Chapter 17. Jakarta Security

17.1. About Jakarta Security

Jakarta Security defines plug-in interfaces for authentication and identity stores, and a new injectable-type SecurityContext interface that provides an access point for programmatic security. For details about the specifications, see Jakarta Security Specification.

17.2. Configure Jakarta Security Using Elytron

Enabling Jakarta Security Using the elytron Subsystem

The SecurityContext interface defined in Jakarta Security uses the Jakarta Authorization policy provider to access the current authenticated identity. To enable your deployments to use the SecurityContext interface, you must configure the elytron subsystem to manage the Jakarta Authorization configuration and define a default Jakarta Authorization policy provider.

  1. Disable Jakarta Authorization in the legacy security subsystem. Skip this step if Jakarta Authorization is already configured to be managed by Elytron.

    /subsystem=security:write-attribute(name=initialize-jacc, value=false)
  2. Define a Jakarta Authorization policy provider in the etlyron subsystem and reload the server.

    /subsystem=elytron/policy=jacc:add(jacc-policy={})
    reload

Enabling Jakarta Security for Web Applications

To enable Jakarta Security for a web application, the web application needs to be associated with either an Elytron http-authentication-factory or a security-domain. This installs the Elytron security handlers and activates the Elytron security framework for the deployment.

The minimal steps to enable Jakarta Security are:

  1. Leave the default-security-domain attribute on the undertow subsystem undefined so that it defaults to other.
  2. Add an application-security-domain mapping from other to an Elytron security domain:

    /subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain, integrated-jaspi=false)

    When integrated-jaspi is set to false, ad-hoc identities are created dynamically.

Jakarta Security is built on Jakarta Authentication. For information about configuring Jakarta Authentication, see Configure Jakarta Authentication Security Using Elytron.