
Add a use case driven guide for creating a credential store using elytron-tool for wildfly client configuration #2068

Open
wants to merge 1 commit into
base: develop

Conversation

PrarthonaPaul
Contributor

@PrarthonaPaul PrarthonaPaul commented Nov 16, 2023

No description provided.

Contributor

@Skyllarr Skyllarr left a comment


@PrarthonaPaul These blog posts are great! Very well explained and I think the community will appreciate this as credential stores and encryption are common questions. I just added minor comments but I approved it. Thank you!

Now we can create a keystore using a plaintext password:
```
/subsystem=elytron/key-store=serverKS:add(path=server.keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=secret})
```
Contributor


@PrarthonaPaul Just a total minor, we should now use PKCS12 type instead of JKS in these blogs as PKCS12 is default in Java 11

Contributor Author


fixed!

```
}
}
```
Notice how even though we specified the clear-text password when updating the credentials, it does not show up here. Instead, we can see the name of the credential-store and the alias listen under credential-reference.
Contributor


s/alias listen/alias listed

Contributor Author


fixed!

```
/subsystem=elytron/credential-store=myCredStore:remove-alias(alias=myalias)
```
However, when deleting a alias, you must be careful, as if the alias is in use, it may still be removed successfully, leaving the resource's credential-reference pointing to a non-existent alias.
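Review bot: since this sentence states that remove-alias succeeds even when the alias is still in use, the step would be stronger if it told the reader what to check before running it: look at the `credential-reference` (store and alias) of the resources that depend on the store, which the guide already shows earlier via read-resource, and only remove the alias once nothing points at it. Otherwise the resource keeps a reference to an alias that no longer exists and fails the next time the server dereferences it.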
Contributor


s/deleting a alias/deleting an alias

Contributor Author


fixed!

If you navigate to WILDFLY_HOME/standalone/configuration, you will see a new file has been created there named mycredstore.cs. This file is used to store all the credentials in a credential-store. If you try to open it using Vim or another file viewer, you will see that the file is not human readable. As a result, the passwords are secured. It is possible to programmatically read the passwords, which is what WildFly does when dereferencing the credential reference to access a resource.

== Add a Password to the Credential-Store
Now in order to use the credential-store for our keystore, we need to add the keystore password to it:
Contributor


@PrarthonaPaul Just a total minor, could be to mention that you can disable the management CLI history before running the commands that contain the clear text password, so "secret-value=secret" in this case and clear-text=secret below:

[standalone@localhost:9999 /] history --disable

After inputting the clear text password you can enable the saving of history again:

[standalone@localhost:9999 /] history --enable

Source:
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html/management_cli_guide/management_cli_command_history

Contributor


I noticed this is mentioned in the other blog, so we can mention it in this one also.

Contributor Author


added a section for this.
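Two points from the thread above lend themselves to a small check a reader could run against their own configuration: the caveat that `remove-alias` succeeds even while a resource's `credential-reference` still points at the alias, and the reviewer's concern about clear-text passwords lingering in configuration. The script below is an added example, not part of the guide under review and not WildFly or elytron-tool code. It parses constructed XML fragments modelled on the shape of the elytron subsystem in standalone.xml and of the client `wildfly-config.xml` (assumption: XML namespaces are omitted so tag names match the bare element names used in the guide), and compares every store/alias reference against the alias set that `credential-store=myCredStore:read-aliases` would report.

```python
"""Audit Elytron configuration for plaintext passwords and dangling aliases.

Added example; not code from the guide or from WildFly. Flags two things:
  * passwords kept in clear text (credential-reference clear-text / clear-password)
  * credential references whose alias is not (or no longer) in the store
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the elytron subsystem written to standalone.xml.
# Assumption: namespaces omitted so ElementTree sees bare tag names.
SERVER_XML = """<subsystem>
  <credential-stores>
    <credential-store name="myCredStore" location="mycredstore.cs" relative-to="jboss.server.config.dir">
      <credential-reference clear-text="storepass"/>
    </credential-store>
  </credential-stores>
  <tls>
    <key-stores>
      <key-store name="serverKS">
        <credential-reference store="myCredStore" alias="myalias"/>
        <implementation type="PKCS12"/>
        <file path="server.keystore" relative-to="jboss.server.config.dir"/>
      </key-store>
      <key-store name="legacyKS">
        <credential-reference clear-text="secret"/>
        <implementation type="JKS"/>
        <file path="legacy.keystore" relative-to="jboss.server.config.dir"/>
      </key-store>
      <key-store name="orphanKS">
        <credential-reference store="myCredStore" alias="oldalias"/>
        <implementation type="PKCS12"/>
        <file path="orphan.keystore" relative-to="jboss.server.config.dir"/>
      </key-store>
    </key-stores>
  </tls>
</subsystem>"""

# Constructed sample modelled on the client-side wildfly-config.xml.
CLIENT_XML = """<configuration>
  <authentication-client>
    <authentication-configurations>
      <configuration name="default">
        <set-user-name name="quickstartUser"/>
        <credentials>
          <credential-store-reference store="myCredStore" alias="quickstartUser"/>
        </credentials>
      </configuration>
      <configuration name="legacy">
        <set-user-name name="quickstartUser"/>
        <credentials>
          <clear-password password="quickstartPwd1!"/>
        </credentials>
      </configuration>
    </authentication-configurations>
  </authentication-client>
</configuration>"""

# Constructed: the alias set read-aliases would report after
# remove-alias(alias=oldalias) was run while orphanKS still referenced it.
STORE_ALIASES = {"myCredStore": {"myalias", "quickstartUser"}}

PLAINTEXT_TAGS = {"clear-password"}
REFERENCE_TAGS = {"credential-reference", "credential-store-reference"}


def _owner(elem, parents):
    """Describe the nearest ancestor (or elem itself) that carries a name attribute."""
    node = elem
    while node is not None:
        if node.get("name"):
            return f"{node.tag}[name={node.get('name')}]"
        node = parents.get(node)
    return elem.tag


def audit(xml_text, store_aliases):
    """Return (owner, kind, detail) findings for one XML document."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if elem.tag in PLAINTEXT_TAGS or (elem.tag in REFERENCE_TAGS and elem.get("clear-text") is not None):
            # The credential-store's own unlock password is the one secret that cannot live in
            # that same store, so that finding is expected; every other one is a leftover.
            findings.append((_owner(parents[elem], parents), "clear-text", "password stored in plaintext"))
        elif elem.tag in REFERENCE_TAGS and elem.get("store") is not None:
            store, alias = elem.get("store"), elem.get("alias")
            owner = _owner(parents[elem], parents)
            if store not in store_aliases:
                findings.append((owner, "unknown-store", f"store {store!r} is not defined"))
            elif alias not in store_aliases[store]:
                findings.append((owner, "dangling-alias", f"alias {alias!r} not found in store {store!r}"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("server", SERVER_XML), ("client", CLIENT_XML)):
        for owner, kind, detail in audit(xml_text, STORE_ALIASES):
            print(f"{label}: {owner}: {kind}: {detail}")
```

Run as-is it reports `legacyKS` (plaintext keystore password), `orphanKS` (reference to an alias that was removed) and the `legacy` client configuration (plaintext `clear-password`); `serverKS` and the `default` client configuration are clean. On a real installation, replace the constructed strings with the file contents and the alias set with the output of `read-aliases`.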

== About WildFly Client Configuration
EJBs, also known as Enterprise JavaBeans are a collection of specifications that are used for building java applications and offer a set og APIs for developing anf running secured applications. When invoking ejbs using the WildFly server, we need to configure the WildFly client to specify revevant information about authentication to secure the application. This can be done using a file named wildfly-config.xml located inside the sec/main/resources folder of the application.
Contributor


s/anf running/and running

Contributor


s/ejbs/EJBs
s/revevant/relevant
s/sec/src

Contributor Author


Fixed!

Note that creating an additional security domain (fsSD in this case) is not necessary. We could alternatively take the default ApplicationDomain and add the FileSystem realm, role-decoder and permission-mapper to it.

=== Create an Authentication Factory
We now need to create a sasl-authentication factory and connect out security domain to it and specify a mechanism for the authentication:
Contributor


s/sasl-authentication factory/sasl-authentication-factory
s/connect out/ connect our

Contributor Author


fixed!

@Skyllarr Skyllarr added the +1 DV label Dec 14, 2023
@PrarthonaPaul PrarthonaPaul force-pushed the credential-store-guides branch 2 times, most recently from 6f0079c to 29a6d0c on December 22, 2023 21:30
Contributor

@darranl darranl left a comment


@PrarthonaPaul Can you please split this into three separate PRs and bring the dates up to date?

I think this would make sense to publish one per week and then it will become some regular content instead of it all going out at once.

@PrarthonaPaul PrarthonaPaul changed the title Add 3 use-case driven guides for using credential stores to replace cleartext sensitive information Add a use case driven guide for creating a credential store using elytron-tool for wildfly client configuration Mar 19, 2024
@PrarthonaPaul
Contributor Author

> @PrarthonaPaul Can you please split this into three separate PRs and bring the dates up to date?
>
> I think this would make sense to publish one per week and then it will become some regular content instead of it all going out at once.

I have opened two other PRs for the other guides: #2121 and #2120 and updated the dates on all.
Thanks!

== About WildFly Client Configuration
EJBs, also known as Enterprise JavaBeans are a collection of specifications that are used for building java applications and offer a set og APIs for developing and running secured applications. When invoking EJBs using the WildFly server, we need to configure the WildFly client to specify relevant information about authentication to secure the application. This can be done using a file named wildfly-config.xml located inside the `src/main/resources` folder of the application.
Contributor


Just a minor, set og/set of

Contributor


Just a minor, should this sentence be:

When invoking EJBs using the WildFly server, we need to configure the WildFly client to specify relevant information about authentication to the secured the application.

? Since we are not securing the application with this client config file, but we are supplying the required client authentication that should be used to authenticate the client to the secured app

```
$ mvn clean install wildfly:deploy
```

Unlike other applications, this will not be a web application, rather something we can run on the terminal. If you examine the server logs, you will notice that instead of a `.war` deployment, we will be producing a `.jar` deployment file. We can access the application by running the client using the command below:
Contributor


hm just a total minor suggestion that you can ignore, but since we are not mentioning other applications in this blog, and there are many kinds of applications other than web applications, and we can access .jar with other apps or code and not just with the terminal, I would just write:

This will not be a web application, so we won't use a browser to access it, but instead we will use the terminal.

As you can see, it mentions that the secured bean has been accessed by our identity, quickstartUser and it does not have admin permissions, since we only assigned the `guest` role to it.

== Summary
This guide demonstrates how a `credential-store` can be used to add identity specification when configuring a WildFly client. This guide also demonstrates how the `elytron-tool` can be used to generate the credential store and add aliases to it.
Contributor


@PrarthonaPaul Maybe this should be:

s/credential-store can be used to add identity specification when configuring a WildFly client./credential-store can be used to specify identity credentials when configuring a WildFly client.

@@ -0,0 +1,155 @@
---
layout: post
title: 'Using Credential Stores on for WildFly Client'
Contributor


typo in title on for

@Skyllarr
Contributor

Skyllarr commented May 6, 2024

@PrarthonaPaul Can you please push this to your develop branch and link a preview here? To make it easy for other reviewers also, thank you!
