Chapter 2. New Features and Enhancements

Support for automatic update of credentials in a credential store

Elytron now automates adding and updating a credential to a previously defined credential store when you configure a credential reference that specifies both the store and clear-text attributes.

With this update, you do not need to add a credential to an existing credential store before you can reference it from a credential-reference. The automated process reduces the number of steps you need to perform for referencing new credentials in different subsystems.

New role mapper regex-role-mapper in Elytron

Elytron now provides a new role mapper, regex-role-mapper, to define a regular expression (regex) based mapping of security roles.

You can use regex-role-mapper to translate a list of roles to simpler roles. For example:

With regex-role-mapper, you do not need to implement your own custom component to translate security roles. For more information, see regex-role-mapper Attributes.

Accessing IP address of remote client

You can now add the source-address-role-decoder role decoder to the elytron subsystem. By configuring this role decoder, you can gain additional information from a remote client when making authorization decisions.

The source-address-role-decoder extracts the IP address of a remote client and checks that it matches the IP address specified in the pattern attribute or the source-address attribute. If the IP address of the remote client matches the IP address specified in either attribute, the roles attribute then assigns roles to the user. When you have configured source-address-role-decoder, you can reference it in the role-decoder attribute of the security domain.

The aggregate-role-decoder role decoder

The aggregate-role-decoder consists of two or more role decoders. After each specified role decoder completes its operation, it adds roles to the aggregate-role-decoder.

You can use aggregate-role-decoder to make authorization decisions by adding role decoders that assign roles for a user. Further, aggregate-role-decoder provides you with a convenient way to aggregate the roles returned from each role decoder.

Using TLS protocol version 1.3 with JDK 11

Elytron now provides the ability to use Transport Layer Security (TLS) Protocol version 1.3 for JBoss EAP running against JDK 11.

TLS 1.3 is disabled by default. You can enable TLS 1.3 by configuring the new cipher-suite-names attribute in the SSL Context resource definition in the elytron subsystem.

Compared with TLS 1.2, you might experience reduced performance when running TLS 1.3 with JDK 11. Diminished performance might occur when a very large number of TLS 1.3 requests are being made. A system upgrade to a newer JDK version can improve performance. Test your setup with TLS 1.3 for performance degradation before enabling it in production.

Enable support for the TLS 1.3 protocol with the OpenSSL provider for TLS

JBoss EAP 7.4 includes support for the Transport Layer Security (TLS) protocol version 1.3. The use of TLS 1.3 protocol with the OpenSSL provider for TLS is disabled by default. You can enable OpenSSL provider for TLS by either configuring the providers attribute in the ssl-context configuration or by registering the OpenSSL provider ahead of all globally registered providers using the initial-providers attribute in the Elytron subsystem configuration.

You can enable support for the TLS 1.3 protocol with the OpenSSL provider for TLS by configuring the cipher-suite-names attribute in the ssl-context configuration.

Compared with TLS 1.2, you might experience reduced performance when running TLS 1.3 with JDK 11. Diminished performance might occur when a very large number of TLS 1.3 requests are being made. A system upgrade to a newer JDK version can improve performance. Test your setup with TLS 1.3 for performance degradation before enabling it in production.

Re-enable support for the TLS 1.1 protocol in your JDK configuration

Newer versions of JDK might disable the Transport Layer Security (TLS) protocol version 1.1 by default. If your JBoss EAP 7.4 configuration must comply with the Federal Information Processing Standard (FIPS), you might need to re-enable support for the TLS 1.1 protocol in your JDK configuration.

For more information about TLS protocols compatible with JBoss EAP 7.4, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Supported Configurations page on the Red Hat Customer Portal.

Using SSH credentials to connect to a remote Git SSH repository

With JBoss EAP 7.4, you can use SSH credentials to connect to a remote Git SSH repository. This repository can manage your server configuration data, properties files, and deployments.

You must use the elytron configuration file to specify SSH credentials. You can then start your standalone server instance and have a remote Git SSH repository manage your server configuration file history.

If necessary, you can generate SSH keys by using one of the following methods:

For information about connecting to a remote Git SSH repository, see Using a remote Git SSH repository.

New principal transformer added to the elytron subsystem

JBoss EAP 7.4 includes a new principal transformer, case-principal-transformer, in the elytron subsystem. You can use the case-principal-transformer to change a principal’s username to either uppercase or lowercase characters.

Ability to automatically generate a self-signed certificate

With JBoss EAP 7.4, you can automatically generate a self-signed certificate.

Use a self-signed certificate only in a test environment. Do not use a self-signed certificate in a production environment.

To use this new feature, in the undertow subsystem, update the configuration of the http-listener.

    batch
    /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
    /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=applicationSSC)
    run-batch
    reload

After you update the configuration, and if no keystore file exists, the first time JBoss EAP receives an HTTPS request, the system automatically generates a self-signed certificate. JBoss EAP logs a warning when a self-signed certificate is used.

Configuration of multiple security realms to support failover

With JBoss EAP 7.4, you can configure a failover security realm. If the security realm is not available, JBoss EAP uses the failover realm. The following code illustrates an example configuration:

    <failover-realm name="myfailoverrealm" delegate-realm="LdapRealm" failover-realm="LocalRealm" />

Distributed identities across multiple security realms

With JBoss EAP 7.4, you can configure a distributed security realm, which sequentially invokes a list of configured realms until a realm with the identity is found. The following code illustrates an example configuration:

    <distributed-realm name="mymainrealm" realms="realm1 realm2 realm3" />

Access to external credentials over HTTP in the elytron subsystem

With JBoss EAP 7.4, JBoss EAP can authenticate a user based on credentials established externally when using HTTP authentication.

To use this capability, configure a security domain to use the External mechanism when authenticating users.

Use the Elytron client authentication configuration with the RESTEasy client

The JBoss EAP 7.4 release integrates the RESTEasy client with the Elytron client. The RESTEasy client uses authentication information, such as credentials, bearer tokens, and SSL configurations, from an Elytron client configuration.

You can specify the Elytron client configuration that the RESTEasy client can use in the following ways:

Secret key credential store for providing initial secret key

You can now provide an initial secret key to the application server process using a new type of credential store named secret-key-credential-store. With this credential store, you get more robust security than password-based encryption because you can now manage your own initial secret. For information about providing an initial key to JBoss EAP, see Providing an initial key to JBoss EAP to unlock secured resources.

Additionally, you can now generate secret keys, and also export and import previously generated secret keys, for all credential stores. You can also use existing credential stores for storing secret keys, and management operations to maintain them. For more information, see Credential store operations using the JBoss EAP management CLI.

Encrypted expressions for securing security-sensitive strings

You can now use encrypted expressions to securely store security-sensitive strings in the management model. Elytron encrypts plain text strings using Advanced Encryption Standard (AES) encryption and decrypts the encrypted expression dynamically at runtime using a SecretKey key stored in a credential store.

You can configure encrypted expressions using the new resource expression-encryption in the elytron subsystem. Use the create-expression management operation to create encrypted expressions. For information about encrypted expressions, see Encrypted expressions in Elytron.

Updates to elytron-tool

You can use the elytron-tool with both the existing and new credential stores. Use the credential-store command to manage secret keys and to generate encrypted tokens for use in expressions.

Support for Microsoft Windows Server 2019

You can use the Microsoft Windows Server 2019 virtual operating system while using JBoss EAP 7.4 in Microsoft Azure.

Use a global directory to distribute shared libraries across deployments

In JBoss EAP 7.3 and earlier versions, you could not create and configure a global directory to distribute shared libraries across deployments running on a server. These capabilities have been added to the ee subsystem.

A global directory offers a better alternative to the global module approach. For example, if you want to change the name of a library listed in a global module, you must remove the global module, change the library’s name, and then add the library to a new global module. If you change the name of a library that is listed in the global directory, you only need to restart the server to make the library name change available for all deployments.

Using a global directory is also a better solution if you want to share multiple libraries across deployed applications.

For more information, see Define global modules in the JBoss EAP Configuration Guide.

Support for read-only server configuration directories

In JBoss EAP 7.3 and earlier versions, servers fail to start if the configuration directory is configured as read-only. JBoss EAP 7.4 introduces the ability to use a read-only server configuration directory. If the configuration directory is read-only, include the --read-only-server-config switch in a command to start the server.

Ability to pass JBoss Module parameters

In the configuration files for JBoss EAP 7.3 and earlier versions, JBoss Modules did not include the ability to pass module parameters. In the script configuration files for JBoss EAP 7.4 you can now add a MODULE_OPTS=-javaagent:my-agent.jar environment variable to pass JBoss Module parameters.

You can use this capability when you previously were required to add the log manager on the boot class path.

Infinispan APIs

Previously, the Infinispan APIs were flagged as private within EAP as they are a part of the Red Hat Data Grid project. These APIs are now fully included and supported in JBoss EAP7.4. The modules included are:

Configurable option to allow requests during startup

Added the option for a graceful startup mode for when user requests need to occur earlier in the startup process. This is supported for both managed domains, and standalone servers.

Configurable common script file added

You can now use the file, common.conf, to customize your JBoss EAP instance environments. The file allows you to set common environment variables usable by all scripts in the $JBOSS_HOME/bin directory. You can add the file to $JBOSS_HOME/bin or add the path to the file in the COMMON_CONF environment variable. This functionality does support batch scripts and powershell scripts, with common.conf.bat and common.conf.ps1 respectively.

Enhancement to the command CLI command

The CLI command command has a new --node-child argument that you can use to edit the properties or manage the operations of a specific child node.

Use the command add --node-child --help CLI command to view a description of the --node-child argument.

New role decoder added to the elytron subsystem

In JBoss EAP 7.4, you can use the management CLI to add the source-address-role-decoder role decoder to the elytron subsystem. By configuring this role decoder in the mappers element, you can gain additional information from a remote client when making authorization decisions.

You can configure the following attributes for source-address-role-decoder:

Exposing runtime statistics for managed executor services

In the previous JBoss EAP release, runtime statistics were not available for managed executor services in the ee subsystem.

You can now monitor the performance of managed executor services by viewing the runtime statistics generated with the new management CLI attributes. The following management CLI attributes have been added:

Terminating hung tasks

You can now manually attempt to terminate hung tasks in the EE subsystem. To do this, run the following command:

/subsystem=ee/managed-executor-service=default:terminate-hung-tasks()

A new attribute, hung-task-termination-period, is added to the managed-executor-service

You can now automatically attempt to terminate hung tasks in the EE subsystem. A new attribute, hung-task-termination-period, is added to the managed-scheduled-executor-service resources to facilitate this.

Using property replacement for permissions files

Users upgrading from JBoss EAP 6 to JBoss EAP 7 were unable to migrate file permissions in the Java policy file to the permissions.xml or jboss-permissions.xml files. It was not possible to use property replacement to migrate file permissions in the permissions.xml and jboss-permissions.xml files.

You can now use property replacement for the permissions.xml and jboss-permissions.xml files.

The property replacement for jboss-permissions.xml and permissions.xml files can be enabled or disabled using the jboss-descriptor-property-replacement and spec-descriptor-property-replacement attributes in the ee subsystem.

Configuring RESTEasy parameters

You can now use the JBoss EAP management CLI to change the settings for RESTEasy parameters. A global change applies the updated settings to new deployments as web.xml context parameters.

You can modify the settings of a parameter by using the :write-attribute operation with the /subsystem=jaxrs resource in the management CLI. For example:

/subsystem=jaxrs:write-attribute(name=resteasy-add-charset, value=false)

See the RESTEasy Configuration Parameters table for details about RESTEasy elements.

Configuring RESTEasy providers

In RESTEasy, certain built-in providers are enabled by default. You can now use the new RESTEasy parameter resteasy.disable.providers in the JBoss EAP management CLI to disable specific built-in providers.

The following example demonstrates how to disable the built-in provider FileProvider:

/subsystem=jaxrs:write-attribute(name=resteasy-disable-providers, value=[org.jboss.resteasy.plugins.providers.FileProvider])

You can use the resteasy.disable.providers parameter with the pre-existing parameter resteasy.use.builtin.providers to customize a specific provider configuration that applies to all new deployments.

New role decoder added to the elytron subsystem

In JBoss EAP 7.4, you can use the management console to add the source-address-role-decoder role decoder to the elytron subsystem. By configuring this role decoder in the mappers element, you gain additional information from a remote client when you make authorization decisions.

You can configure the following attributes for source-address-role-decoder:

The Apache Log4j2 API

In JBoss EAP 7.4, you can use an Apache Log4j2 API instead of an Apache Log4j API to send application logging messages to your JBoss LogManager implementation.

The JBoss EAP 7.4 release supports the Log4J2 API, but the release does not support the Apache Log4j2 Core implementation, org.apache.logging.log4j:log4j-core, or its configuration files.

Using Infinispan APIs in deployments

You can now use the Infinispan subsystem to create remote and embedded JBoss EAP caches without the need to install separate modules. This allows you perform read and write operations to caches from your deployment but does not include support for all Data Grid capabilities or the following APIs:

Additionally the Data Grid CDI modules are not available from the Infinispan subsystem.

If you have questions about using JBoss EAP with any Data Grid features or capabilities, contact the Red Hat support team.

Default global stateful session bean timeout value in the ejb3 subsystem

In the ejb3 subsystem, you can now configure a default global timeout value for all stateful session beans (SFSBs) that are deployed on your server instance by using the default-stateful-bean-session-timeout attribute. This attribute is located in the JBoss EAP server configuration file. You can configure the attribute using the Management CLI.

Attribute behavior varies according to the server mode. For example:

By default, the attribute value is set at -1 milliseconds, which means that deployed SFSBs are configured to never time out. However, you can configure two other types of valid values for the attribute, as follows:

You can still use the pre-existing @StatefulTimeout annotation or the stateful-timeout element, which is located in the ejb-jar.xml deployment descriptor, to configure the timeout value for an SFSB. However, setting such a configuration overrides the default global timeout value to the SFSB.

Forcing Jakarta Enterprise Beans timer refresh in database-data-store

You can now set the wildfly.ejb.timer.refresh.enabled flag using the EE interceptor. When an application calls the TimerService.getAllTimers() method, JBoss EAP checks this flag. If this flag is set to true, JBoss EAP refreshes the Jakarta Enterprise Beans timers from database before returning the result.

In the previous JBoss EAP releases, the Jakarta Enterprise Beans timer reading could be refreshed in a database using the refresh-interval attribute found in database-data-store. Users could set the refresh-interval attribute value in milliseconds to refresh the Jakarta Enterprise Beans timer reading.

For information about Jakarta Enterprise Beans clustered database backed-timers, see Jakarta Enterprise Beans clustered database timers in the Developing Jakarta Enterprise Beans Applications guide.

Access to runtime information from Jakarta Enterprise Beans

With JBoss EAP 7.4, you can access runtime data for Jakarta Enterprise Beans. Stateful session beans, stateless session beans, and singleton beans each return different runtime information. For example, the following command returns runtime data for a stateless session bean:

/deployment=ejb-management.jar/subsystem=ejb3/stateless-session-bean=ManagedStatelessBean:read-resource(include-runtime)

Dynamic discovery of Jakarta Enterprise Beans over HTTP

With JBoss EAP 7.4, you can use dynamic discovery of Jakarta Enterprise Beans over HTTP. To use this capability, add a configuration similar to the following to the ejb-remote profile:

<remote connector-ref="http-remoting-connector" thread-pool-name="default">
    <channel-creation-options>
        <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
    </channel-creation-options>
    <profiles>
        <profile name="my-profile">
            <remote-http-connection name="ejb-http-connection" uri="http://127.0.0.1:8180/wildfly-services"/>
        </profile>
    </profiles>
</remote>

Global configuration of compression for remote Jakarta Enterprise Beans calls

With JBoss EAP 7.4, you can configure compression of calls to remote Jakarta Enterprise Beans globally. To configure compression globally on a stand-alone client, specify the default.compression property in the jboss-ejb-client.properties file. To configure compression globally on a server, include the default-compression attribute in the <client-conext> element in the jboss-ejb-client.xml descriptor file in the application deployment unit.

<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.4">
    <client-context default-compression="5">
        <profile name="example-profile" />
    </client-context>
</jboss-ejb-client>

New attribute for setting the principal propagation behavior in Elytron

In JBoss EAP 7.4, a new optional attribute is added to the application-security-domain element of the ejb3 subsystem. With the new attribute, legacy-compliant-principal-propagation, you can control the principal propagation behavior of your Jakarta Enterprise Beans application that uses Elytron security.

The default value of legacy-compliant-principal-propagation is true. Therefore, the principal propagation behavior is legacy security subsystem compliant by default.

If you configure the attribute to false, Elytron provides any local unsecured Jakarta Enterprise Beans that have no incoming run as identity with an anonymous principal. This configuration complies with Elytron’s previous behavior.

For information about Elytron integration with the ejb subsystem, see Elytron integration with the ejb subsystem in the Developing Jakarta Enterprise Beans Applications guide.

Configuring the wildfly.jpa.skipquerydetach persistence unit property

You can configure the wildfly.jpa.skipquerydetach persistence unit property from the persistence.xml file of a container-managed persistence context.

The default value for wildfly.jpa.skipquerydetach is false. Use this setting to set a transaction-scoped persistence context to immediately detach query results from an open persistence context.

Configure wildfly.jpa.skipquerydetach as true, to set a transaction-scoped persistence context to detach query results when a persistence context is closed. This enables a non-standard specification extension.

For applications that have the non-standalone specification extension jboss.as.jpa.deferdetach set as true, you can also set wildfly.jpa.skipquerydetach as true.

Integrating Elytron with web services clients

You can now configure web services clients to use the Elytron client configuration to obtain its credentials, authentication method, and SSL context.

When you use JBossWS API to assign any configuration properties to the web services client, then the username, password, and SSL context from the Elytron client are also loaded and configured. The following authentication methods are configurable:

You can use the <webservices/> element in wildfly-config.xml to specify that the credentials are for either HTTP Basic authentication,g UsernameToken Profile authentication or both.

Ability for RESTEasy 3.x to access all standard MicroProfile ConfigSources

RESTEasy 3.x can now access all standard MicroProfile ConfigSources. The following additional ConfigSources are also added to RESTEasy 3.x:

Previously, these capabilities were only included in RESTEasy 4.x. With this update, RESTEasy can access configuration parameters with or without the MicroProfile ConfigSources. In the absence of a MicroProfile Config implementation, RESTEasy falls back to the older method of gathering parameters from ServletContext parameters and init parameters.

Configuring SameSite cookie attribute

You can now configure the SameSite attribute for cookies in the current JBoss EAP release with a samesite-cookie predicated handler in the undertow subsystem. With this handler, you can update your server configuration without having to change your applications. This enhancement supports changes to the processing of cookies that were recently implemented in major web browsers to improve security.

Configuring Eclipse MicroProfile REST client API in resteasy CDI modules

The Eclipse MicroProfile REST client API is now an optional dependency that you can configure in resteasy CDI modules.

Duplicate messages on the JMS core bridge

On rare instances for a server with an overloaded target queue, sending large messages over the JMS core bridge might cause duplication of your messages.

Ability to pause a topic

With JBoss EAP 7.4, you can pause a topic in addition to pausing a queue. When you pause a topic, JBoss EAP receives messages but does not deliver them. When you resume the topic, JBoss EAP delivers the messages. To pause a topic, issue a command similar to the following example:

/subsystem=messaging-activemq/server=default/jms-topic=topic:pause()

To resume a topic, issue a command similar to the following example:

/subsystem=messaging-activemq/server=default/jms-topic=topic:resume()

Ability to detect network isolation of broker

You can now ping a configurable list of hosts to detect network isolation of the broker. You can use the following parameters to configure this functionality:

For example, to check the network status by pinging the IP address 10.0.0.1, issue the following command:

/subsystem=messaging-activemq/server=default:write-attribute(name=network-check-list, value="10.0.0.1")

call-timeout attribute

The call-timeout attribute on the JMS core bridge is configurable as a part of ActiveMQ Artemis. In this release, you are able to configure the call-timeout variable in EAP itself with the management API.

Red Hat AMQ connection pools

Red Hat AMQ recently began supporting connection pools in addition to single thread DB connections. With JBoss EAP 7.4, you can now use a connection pool when using Red Hat AMQ with JBoss EAP.

New environment variable for starting your server

You can now add the MODULE_OPTS environment variable to the script configuration files in your JBoss EAP 7.4 instance.

In a standalone server, use the following files:

For servers in a domain, you can add the module-options attributes to a host JVM configuration or a server’s JVM configuration.

The MODULE_OPTS environment variable affects the entire server. For example, if you have a Java agent that requires logging, set the value of MODULE_OPTS to -javaagent:my-agent.jar. This will initialize your agent after you configure logging.

Providing custom Galleon feature-pack support to your JBoss EAP S2I image

You can use three new environment variables to provide custom Galleon feature-pack support for your JBoss EAP S2I image. You can use the environment variables outlined in the following table during your S2I build phase:

Read-only server configuration directory

JBoss EAP supports a read-only server configuration directory. You can use the --read-only-server-config command line parameter to lock down the server configuration when the server configuration directory is a read-only directory. This functionality is available only when running JBoss EAP as a standalone server.

Instructions to deploy JBoss EAP quickstarts on OpenShift

For a JBoss EAP release, all OpenShift-compatible quickstarts now include instructions to deploy JBoss EAP quickstarts on OpenShift. The readme.html file of the quickstarts include the following sections:

New Galleon layer for the Distributable Web subsystem

JBoss EAP provides the web-passivation layer to supply the distributable-web subsystem configured with a local web container cache. The web-passivation layer is a decorator layer.

Red Hat CodeReady Workspaces supports JBoss EAP 7.4 development files

You can use a JBoss EAP 7.4 development file, YAML file, to define a JBoss EAP development environment on CRW. You can download example JBoss EAP 7.4 development files from the jboss-eap-quickstarts GitHub web page.

A development file includes the following components:

On CRW, you can choose one of the following ways to create a JBoss EAP 7.4 workspace environment: