WildFly Security Realms: Difference between revisions
| Line 46: | Line 46: | ||
=Management Realm= | =Management Realm= | ||
The ''management realm'' stores authentication and authorization information for the [[WildFly Management Interfaces|management API]]. Further authentication mechanism can be configured as part of the [<management/> element in host.xml|Host.xml#LtManagementGt] or {{[standalone.xml]}}. | |||
=Application Realm= | =Application Realm= | ||
=Adding a New Security Realm= | =Adding a New Security Realm= | ||
Revision as of 02:03, 10 February 2016
External
- RedHat Documentation Security Guide https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#chap-Security_Realms
- jboss.org Security Realms Article https://docs.jboss.org/author/display/AS71/Security+Realms
Internal
Overview
A security realm is a WildFly-specific identity store of usernames, passwords and group membership information that can be used to authenticate users of the management interfaces, web applications and EJBs.
The security realm contains mappings between users and passwords, and users and roles - a mechanism for adding authentication and authorization to applications and JBoss management facilities and regular applications.
By default WildFly comes pre-configured with two realms:
Both of these use filesystem-based stores for users and group membership, and use a digest mechanism by default when authenticating.
New security realms can be configured. See Adding a New Security Realm.
The existing security realms can be reconfigured to use other authentication mechanisms, different from digest.
Security realms are not involved in any authorization decisions, however they can be configured to load a user's group membership information, which then can be subsequently used to make authorization decisions. The user is authenticated first, then the group membership information is loaded as part of a second step.
The management interfaces and the associates security realms are loaded as core services.
For a better upper level picture of WildFly security, see WildFly Security Concepts.
The Digest Mechanism
The digest mechanism used by the WildFly security realms is an authentication mechanism that authenticates the user by computing one-time, one-way hashes comprised of various pieces of information, including information stored in the users/passwords mapping property file. This allows WildFly to authenticate users without sending any passwords in plain text over network.
The user file contains the mapping between the user name and the password hash.
When a user attempts to authenticate, WildFly sends a one-time use number (nonce) to the client. The client generates a one-way has using their username, password, nonce and few other fields, and sends to WildFly instance the username, nonce and one-way hash. WildFly looks up the users's password hash and uses it along with the provided username, nonce and few other fields to generate another one-way hash in the same manner. If the hashes match, the user is authenticated.
Management Realm
The management realm stores authentication and authorization information for the management API. Further authentication mechanism can be configured as part of the [<management/> element in host.xml|Host.xml#LtManagementGt] or {{[standalone.xml]}}.