Appendix A. Reference Material

A.1. Example wildfly-config.xml

The wildlfly-config.xml file is one way for clients to use Elytron Client, which allows clients to use security information when making connections to JBoss EAP.

Example: custom-config.xml

<configuration>
  <authentication-client xmlns="urn:elytron:client:1.2">
    <authentication-rules>
      <rule use-configuration="monitor">
        <match-host name="127.0.0.1" />
      </rule>
      <rule use-configuration="administrator">
        <match-host name="localhost" />
      </rule>
    </authentication-rules>
    <authentication-configurations>
      <configuration name="monitor">
        <sasl-mechanism-selector selector="DIGEST-MD5" />
        <providers>
          <use-service-loader />
        </providers>
        <set-user-name name="monitor" />
        <credentials>
          <clear-password password="password1!" />
        </credentials>
        <set-mechanism-realm name="ManagementRealm" />
      </configuration>

      <configuration name="administrator">
        <sasl-mechanism-selector selector="DIGEST-MD5" />
        <providers>
          <use-service-loader />
        </providers>
        <set-user-name name="administrator" />
        <credentials>
          <clear-password password="password1!" />
        </credentials>
        <set-mechanism-realm name="ManagementRealm" />
      </configuration>
    </authentication-configurations>

    <net-authenticator/>

    <!-- This decides which SSL context configuration to use -->
    <ssl-context-rules>
      <rule use-ssl-context="mycorp-client">
        <match-host name="mycorp.com"/>
      </rule>
    </ssl-context-rules>
    <ssl-contexts>
      <default-ssl-context name="mycorp-context"/>
      <ssl-context name="mycorp-context">
        <key-store-ssl-certificate key-store-name="store1" alias="mycorp-client-certificate"/>
        <!-- This is an OpenSSL-style cipher suite selection string; this example is the expanded form of DEFAULT to illustrate the format -->
        <cipher-suite selector="ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"/>
        <protocol names="TLSv1.2"/>
      </ssl-context>
    </ssl-contexts>
  </authentication-client>
</configuration>

Additional resources

A.2. Single Sign-on attributes

A Single Sign-on (SSO) authentication mechanism configuration.

The following table provides attribute descriptions for the setting=single-sign-on resource of the application-security-domain in the undertow subsystem.

A.2.1. Single Sign-on

Table A.1. single-sign-on Attributes

AttributeDescription

client-ssl-context

The reference to the SSL context used to secure back-channel logout connection.

cookie-name

The name of the cookie. The default value is JSESSIONIDSSO.

credential-reference

The credential reference to decrypt the private key entry.

credential-reference has the following attributes:

  • alias : The alias which denotes stored secret or credential in the store.
  • clear-text : The secret specified using clear text. Checks the credential store way of supplying credential or secrets to services.
  • store : The name of the credential store holding the alias to credential.
  • type : The type of credential this reference is denoting.

domain

The cookie domain to be used.

http-only

For setting cookie’s httpOnly attribute. The default value is false.

key-alias

The alias of the private key entry used for signing and verifying back-channel logout connection.

key-store

The reference to keystore containing a private key entry.

path

The cookie path. The default value is /.

secure

For setting cookie’s secure attribute. The default value is false.

Additional resources

A.3. Password mappers

A password mapper constructs a password from multiple fields in a database using one of the following algorithm types:

  • Clear text
  • Simple digest
  • Salted simple digest
  • bcrypt
  • SCRAM
  • Modular crypt

A password mapper has the following attributes:

Note

The index of the first column is 1 for all the mappers.

Table A.2. password mapper attributes

Mapper nameAttributesEncryption method

clear-password-mapper

  • password-index

    The index of the column containing the clear text password.

No encryption.

simple-digest

  • password-index

    The index of the column containing the password hash.

  • algorithm

    The hashing algorithm used. The following values are supported:

    • simple-digest-md2
    • simple-digest-md5
    • simple-digest-sha-1
    • simple-digest-sha-256
    • simple-digest-sha-384
    • simple-digest-sha-512
  • hash-encoding

    Specify the representation hash. Permitted values:

    • base64 (default)
    • hex

A simple hashing mechanism is used.

salted-simple-digest

  • password-index

    The index of the column containing the password hash.

  • algorithm

    The hashing algorithm used. The following values are supported:

    • password-salt-digest-md5
    • password-salt-digest-sha-1
    • password-salt-digest-sha-256
    • password-salt-digest-sha-384
    • password-salt-digest-sha-512
    • salt-password-digest-md5
    • salt-password-digest-sha-1
    • salt-password-digest-sha-256
    • salt-password-digest-sha-384
    • salt-password-digest-sha-512
  • salt-index

    Index of the column containing the salt used for hashing.

  • hash-encoding

    Specify the representation for the hash. Permitted values:

    • base64 (default)
    • hex
  • salt-encoding

    Specify the representation for the salt. Permitted values:

    • base64 (default)
    • hex

A simple hashing mechanism is used with a salt.

bcrypt-password-mapper

  • password-index

    The index of the column containing the password hash.

  • salt-index

    Index of the column containing the salt used for hashing.

  • iteration-count-index

    Index of the column containing the number of iterations used.

  • hash-encoding

    Specify the representation for the hash. Permitted values:

    • base64 (default)
    • hex
  • salt-encoding

    Specify the representation for the salt. Permitted values:

    • base64 (default)
    • hex

Blowfish algorithm used for hashing.

scram-mapper

  • password-index

    The index of the column containing the password hash.

  • algorithm

    The hashing algorithm used. The following values are supported:

    • scram-sha-1
    • scram-sha-256
    • scram-sha-384
    • scram-sha-512
  • salt-index

    Index of the column containing the salt is used for hashing.

  • iteration-count-index

    Index of the column containing the number of iterations used.

  • hash-encoding

    Specify the representation for the hash. Permitted values:

    • base64 (default)
    • hex
  • salt-encoding

    Specify the representation for the salt. Permitted values:

    • base64 (default)
    • hex

Salted Challenge Response Authentication mechanism is used for hashing.

modular-crypt-mapper

  • password-index

    The index of the column containing the encrypted password.

The modular-crypt encoding allows for multiple pieces of information to be encoded in single string such as the password type, the hash or digest, the salt, and the iteration count.





Revised on 2024-01-17 05:25:08 UTC