From ceccfb627cde46809dc06f7dd8c334239c01cb6c Mon Sep 17 00:00:00 2001
From: Prarthona Paul
Date: Wed, 3 Jul 2024 11:49:52 -0400
Subject: [PATCH 1/2] bump elytron subsystem from community:18.0 to preview:18.0 and modelversion 19.0.0 to 20.0.0

---
 .../extension/elytron/ElytronExtension.java | 3 +-
 .../elytron/ElytronSubsystemSchema.java | 3 +-
 .../elytron/ElytronSubsystemTransformers.java | 9 +-
 .../schema/wildfly-elytron_preview_18_0.xsd | 6441 +++++++++++++++++
 4 files changed, 6453 insertions(+), 3 deletions(-)
 create mode 100644 elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd

diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java
index 2c7a1f35e04..8266ce5d18c 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java
@@ -76,8 +76,9 @@ public class ElytronExtension implements Extension {
 static final ModelVersion ELYTRON_17_0_0 = ModelVersion.create(17);
 static final ModelVersion ELYTRON_18_0_0 = ModelVersion.create(18);
 static final ModelVersion ELYTRON_19_0_0 = ModelVersion.create(19);
+ static final ModelVersion ELYTRON_20_0_0 = ModelVersion.create(20);
- private static final ModelVersion ELYTRON_CURRENT = ELYTRON_19_0_0;
+ private static final ModelVersion ELYTRON_CURRENT = ELYTRON_20_0_0;
 static final String ISO_8601_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSSZ";
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
index bf7e1f567dc..14f6e99baa4 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
@@ -54,8 +54,9 @@ public enum ElytronSubsystemSchema implements PersistentSubsystemSchema CURRENT = Feature.map(EnumSet.of(VERSION_18_0, VERSION_18_0_COMMUNITY));
+ static final Map CURRENT = Feature.map(EnumSet.of(VERSION_18_0, VERSION_18_0_COMMUNITY, VERSION_18_0_PREVIEW));
 private final VersionedNamespace namespace;
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
index 3adf72a7804..a5838ced758 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
@@ -106,6 +106,8 @@ public String getSubsystemName() {
 public void registerTransformers(SubsystemTransformerRegistration registration) {
 ChainedTransformationDescriptionBuilder chainedBuilder = TransformationDescriptionBuilder.Factory.createChainedSubystemInstance(registration.getCurrentSubsystemVersion());
+ // 20.0.0 (WildFly 34) to 19.0.0 (WildFly 32)
+ from20(chainedBuilder);
 // 19.0.0 (WildFly 32) to 18.0.0 (WildFly 29)
 from19(chainedBuilder);
 // 18.0.0 (WildFly 29) to 17.0.0 (WildFly 28)
@@ -145,10 +147,15 @@ public void registerTransformers(SubsystemTransformerRegistration registration)
 // 2.0.0 (WildFly 12) to 1.2.0, (WildFly 11 and EAP 7.1.0)
 from2(chainedBuilder);
- chainedBuilder.buildAndRegister(registration, new ModelVersion[] { ELYTRON_18_0_0, ELYTRON_17_0_0, ELYTRON_16_0_0, ELYTRON_15_1_0, ELYTRON_15_0_0, ELYTRON_14_0_0, ELYTRON_13_0_0, ELYTRON_12_0_0, ELYTRON_11_0_0, ELYTRON_10_0_0, ELYTRON_9_0_0,
+ chainedBuilder.buildAndRegister(registration, new ModelVersion[] { ELYTRON_19_0_0, ELYTRON_18_0_0, ELYTRON_17_0_0, ELYTRON_16_0_0, ELYTRON_15_1_0, ELYTRON_15_0_0, ELYTRON_14_0_0, ELYTRON_13_0_0, ELYTRON_12_0_0, ELYTRON_11_0_0, ELYTRON_10_0_0, ELYTRON_9_0_0,
 ELYTRON_8_0_0, ELYTRON_7_0_0, ELYTRON_6_0_0, ELYTRON_5_0_0, ELYTRON_4_0_0, ELYTRON_3_0_0, ELYTRON_2_0_0, ELYTRON_1_2_0 });
 }
+ private static void from20(ChainedTransformationDescriptionBuilder chainedBuilder) {
+ ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_19_0_0, ELYTRON_18_0_0);
+
+ }
+
 private static void from19(ChainedTransformationDescriptionBuilder chainedBuilder) {
 ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_19_0_0, ELYTRON_18_0_0);
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
new file mode 100644
index 00000000000..10545bd6ff8
--- /dev/null
+++ b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
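Review bot: The new `from20` step is created with `chainedBuilder.createBuilder(ELYTRON_19_0_0, ELYTRON_18_0_0)`, which is the exact version pair the `from19` context line below it already uses, so the 20.0.0 to 19.0.0 transformation announced by the `// 20.0.0 (WildFly 34) to 19.0.0 (WildFly 32)` comment in `registerTransformers` is never defined under its own versions and the 19-to-18 step is declared twice. The line should read `ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_20_0_0, ELYTRON_19_0_0);`, matching the `ELYTRON_20_0_0` constant this patch adds to `ElytronExtension` and the `ELYTRON_19_0_0` entry it prepends to the `buildAndRegister` array. How the chained builder treats a duplicated version pair is not visible here, so whether this fails at registration or silently leaves the 20-to-19 step empty would need confirming with a mixed-domain test against a WildFly 32 host. The `builder` local in `from20` is also unused; if no attributes or resources need rejecting or discarding for the new model version, a comment such as `// No attribute or resource changes between 20.0.0 and 19.0.0; the step only bridges the version chain.` would make the empty body intentional rather than a forgotten copy of `from19`. `registerTransformers` begins outside this hunk and `from19`'s body continues past it.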
@@ -0,0 +1,6441 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Reference to the default authentication context to be associated with all deployments. + + + + + + + Reference to a capability providing a Provider[] which will be registered globally ahead of all existing Provider registrations. + + + + + + + Reference to a capability providing a Provider[] which will be registered globally after all existing Provider registrations. + + + + + + + A list of providers that are disallowed, and will be removed from the providers list. + + + + + + + Should the WildFly Elytron AuthConfigFactory implementation be automatically registered. + + + + + + + Reference to an SSLContext which should be globally registered as the default. + + + + + + + + + + + Type to contain a list of security properties to be set. + + + + + + + + + + + Representation of a key/value property pair. + + + + + + The key for this property. + + + + + + + The value for this property. + + + + + + + + + + + + Definition of a Web Services configuration. + + + + + + HTTP mechanism web services client will use when connecting to the server. + + + + + + + WS-security method web services client will use when connecting to the server. + + + + + + + + + Container for the authentication client definitions. + + + + + + + + + + + + Authentication configuration definition. + + + + + + + An ordered list of properties to be used to configure all of the providers. + + + + + + + + + + + + Credential to be used by the configuration. + + + + + + + Web Services client configuration definition. + + + + + + + + The unique name for the authentication-configuration, note names used for authentication-configurations must be unique across the whole context. + + + + + + + Reference to a previously defined authentication configuration to extend. + + + + + + + Enables anonymous authentication. + + + + + + + The name to use for authentication. + + + + + + + The name to use for authorization. 
+ + + + + + + The name of the host to use. + + + + + + + The protocol to use. + + + + + + + The port to use. + + + + + + + The realm to use. + + + + + + + Reference to a security domain to use for a forwarded identity. + + + + + + + + The type of identity forwarding to use when security-domain is specified. The value "authenticaiton" forwards + the identity of the currently authenticated user, including credentials. The value "authorization" forwards + the underlying authorization identity, which allows for a different identity to be used for authentication. + + + + + + + + + + + + The SASL mechanism selector string. Allows to specify allowed/forbidden SASL mechanisms. + + + + + + + Reference to a kerberos security factory used to obtain a GSS kerberos credential. + + + + + + + + + Authentication context definition. + + + + + + + An ordered list of match-rules to be defined on this authentication context. + + + + + + + Match based on abstract type. + + + + + + + Match based on abstract type authority. + + + + + + + Match based on host. + + + + + + + Match based on local security domain. + + + + + + + Match based on no user. + + + + + + + Match based on path. + + + + + + + Match based on port. + + + + + + + Match based on protocol. + + + + + + + Match based on urn. + + + + + + + Match based on user. + + + + + + + The AuthenticationConfiguration to use with this match. + + + + + + + The SSLContext to use with this match. + + + + + + + + + + The unique name for the authentication-context, note names used for authentication-contexts must be unique across the whole context. + + + + + + + Reference to a previously defined authentication context to extend. + + match-rules defined here are added after the rules of the parent. + + + + + + + + + + + Container of Provider configuration. + + + + + + + + + + + + A PrincipalDecoder definition that is actually an aggregation of other PrincipalDecoders. 
+ + + + + + + + + The name to use to represent this provider loader in the management model. + + + + + + + + + A reference to a Provider[] resource. + + + + + + + + + Definition of a single provider loader. + + + + + + + + + + + + + + + The name to use to represent this provider loader in the management model. + + + + + + + The name of the module to use to load the providers. + + If this is not specified the ClassLoader used to load the service will be used instead. + + + + + + + The fully qualified class names of the providers to load. + + If this attribute is not specified then service loader based discovery will be used instead. + + + + + + + The path to the configuration to use to initialise the provider. + + + + + + + A reference to a previously defined path that the path of the configuration is + relative to. + + + + + + + Argument to pass into the constructor as the Provider is instantiated. + + Can only be used where the class names to load are specified. + + + + + + + + + + + Container for the security domain definitions. + + + + + + + + + + + + + + + + The format type. + + + + + + + + + + + + The syslog transport method type. + + + + + + + + + + + + + Base type for all audit log types. + + + + + + The unique name for the audit log. + + + + + + + + + A security event listener definition that is actually an aggregation of other security event listeners. + + + + + + + + + + + + + + + A reference to a security event listener. + + + + + + + + + An audit log definition for persisting an audit log to a local file. + + + + + + + + The path to write the audit log to. + + + + + + + A reference to a previously defined path that the path of the audit log is + relative to. + + + + + + + Whether every event should be immediately synchronised to disk. + + + + + + + Whether every event should be immediately flushed to output stream. + When not specified, "synchronized" value is used. + + + + + + + The format to use to log the event. 
+ + + + + + + The file encoding to use. + + + + + + + + + + + An audit log definition for persisting an audit log to a local file rotating the log after a time period + derived from the given suffix string, which should be in a format understood by java.time.format.DateTimeFormatter. + + + + + + + + The suffix string in a format which can be understood by java.time.format.DateTimeFormatter. + The period of the rotation is automatically calculated based on the suffix. + + + + + + + + + + + An audit log definition for persisting an audit log to a local file rotating the log after the + size of the file grows beyond a certain point and keeping a fixed number of backups. + + + + + + + + The maximum number of files to backup when rotating. + + + + + + + Whether the file should be rotated before the a new file is set. + + + + + + + The log file size the file should rotate at. + + + + + + + Format of date used as suffix of log file names in java.time.format.DateTimeFormatter. + The suffix does not play a role in determining when the file should be rotated. + + + + + + + + + + + An audit log definition for persisting an audit log to a local file. + + + + + + + + Address of the server to send syslog messages to. + + + + + + + The port number the remote syslog server is listening on. + + + + + + + The transport to use to communicate with the syslog server. + + + + + + + The format to use to log the event. + + + + + + + The host name to send within all events sent to the syslog server. + + + + + + + The name of ssl-context used to secure connection to the syslog server. + Applies only when SSL_TCP transport is used. + + + + + + + The RFC format to be used for formatting the log entry, default value of RFC5424. + + + + + + + The maximum amount of failed reconnect attempts that should be made for sending messages to a syslog server before the endpoint is closed, default value of 0 (no reconnect attempts). 
+ + + + + + + + + + + A security event listener definition for a custom security event listener implementation. + + + + + + + + + The configuration to apply to the security event listener implementation. + + Note: If configuration is supplied the listener MUST implement a void initialize(Map<String, String>) method. + + + + + + + + + + + + + + + Container for the security domain definitions. + + + + + + + + + + + + Complex type for the definition of a single security domain. + + + + + + + + + + Which of the listed realms should be the default? + + + + + + + Reference to the PrincipalTransformer to be applied before the realm is selected. + + + + + + + Reference to the PrincipalTransformer to be applied after the realm is selected. + + + + + + + Reference to the PrincipalDecoder to be used by this domain. + + + + + + + Reference to an EvidenceDecoder to be used by the domain. + + + + + + + Reference to a RoleDecoder to be used by the domain. + + + + + + + Reference to a RealmMapper to be used by this security domain. + + + + + + + Reference to a RoleMapper to be used by the domain. + + + + + + + Reference to the PermissionMapper to be used by the domain. + + + + + + + A list of references to security domains that are trusted by this security domain. + + + + + + + A list of references to virtual security domains that are trusted by this security domain. + + + + + + + Where automatic outflow to a security domain is configured, if outflowing + the current identity is not authorized should the + anonymous identity of that domain be used instead? + + Outflowing an identity replaces any previously + established identity for the outflow domain for the + ongoing call, outflowing anonymous has the effect of + clearing the identity. + + + + + + + A list of references to security domains that any identity established for this + domain should automatically outflow to. 
+ + + + + + + Reference to a security event listener to be notified of security events + emitted from this domain. + + + + + + + + + A reference to a security realm. + + + + + + + The PrincipalTransformer to be associated with this realm. + + + + + + + The RoleDecoder to be associated with this realm. + + + + + + + The RoleMapper to be associated with this realm. + + + + + + + + + Container for the security realm definitions. + + + + + + + + Custom realm definitions can implement either the SecurityRealm interface or the ModifiableSecurityRealm interface. + + Regardless of which interface is implemented management operations will not be exposed to manage the realm. However other + services that depend on the realm will still be able to perform a type check and cast to gain access to the modification API. + + + + + + + Custom realm configured as being modifiable will be expected to implement the ModifiableSecurityRealm interface. + + By configuring a realm as being modifiable management operations will be made available to manipulate the realm. + + + + + + + + + + + + + + + + + + + + + Base type for all realm definitions. + + + + + + The unique name for the realm, note names used for realms must be unique across the whole context. + + + + + + + + + A realm definition that is an aggregation of two realms, one for the authentication steps + and one for loading the identity for the authorization steps. + + + + + + + + The name of the realm to use for the authentication steps (obtaining or validating credentials). + + + + + + + The name of the realm to use for the authorization steps (loading of the identity). + + Exactly one of 'authorization-realm' and 'authorization-realms' must be specified. + + + + + + + A list of security realms that should be used for the authorizations steps resulting in an + aggregation of attributes if the identity is contained in multiple realms. + + Exactly one of 'authorization-realm' and 'authorization-realms' must be specified. 
+ + + + + + + A principal transformer to be applied after the authentication steps but before the authorization + steps. + + + + + + + + + + + A realm definition that enables caching to another security realm. Caching strategy is LRU (Least Recently Used) where least accessed entries are discarded when maximum number of entries is reached. + + + + + + + + A reference to a cacheable security realm. + + + + + + + The maximum number of entries to keep in the cache. + + + + + + + The time in milliseconds that an item can stay in the cache. + + + + + + + + + + + Realm definition for a custom realm implementation. + + Generally subsystems that provide security realms should make them available + using the capabilities and requirements features of the application + server, this custom mechanism is provided for truly isolated realm implementations. + + + + + + + + + The configuration to apply to the SecurityRealm implementation. + + Note: If configuration is supplied the realm MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A realm definition for authentication and authorization of identities distributed between multiple realms. + + + + + + + + A list of security realms that should be used for authentication until one succeeds. + At least one realm must be specified. + + + + + + + Whether subsequent realms should be checked after an unavailable realm is reached. + If set to false or not set, when the unavailable realm is reached org.wildfly.security.auth.server.RealmUnavailableException is thrown and the search stops. + + + + + + + Whether a SecurityEvent signifying realm unavailability should be emitted. + + + + + + + + + + + A realm definition which wraps one realm and delegates to another in case the first is unavailable. + + + + + + + + The name of the realm to use as a default. + + + + + + + The name of the realm to use in case the default realm is unavailable. 
+ + + + + + + Whenever security events should be emitted when failover takes place. + + + + + + + + + + + Realm definition for a realm which contains a single pre-defined identity. + + + + + + + + The name of the identity available from the security realm. + + + + + + + The name of the attribute associated with this identity. + + + + + + + The values associated with the identity attributes. + + + + + + + + + + + A security realm definition backed by database using JDBC. + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + + + + + A realm definition which uses JAAS Login Context to verify user's credentials. + + + + + + + + + The location of the file with JAAS Login Context configuration. + + + + + + + + The name of the entry defined in JAAS configuration file that should be used. + + + + + + + The module with custom login module classes and optional custom callback handler class. + + + + + + + The class name of the callback handler to pass to JAAS Login Context. + + + + + + + + + + + The authentication query used to authenticate users based on specific key types. + + + + + + + + + + + + + + + The SQL statement used to obtain the keys(as table columns) for a specific user and map them accordingly with their type. + + + + + + + The name of the datasource used to connect to the database. + + + + + + + + + + + + + + + The configuration used to map a specific column in a table as an identity attribute. + + + + + + The column index from a query that representing the mapped attribute. + + + + + + + + + + + + The name of the identity attribute mapped from a column returned from a SQL query. + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Clear Password key type. + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Bcrypt key type. 
+ + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The column index from an authentication query that represents the password's salt, if supported. + + + + + + + + + + + + The column index from an authentication query that represents the password's iteration count, if supported. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + The encoding of the password salt. + + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Salted Simple Digest key type. + + + + + + The encryption algorithm name to use. + + + + + + + + + + + + + + + + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The column index from an authentication query that represents the password's salt, if supported. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + The encoding of the password salt. + + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Simple Digest key type. + + + + + + The encryption algorithm name to use. + + + + + + + + + + + + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Scram key type. + + + + + + The encryption algorithm name to use. + + + + + + + + + + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The column index from an authentication query that represents the password's salt, if supported. + + + + + + + + + + + + The column index from an authentication query that represents the password's iteration count, if supported. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + The encoding of the password salt. 
+ + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Modular Crypt key type. + + + + + + The column index from an authentication query that represents the user password in Modular Crypt Format. + + + + + + + + + + + + + + + + + Reference to the KeyStore to be used by this realm. + + + + + + + + + + + Realm definition for a realm backed by a properties file. + + + + + + + + + The location of the properties file containing the users and their passwords. + The file should contain realm name declaration. + + + + + + + + + Are the passwords in properties file stored in plain text or pre-hashed? + (Pre-hashed form: HEX( MD5( username ":" realm ":" password ) ) ) + + + + + + + The realm name to use for digested passwords if one is not discovered in the properties file. + + + + + + + + + + + The location of the properties file containing the users and their groups. + + + + + + + + The name of the attribute in the returned AuthorizationIdentity that should contain the group membership information for the identity. + + + + + + + The string format for the password in the properties file if they are not + stored in plain text. + + + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + + + + + + + A security realm definition backed by LDAP. + + + + + + + + + + + The name of dir-context used to connect to the LDAP server. + + + + + + + Should this realm instance support verification of credentials by directly connecting to LDAP as the account being authenticated? + + + + + + + Should direct verification in this realm to allow login attempt with blank password? + + + + + + + The string format for the password in the properties file if they are not + stored in plain text. + + + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + + + + + + A simple security realm definition backed by the filesystem. 
+ + + + + + + + + The location of the file to use to handle the security realm. + + + + + + + + The number of levels of directory hashing to apply + + + + + + + Whether the identity names should be stored encoded (Base32) in file names. + + + + + + + The string format for the password in the properties file if they are not + stored in plain text. + + + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + A reference to the credential store that contains the secret key used to encrypt and decrypt the filesystem-realm. + + + + + + + An alias to the secret key used to encrypt and decrypt the filesystem-realm. + + + + + + + A reference to the key store that contains the key pair to perform filesystem integrity checks. + + + + + + + The alias within the key-store that identifies the PrivateKeyEntry to use to perform filesystem integrity checks + + + + + + + + + + + + Realm definition for a token realm where authentication and authorization are handled by + a given token validator. + + + + + + + + + + + + The name of the claim that should be used to obtain the principal's name. Defaults to 'username'. + + + + + + + + + + + A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard. + + + + + + + + + The JWK kid. Tokens with the same kid will use this public key for signature verification. + + + + + + + RSA public key in PEM format. + + + + + + + + + + A list of strings representing the issuers supported by this configuration. During validation JWT tokens must have an "iss" claim that contains one of the values defined here. + + + + + + + A list of strings representing the audiences supported by this configuration. During validation JWT tokens must have an "aud" claim that contains one of the values defined here. + + + + + + + A public key in PEM Format. 
During validation, if a public key is provided, signature will be verified based on the key you provided here. + + + + + + + A key store from where the certificate with a public key should be loaded from. + + + + + + + The name of the certificate with a public key to load from the key store. + + + + + + + A predefined client-ssl-context that will be used to connect to the jwks endpoint specified in the jku token claim. This configuration is mandatory if you want to use remote keys with jku. + + + + + + + A policy that defines how host names should be verified when using HTTPS for fetching jwks. + + + + + + + + + A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validate them based on RFC-7662 (OAuth2 Token Introspection). + + + + + + The identifier of a client registered within the OAuth2 Authorization Server that will be used to authenticate this server in order to validate bearer tokens arriving to this server. + + + + + + + The secret of the client identified by the given client-id. + + + + + + + An URL pointing to a RFC-7662 OAuth2 Token Introspection compatible endpoint. + + + + + + + A predefined client-ssl-context that will be used to connect to the token introspection endpoint when using SSL/TLS. This configuration is mandatory if the given token introspection url is using SSL/TLS. + + + + + + + A policy that defines how host names should be verified when using HTTPS. Allowed values: "ANY". + + + + + + + + + The configuration options that define how to connect to the LDAP server. + + + + + + + + + + + The configuration options that define how to connect to the LDAP server. + + + + + + + + + + + + + + The credential reference to credential store or clear text (password) + to use to authenticate and connect to the LDAP server. + Can be omitted if authentication-level is "none" (anonymous). + + + + + + + + Name of the connection. Allows to refer the DirContext. + + + + + + + The connection url. 
+ + + + + + + The authentication level (security level/authentication mechanism) to use. + Corresponds to SECURITY_AUTHENTICATION ("java.naming.security.authentication") environment property. + Allowed values: "none", "simple", sasl_mech, where sasl_mech is a space-separated list of SASL mechanism names. + + + + + + + The principal to authenticate and connect to the LDAP server. + Can be omitted if authentication-level is "none" (anonymous). + + + + + + + Indicates if connection pooling is enabled. + + + + + + + If LDAP referrals should be followed. + Corresponds to REFERRAL ("java.naming.referral") environment property. + Allowed values: "ignore", "follow", "throw". + + + + + + + The name of ssl-context used to secure connection to the LDAP server. + + + + + + + The name of authentication-context used to secure connection and to authenticate to the LDAP server. + + + + + + + The timeout for connecting to the LDAP server in milliseconds. + + + + + + + The read timeout for an LDAP operation in milliseconds. + + + + + + + Name of module that will be used to load custom context. + + + + + + + + + The configuration options that define how principals are mapped to their corresponding entries in the underlying LDAP server. + + + + + + + The attribute mappings defined for this resource. + + + + + + + The user password credential mapping defined for this resource. + + + + + + + The user password credential mapping defined for this resource. + + + + + + + The X509 user certificate credential mapping defined for this resource. + + + + + + + The attributes of newly created identities. Required for modifiability. + + + + + + + + The RDN part of the principal's DN to be used to obtain the principal's name from an LDAP entry. + + + + + + + The base DN to be used when executing queries. + + + + + + + Indicates if queries are recursive. + + + + + + + The LDAP filter for getting identity by name. 
+ The string "{0}" will be replaced by searched identity name and the "rdn_identifier" will be the value of the attribute "rdn-identifier". + + + + + + + The LDAP filter for iterating over identities of the realm. Optional, but required for modifiability. + + + + + + + The DN of parent of newly created identities. Optional, but required for modifiability. + + + + + + + + + + + + + + + The configuration used to map a specific LDAP attribute as an identity attribute. + + + + + + The name of the LDAP attribute to map to an identity attribute. + If not defined, DN of the whole entry is used as value. + + + + + + + The name of the identity attribute mapped from a specific LDAP attribute. + If not provided, the name of the attribute is the same as define in 'from'. + If the 'from' is not defined too, value 'dn' is used. + + + + + + + The name of LDAP attribute containing DN of entry to obtain value from. + + + + + + + The filter to use to obtain the values for a specific attribute. + String "{0}" will be replaced by username, "{1}" by user identity DN. + + + + + + + The name of the context where the filter should be performed. + + + + + + + Indicates if attribute LDAP search queries are recursive. + + + + + + + Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion) + + + + + + + Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role. + Used only when role-recursion is set. + + + + + + + The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format. + + + + + + + + + The configuration used to map a specific LDAP attribute (userPassword usually) as an identity password credential. + + + + + + The name of the LDAP attribute to map to an identity user password credential. + + + + + + + If the password credential is writable. + + + + + + + If the password credential is verifiable. 
+ + + + + + + + + The configuration allowing to use the LDAP as storage of one time password (OTP) credentials. + + + + + + The name of the LDAP attribute to map to an OTP credential algorithm. + + + + + + + The name of the LDAP attribute to map to a Base64 encoded OTP credential hash. + + + + + + + The name of the LDAP attribute to map to an OTP credential seed. + + + + + + + The name of the LDAP attribute to map to an OTP credential sequence number. + + + + + + + + + The configuration allowing to use LDAP as storage of X509 credentials. + X509 credential is user certificate or information allowing to identify it. + (serial number, subject DN, digest of certificate) + At least one *-from attribute should be specified. This definition will be ignored otherwise. + If more *-from attributes is defined, user certificate must match all defined criteria. + + + + + + The name of the LDAP attribute to map to a user certificate digest. + If not defined, certificate digest will not be checked. + + + + + + + The digest algorithm (hash function) used to compute digest of the user certificate. + Will be used only if digest-from have been defined. + + + + + + + The name of the LDAP attribute to map to an encoded user certificate. + If not defined, encoded certificate will not be checked. + + + + + + + The name of the LDAP attribute to map to a serial number of user certificate. + If not defined, serial number will not be checked. + + + + + + + The name of the LDAP attribute to map to a subject DN of user certificate. + If not defined, subject DN will not be checked. + + + + + + + + + + + + + + + Attribute of newly created LDAP identity. + + + + + + The name of the LDAP attribute. + + + + + + + The value(s) of LDAP attribute delimited by space. + + + + + + + + + A container type to hold SecurityFactory definitions to obtain Credential instances. + + + + + + + + + + + + Base type for all SecurityFactory definitions which return a Credential. 
+ + + + + + The unique name for the SecurityFactory, note names used for SecurityFactories must be unique + across the whole context. + + + + + + + + + Generic definition for a custom credential SecurityFactory implementation. + + + + + + + + + The configuration to apply to the SecurityFactory implementation. + + Note: If configuration is supplied the SecurityFactory MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + + + + + The Krb5LoginModule additional option. + + + + + + + The key of the option. + + + + + + + The value of the option. + + + + + + + + + + The principal represented by the KeyTab + + + + + + + The path to the KeyTab to use to obtain the credential. + + + + + + + The name of another previously named path, or of one of the standard paths provided by the system. + If 'relative-to' is provided, the value of the 'path' attribute is treated as relative + to the path specified by this attribute. + + + + + + + How much lifetime (in seconds) should a cached credential have remaining before it is recreated. + + + + + + + How much lifetime (in seconds) should be requested for newly created credentials. + + + + + + + Amount of seconds before new try to obtain server credential should be done if it has failed last time. + Allows to prevent long waiting to unavailable KDC on every authentication. + + + + + + + If this for use server side or client side? + + + + + + + Should the KerberosTicket also be obtained and associated with the credential. + + This is required to be true where credentials are delegated to the server. + + + + + + + Should the JAAS step of obtaining the credential have debug logging enabled. + + + + + + + Should generated GSS credentials be wrapped to prevent improper disposal or not? + + + + + + + Is the keytab file with adequate principal required to exist at the time the service starts? + + + + + + + The mechanism names the credential should be usable with. 
+ Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute. + + + + + + + The mechanism OIDs the credential should be usable with. + Will be used together with OIDs derived from names from mechanism-names attribute. + + + + + + + + + + + + + A general container type to hold the various name rewriter and mapper definitions + as used within the subsystem. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Base type for all PermissionMapper definitions. + + + + + + The unique name for the PermissionMapper, note names used for PermissionMappers must be unique + across the whole context. + + + + + + + + + Generic definition for a custom PermissionMapper implementation. + + + + + + + + + The configuration to apply to the PermissionMapper implementation. + + Note: If configuration is supplied the PermissionMapper MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A PermissionMapper definition for a PermissionMapper that performs a logical operation using two referenced PermissionMappers. + + + + + + + + The logical operation to perform using the two referenced PermissionMappers. + + + + + + + Reference to the PermissionMapper to use to the left of the operation. + + + + + + + Reference to the PermissionMapper to use to the right of the operation. + + + + + + + + + + + The supported set of logical operations. + "and" assigns permissions which was assigned by both mappers + "or" assigns permissions which was assigned by at least one of mappers + "xor" assigns permissions which was assigned by exactly one of mappers + "unless" assigns permissions which was assigned by left mapper but not by right mapper + + + + + + + + + + + + + + A simple permission mapper that maps from defined principal and role names to predefined permissions. + + + + + + + + + + + + + + The name of the principal. + + + + + + + + + + + The name of the role. + + + + + + + + + + Deprecated. 
Use a reference to a 'permission-set' instead. + + + + + + The fully qualified class name of the permission. + + + + + + + The module to use to load the permission class. + + + + + + + The target-name to pass to the constructor of the permission. + + + + + + + The action to pass to the constructor of the permission. + + + + + + + + + + + + + + + + + + + + A RoleMapper definition that always returns a pre-defined set of permissions. + + + + + + + + + + Deprecated. Use a reference to a 'permission-set' instead. + + + + + + The fully qualified class name of the permission. + + + + + + + The module to use to load the permission class. + + + + + + + The target-name to pass to the constructor of the permission. + + + + + + + The action to pass to the constructor of the permission. + + + + + + + + + + + + + + + A reference to a permission set. + + + + + + + + + How multiple matching permission mappings will be combined. + + + + + + + + + + + + + + + + Base type for all PrincipalDecoder definitions. + + + + + + The unique name for the PrincipalDecoder, note names used for PrincipalDecoders must be unique + across the whole context. + + + + + + + + + Generic definition for a custom PrincipalDecoder implementation. + + + + + + + + + The configuration to apply to the PrincipalDecoder implementation. + + Note: If configuration is supplied the PrincipalDecoder MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A PrincipalDecoder definition that is actually an aggregation of other PrincipalDecoders. + + + + + + + + + + + + + + + A reference to a PrincipalDecoder + + + + + + + + + A PrincipalDecoder definition that is actually a concatenation of other PrincipalDecoders. + + + + + + + + + + + The string to use to join the results of the other PrincipalDecoders. + + + + + + + + + + + A PrincipalDecoder that always returns the same constant. + + + + + + + + The constant value that will always be returned by this PrincipalDecoder. 
+ + + + + + + + + + + A PrincipalDecoder definition based on a X500 attribute. + + + + + + + + The oid of the attribute to map. + + + + + + + The oid of the attribute to map. + + + + + + + + + The joining string. + + + + + + + The 0-based starting occurrence of the attribute to map. + + + + + + + The maximum number of occurrences of the attribute to map. + + + + + + + When set to true, the attribute values will be processed and returned in reverse order. + + + + + + + If the Principal is not already an X500Principal should conversion be attempted? + + + + + + + The OIDs of the attributes that must be present in the principal. + + + + + + + The attribute names of the attributes that must be present in the principal. + + + + + + + + + + + Base type for all PrincipalTransformer definitions. + + + + + + The unique name for the PrincipalTransformer, note names used for PrincipalTransformer must be unique + across the whole context. + + + + + + + + + A PrincipalTransformer definition using regular expressions and Matcher based + replacement. + + + + + + + + The regular expression to use for this PrincipalTransformer. + + + + + + + The replacement string for this PrincipalTransformer. + + + + + + + Should all occurrences be replaced or just the first? + + + + + + + + + + + A PrincipalTransformer that instead of rewriting the name validates that it is + correct according to the supplied regular expression. + + + + + + + + The regular expression to use for this PrincipalTransformer. + + + + + + + If set to true, the name must match the given pattern to make validation successful. + If set to false, the name must not match the given pattern to make validation successful. + + + + + + + + + + + A PrincipalTransformer that always returns the same constant. + + + + + + + + The constant value that will always be returned by this PrincipalTransformer. + + + + + + + + + + + Generic definition for a custom PrincipalTransformer implementation. 
+ + + + + + + + + The configuration to apply to the PrincipalTransformer implementation. + + Note: If configuration is supplied the PrincipalTransformer MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A PrincipalTransformer aggregating more PrincipalTransformers - original principal is tried to be transformed + by individual transformers in given order until some of them return non-null principal - that is returned. + + Typically can be used with chained principal transformers beginning with validating principal + transformer - to transform principals in different forms differently. + + + + + + + + + + + + + + + A PrincipalTransformer definition that is actually a chain of other PrincipalTransformers. + + + + + + + + + + + + + + + A PrincipalTransformer that adjusts a principal to upper or lower case. + + + + + + + + If set to true, principal is adjusted to upper case. If set to false, principal is adjusted + to lower case. + + + + + + + + + + + A reference to a PrincipalTransformer. + + + + + + + + + Base type for all RealmMapper definitions. + + + + + + The unique name for the RealmMapper, note names used for RealmMappers must be unique + across the whole context. + + + + + + + + + Generic definition for a custom RealmMapper implementation. + + + + + + + + + The configuration to apply to the RealmMapper implementation. + + Note: If configuration is supplied the RealmMapper MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A RealmMapper that always returns the same constant. + + + + + + + + The constant value that will always be returned by this RealmMapper. + + + + + + + + + + + A simple RealmMapper definition that attempts to extract the realm name using the capture group from the regular expression, if that does not provide a + match then the delegate RealmMapper is used instead. + + + + + + + + The regular expression which must contain at least one capture group to extract the realm from the name. 
+ If the regular expression matches more than one capture group, the first capture group is used. + + + + + + + The RealmMapper to delegate to if the pattern does not match. If no delegate is specified then the default realm on + the domain will be used instead. + + + + + + + + + + + A RealmMapper implementation that first uses a regular expression to extract the realm name, this is then converted using the configured mapping of realm names. + + + + + + + + + + + The realm name to map from. + + + + + + + The realm name to map to. + + + + + + + + + + The regular expression which must contain at least one capture group to extract the realm from the name. + If the regular expression matches more than one capture group, the first capture group is used. + + + + + + + The RealmMapper to delegate to if the pattern does not match. If no delegate is specified then the default realm on + the domain will be used instead. + If the username does not match the pattern and a delegate realm-mapper is present, the result of delegate-realm-mapper is mapped via the realm-map. + + + + + + + + + + + Base type for all RoleDecoder definitions. + + + + + + The unique name for the RoleDecoder, note names used for RoleDecoders must be unique + across the whole context. + + + + + + + + + Generic definition for a custom RoleDecoder implementation. + + + + + + + + + The configuration to apply to the RoleDecoder implementation. + + Note: If configuration is supplied the RoleDecoder MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A RoleDecoder definition that maps a single attribute to roles. + + + + + + + + The attribute to take from the identity and map directly to roles. + + + + + + + + + + + A RoleDecoder definition that maps roles based on the IP address of a remote client. + + + + + + + + The IP address to match. + + Exactly one of 'source-address' and 'pattern' must be specified. + + + + + + + A regular expression that specifies the IP address to match. 
+ + Exactly one of 'source-address' and 'pattern' must be specified. + + + + + + + The list of roles to assign if the IP address of the remote client matches. + + + + + + + + + + + A RoleDecoder definition that is actually an aggregation of other RoleDecoders. + + + + + + + + + + + + + + + A reference to a RoleDecoder. + + + + + + The name of the referenced RoleDecoder. + + + + + + + + + Base type for all RoleMapper definitions. + + + + + + The unique name for the RoleMapper, note names used for RoleMappers must be unique + across the whole context. + + + + + + + + + A RoleMapper definition that adds a specified prefix to every role. + + + + + + + + The prefix to add to each role. + + + + + + + + + + + A RoleMapper definition that adds a specified suffix to every role. + + + + + + + + The suffix to add to each role. + + + + + + + + + + + A RoleMapper definition that is actually an aggregation of other RoleMappers. + + + + + + + + + + + + + + + Generic definition for a custom RoleMapper implementation. + + + + + + + + + The configuration to apply to the RoleMapper implementation. + + Note: If configuration is supplied the RoleMapper MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A RoleMapper definition that always returns a pre-defined set of roles. + + + + + + + + + + + The role to be returned by the RoleMapper. + + + + + + + + + + + + + + The supported set of logical operations. + + + + + + + + + + + + + + A RoleMapper definition for a RoleMapper that performs a logical operation using two refereced RoleMappers. + + + + + + + + The logicial operation to perform using the two referenced RoleMappers. + + Allowed values: "and", "minus", "or", "xor". + + + + + + + Reference to the RoleMapper to use to the left of the operation. + + If not set the identity role mapper will be used instead. + + + + + + + Reference to the RoleMapper to use to the right of the operation. + + If not set the identity role mapper will be used instead. 
+ + + + + + + + + + + A RoleMapper implementation that uses the configured mapping of role names. + + + + + + + + + + + The role name to map from. + + + + + + + Space separated list of roles to map to. + + + + + + + + + + When set to 'true' the mapped roles will retain all roles, that have defined mappings. + + + + + + + When set to 'true' the mapped roles will retain all roles, that have no defined mappings. + + + + + + + + + + + A RoleMapper definition that uses pattern to find matching roles and then replaces these roles with replacement pattern. + Role matches the pattern in given pattern can be found in any substring of the role name. + + + + + + + + The pattern used for matching. Can capture groups. + + + + + + + The replacement string. Can make use of captured groups. + + + + + + + If true, keep roles that did not match the provided pattern. + + + + + + + If true, replace all occurrences of pattern and not only the first one. + + + + + + + + + + + A reference to a RoleMapper + + + + + + The name of the referenced RoleMapper. + + + + + + + + + An EvidenceDecoder that derives the principal associated with the given evidence from the subject from + the first certificate in the certificate chain. + + + + + + + + + + + An EvidenceDecoder that derives the principal associated with the given evidence from an X.509 subject + alternative name from the first certificate in the given evidence. + + + + + + + + The subject alternative name type to decode from the given evidence. + + + + + + + + + + + + + + + + + The 0-based occurrence of the subject alternative name to map. This attribute is optional and only + used when there is more than one subject alternative name of the given alt-name-type + + + + + + + + + + + An EvidenceDecoder definition that is an aggregation of other EvidenceDecoders. + + + + + + + + + + + + + + + Generic definition for a custom EvidenceDecoder implementation. + + + + + + + + + The configuration to apply to the EvidenceDecoder implementation. 
+ + Note: If configuration is supplied the EvidenceDecoder MUST implement the initialize(Map<String, String>) method. + + + + + + + + + + + + + A reference to an EvidenceDecoder + + + + + + + + + Base type for all EvidenceDecoder definitions. + + + + + + The unique name for the EvidenceDecoder, note names used for EvidenceDecoder must be unique + across the whole context. + + + + + + + + + + + Wrapper type to contain the configuration of the authentication mechanisms. + + + + + + + An ordered list of mechanism configurations, at the time of authentication the mechanism name, + host name, and protocol as specified by the mechanism will be compared against this list + for a first match. + + To configure a default configuration provide a definition with no mechanism-name, host-name, or + protocol and place it at the end of the list. Any definitions after a default definition will + never match. + + + + + + + + + + Definition of configuration to be used by authentication mechanisms. + + + + + + + + + This configuration will only apply where a mechanism with the name specified is used. + + If this attribute is omitted then this will match any mechanism name. + + + + + + + This configuration will only apply when the host name specified is provided by the mechanism. + + If this attribute is omitted then this will match any host name. + + + + + + + This configuration will only apply when the protocol specified is provided by the mechanism. + + If this attributed is omitted then this will match any protocol. + + + + + + + A principal transformer to apply before the realm is selected. + + + + + + + A principal transformer to apply after the realm is selected. + + + + + + + A final principal transformer to apply for this mechanism realm. + + + + + + + Reference to a RealmMapper to be used by this mechanism. + + + + + + + A reference to the security factory to obtain the credential for this mechanism. + + + + + + + + + + Definition of a realm name specific to the mechanism. 
+ + This is the realm name that a mechanism may present to the remote client being authenticated, if a mechanism + only supports a single realm then only the first will be used and the remainder ignored. + + If a mechanism does not support realm names then the entire list will be ignored. + + + + + + The name of the realm. + + + + + + + A principal transformer to apply before the realm is selected. + + + + + + + A principal transformer to apply after the realm is selected. + + + + + + + A final principal transformer to apply for this mechanism realm. + + + + + + + Reference to a RealmMapper to be used by this mechanism realm. + + + + + + + + + Container for the permission set definitions. + + + + + + + + + + + Definition of a permission set. + + + + + + + + + The fully qualified class name of the permission. + + + + + + + The module to use to load the permission class. + + + + + + + The target-name to pass to the constructor of the permission. + + + + + + + The action to pass to the constructor of the permission. + + + + + + + + + + The unique name for the permission set, note names used for permission sets must be unique across the whole context. + + + + + + + + + + + Complex type definition to hold the various HTTP definitions within the subsystem. + + + + + + + + + + + + + + + Complex type for the definition of the server side HTTP authentication policy. + + + + + + + + + + The security-domain referenced by this resource. + + + + + + + The http-server-mechanism-factory referenced by this resource. + + + + + + + + + Base type for all http server factory definitions. + + + + + + The unique name for the http server factory, note names used for http server factories must be unique across the whole context. + + + + + + + + + A HTTP server factory definition that is actually an aggregation of other HTTP server factories. 
+ + + + + + + + + + + + + + + A HTTP server factory definition that wraps another HTTP server factory and applies the specified configuration and filtering. + + + + + + + + + Filters to be applied to the available mechanisms by name. + + + + + + + + + + A regular expression that filters mechanism names using a regular expression pattern. + + + + + + + When set to true all mechanisms are disabled unless enabled by matching one of the defined filters. + + When set to false all mechanisms are enabled unless disabled by matching one of the defined filters. + + + + + + + + + + + + Additional properties that should be passed to the factory for HTTP mechanism detection and creation. + + + + + + + + + + + + + Reference to the HTTP server factory to be wrapped by this configuration. + + + + + + + + + + + A HTTP server factory definition that searches an array of Provider instances for all available HTTP server factories. + + + + + + + + Reference to the Provider[] capability to obtain the array of Providers to use. + + If not specified the system registered Providers are used instead. + + + + + + + + + + + A HTTP server factory definition that uses a ServiceLoader to search for HTTP server factory implementations. + + + + + + + + The name of the module to use. + + If this is not specified the ClassLoader used to load the service will be used instead. + + + + + + + + + + + A reference to a HTTP server mechanism factory. + + + + + + + + + + + Complex type definition type to hold the various SASL definitions within the subsystem. + + + + + + + + + + + + + + + + The SASL authentication policy for the server side. + + + + + + + + + + The security-domain referenced by this resource. + + + + + + + The sasl-server-factory referenced by this resource. + + + + + + + + + Base type for all sasl server factory definitions. + + + + + + The unique name for the sasl server factory, note names used for sasl server factories must be unique across the whole context. 
+ + + + + + + + + A SASL server factory definition that is actually an aggregation of other SASL server factories. + + + + + + + + + + + + + + + A SaslServerFactory definition that wraps another SaslServerFactory and applies the specified configuration and filtering. + + + + + + + + + Filters to be applied to the available mechanisms by name. + + + + + + + + + + When set to true all mechanisms are disabled unless enabled by matching one of the defined filters. + When set to false all mechanisms are enabled unless disabled by matching one of the defined filters. + + + + + + + A regular expression filter that filters mechanism names using a regular expression pattern. + + + + + + + A predefined filter to filter mechanisms. + + + + + + + + + + + + Additional properties that should be passed to the factory for SASL mechanism detection and creation. + + + + + + + + + + + + + Reference to the SaslServerFactory to be wrapped by this configuration. + + + + + + + Override the protocol specified when creating a SASL mechanism. + + + + + + + Override the server name specified when creating a SASL mechanism. + + + + + + + + + + + The supported set of predefined filters. + + + + + + + + + + + + + + + + + + + + + + + A SaslServerFactory definition that wraps another SaslServerFactory and enables filtering of mechanisms based on the mechanism name and Provider name and version. + + Any mechanisms loaded by factories not located using a Provider will not be filtered by this definition. + + + + + + + + + Filters to be applied to the available mechanisms by name. + + + + + + + + + + This configuration will only apply where a mechanism with the name specified is used. + + If this attribute is omitted then this will match any mechanism name. + + + + + + + The name of the provider to match against. + + + + + + + Version to compare against the version reported by the provider. 
+ + + + + + + When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. + + Setting to 'greater-than' has the opposite effect. + + Has no effect if a provider-version has not been specified in the filter. + + + + + + + + + + + + + Reference to the SaslServerFactory to be wrapped by this configuration. + + + + + + + When set to true all provider loaded mechanisms are disabled unless macthed by one of the filters defined here. + + When set to false all provider loaded mechanisms are enabled unless matched. + + Any mechanisms from a factory not loaded by a Provider are unaffected. + + + + + + + + + + + The type of equality check to use in a comparison. + + + + + + + + + + + + A SaslServerFactory definition that searches an array of Provider instances for all available SaslServerFactories. + + + + + + + + Reference to the Provider[] capability to obtain the array of Providers to use. + + If not specified the system registered Providers are used instead. + + + + + + + + + + + A SaslServerFactory definition that uses a ServiceLoader to search for SaslServerFactory implementations. + + + + + + + + The name of the module to use. + + If this is not specified the ClassLoader used to load the service will be used instead. + + + + + + + + + + + A reference to a SaslServerFactory + + + + + + + + + + + Complex type to contain the definitions of the various components needed + for SSL, the end result being that these components can be combined together to + create a fully defined SSLContext. + + + + + + + + + + + + + + + + + + + Container for KeyManager definitions. + + + + + + + + + + + Definition of a single KeyManager. + + + + + + + Credential to be used by the underlying KeyManager when accessing the entries in the underlying KeyStore. + + + + + + + + The unique name of this KeyManager. + + + + + + + The algorithm name to use to initialise the KeyManagerFactory. 
+ + + + + + + Reference to the KeyStore to use with the KeyManager. + + + + + + + A filter to apply to the aliases provided by KeyStore to choose key to use from keys in KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + The name of the provider to use to + instantiate the KeyManagerFactory, if the provider is not + specified then the first provider found that can + create an instance of the specified 'type' will be + used. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required KeyManagerFactory type. + + If this is not specified then the global list of Providers is used instead. + + + + + + + If this attribute is set and if the file that backs the KeyStore does not exist, then + a self-signed certificate will be generated on first use and it will be persisted to + the file that backs the KeyStore. The value of this attribute will be used for the + Common Name value in the self-signed certificate. + + The use of this attribute is intended for testing purposes only. This attribute is not + intended for production use. + + + + + + + + + Container for TrustManager definitions. + + + + + + + + + + + Definition of a single TrustManager. + + + + + + + + + + + The unique name of this TrustManager. + + + + + + + The algorithm name to use to initialise the TrustManagerFactory. + + + + + + + Reference to the KeyStore to use with the TrustManager. + + + + + + + A filter to apply to the aliases provided by KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + The name of the provider to use to + instantiate the TrustManagerFactory, if the provider is not + specified then the first provider found that can + create an instance of the specified 'type' will be + used. 
+ + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required TrustManagerFactory type. + + If this is not specified then the global list of Providers is used instead. + + + + + + + The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect. + + + + + + + Check revocation status only of leaf certificates. + + + + + + + Accept certificate if revocation status is unknown. + + + + + + + + + Enables certificate revocation list checks to a trust manager. + + + + + + The path to the configuration to use to initialise the provider. + + + + + + + The base path of the certificate revocation list file. + + + + + + + The maximum number of non-self-issued intermediate certificates that may exist in a certification path. + + + + + + + + + The presence of this element enables checking the peer's certificate against multiple certificate revocation lists. + + + + + + + + + + + The presence of this element enables checking the peer's certificate against a certificate revocation list. + + + + + + Path to the certificate revocation list. + + + + + + + The base path of the certificate revocation list file. + + + + + + + + + Enables online certificate status protocol checks to a trust manager. + + + + + + OCSP responder URI to override those extracted from certificate. + + + + + + + Prefer certificate revocation list revocation over OCSP if certificate-revocation-list is defined. + + + + + + + The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate being validated. + + + + + + + The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. + + + + + + + + + Container for Server SNI SSLContext definitions. 
+ + + + + + + + + + + Definitions of a single server side SNI SSLContext. + + + + + + + + + The unique name of this Server side SNI SSLContext. + + + + + + + The SSLContext to use if SNI is not in use + + + + + + + + + Definitions of a single server side SNI SSLContext. + + + + + + + The host name that this element matches. If it begins with a '*' it is considered a wildcard match. + + + + + + + The SSLContext to use if the name matches. + + + + + + + + + Container for Server SSLContext definitions. + + + + + + + + + + + Definitions of a single server side SSLContext. + + + + + + The unique name of this Server side SSLContext. + + + + + + + Reference to the SecurityDomain to use for authentication during SSL session establishment. + + + + + + + The filter to be applied to the cipher suites made available by this SSLContext. + + + + + + + The filter to be applied to the TLSv1.3 cipher suites made available by this SSLContext. + + + + + + + List of protocols supported by this SSLContext. + + + + + + + To request (but not to require) a client certificate on SSL handshake. + If a security domain is referenced and supports X509 evidence, this will be set to true automatically. + Ignored when need-client-auth is set. + + + + + + + To require a client certificate on SSL handshake. + Connection without trusted client certificate (see trust-manager) will be rejected. + + + + + + + Rejecting of the client certificate by the security domain will not prevent the connection. + Allows a fall through to use other authentication mechanisms (like form login) when the client certificate is rejected by security domain. + Has an effect only when the security domain is set. + This does not bypass the underlying trust manager check - see need-client-auth to allow connection without client certificate. + + + + + + + Configure the SSLContext to honor local cipher suites preference. + + + + + + + The maximum number of SSL sessions in the cache. 
The default value -1 means use the JVM default value. Value zero means there is no limit. + + + + + + + The timeout for SSL sessions, in seconds. The default value -1 means use the JVM default value. Value zero means there is no limit. + + + + + + + Should the resulting SSLEngine, SSLSocketFactory, and SSLSocket instances returned by this SSLContext + be wrapped to prevent further configuration changes. + + Note: The WildFly HTTP2 support requires raw access to these objects so if HTTP2 is being used this + should be set to false. + + + + + + + Reference to the KeyManager to be used by this SSLContext. + + + + + + + Reference to the TrustManager to be used by this SSLContext. + + + + + + + A principal transformer to apply before the realm is selected. + + + + + + + A principal transformer to apply after the realm is selected. + + + + + + + A final principal transformer to apply for this mechanism realm. + + + + + + + Reference to a RealmMapper to be used by this mechanism. + + + + + + + The name of the provider to use. + If not specified, all providers from providers will be passed to the SSLContext. + + + + + + + The name of the providers to obtain the Provider[] to use to load the SSLContext. + + + + + + + + + Container for client SSLContext definitions. + + + + + + + + + + + Definitions of a single client side SSLContext. + + + + + + The unique name of this client side SSLContext. + + + + + + + The filter to be applied to the cipher suites made available by this SSLContext. + + + + + + + The filter to be applied to the TLSv1.3 cipher suites made available by this SSLContext. + + + + + + + List of protocols supported by this SSLContext. + + + + + + + Reference to the KeyManager to be used by this SSLContext. + + + + + + + Reference to the TrustManagers to be used by this SSLContext. + + + + + + + The name of the provider to use. + If not specified, all providers from providers will be passed to the SSLContext. 
+ + + + + + + The name of the providers to obtain the Provider[] to use to load the SSLContext. + + + + + + + + + Container for the KeyStore definitions. + + + + + + + + + + + + + + + keystore implementation details + + + + + + The KeyStore type, e.g. jks, pkcs#12. + + + + + + + The name of the provider to use to + instantiate the KeyStore, if the provider is not + specified then the first provider found that can + create an instance of the specified 'type' will be + used. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required KeyStore type. + + If this is not specified then the global list of Providers is used instead. + + + + + + + + + + An individual names KeyStore definition. + + + + + + + The credential reference to credential store or clear text (password) + to use to initialize or load the KeyStore. + + + + + + + Implementation details + + + + + + + The location of the file to use to initialise the KeyStore instance. + + + + + + + + + A filter to apply to the aliases made available by this KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + + + An individual names LdapKeyStore definition. + + + + + + + Configuration for item creation. Define how will look LDAP entry of newly created keystore item. + + + + + + + + Attribute of newly created entry. At least objectClass attribute and required + attributes (which are not part of keystore item) should be defined here. + + + + + + + The LDAP attribute name. + + + + + + + The default value(s) of LDAP attribute delimited by space. + + + + + + + + + + The LDAP path, where will be newly created keystore items created. + + + + + + + The LDAP attribute name, which will be part of new entry path. + Into value of this attribute will be passed alias of the keystore item. 
+ (Can be independent on alias-attribute - alias is used here only as initial entry name, + as it is only identification of item, which keystore has.) + + + + + + + + + Search LDAP configuration + + + + + + + The LDAP path, where will be keystore items searched. + + + + + + + If the search in search-path should be recursive. + + + + + + + The time limit for LDAP search in milliseconds. + + + + + + + The LDAP filter, which will be used to obtain keystore item by alias. + The string "{0}" will be replaced by the searched alias and the "alias_attribute" value will be the value of the attribute "alias-attribute". + + + + + + + The LDAP filter, which will be used to obtain keystore item by certificate. + The string "{0}" will be replaced by searched encoded certificate and the "certificate_attribute" will be the value of the attribute "certificate-attribute". + + + + + + + The LDAP filter, which will be used to obtain keystore item by certificate. + The "alias_attribute" will be the value of the attribute "alias-attribute". + + + + + + + + + Mapping of keystore item parts to LDAP attributes. + + + + + + + The LDAP attribute, where is item alias expected. + + + + + + + The LDAP attribute, where is encoded certificate expected. + + + + + + + The type of certificate. Used for decoding of byte array from certificate-attribute. + For possible certificate types see Java documentation of CertificateFactory. + + + + + + + The LDAP attribute, where is encoded certificate expected. + + + + + + + The encoding of CertPath, which is used to store certificate chain into certificate-chain-attribute. + For possible chain encodings see Java documentation of CertPath. + + + + + + + + The LDAP attribute, where is encoded key expected. + + + + + + + The type of key. Used for decoding of byte array from key-attribute. + For possible KeyStore types see Java documentation of KeyStore. + + + + + + + + + + The name of ldap-key-store used to referencing it. 
+ + + + + + + The name of dir-context used to connect to the LDAP server. + + + + + + + + + An individual names filtering KeyStore definition. + + + + + + + The name of key-store, which will be used as source of data. + + + + + + + A filter to apply to the aliases made available by this KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + + + Container for certificate authority account definitions. + + + + + + + + + + + Definition of a single certificate authority account. + + + + + + + + + The unique name of this certificate authority account. + + + + + + + The reference to certificate authority to use. + + + + + + + A list of URLs that the certificate authority can contact about any issues related to this account. + + + + + + + + + Container for certificate authority definitions. + + + + + + + + + + + Definition of a single certificate authority. + + + + + + The unique name of this certificate authority. + + + + + + + URL of the certificate authority. + + + + + + + URL of the certificate authority to use in pre-production. + + + + + + + + + Definition of a certificate authority account key. + + + + + + + Credential to be used when accessing the certificate authority account key. + + + + + + + + Reference to the KeyStore that contains the certificate authority account key. + + + + + + + The alias of the certificate authority account key in the KeyStore. + + + + + + + + + + + Complex type to contain the definitions of the credential stores. + + + + + + + + + + + + An individual credential store definition. + + + + + + + Map of credentials store implementation specific properties. + + + + + + + + + + + + Credential to be used by as protection parameter for the Credential Store. + + + + + + + + + The credential store type, e.g. KeyStoreCredentialStore. + + + + + + + The name of the provider to use to instantiate the CredentialStoreSpi. 
+ If the provider is not specified then the first provider found that can + create an instance of the specified 'type' will be used. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required CredentialStore type. + If this is not specified then the global list of Providers is used instead. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required JCA objects within credential store. + This is valid only for key-store based CredentialStore. + If this is not specified then the global list of Providers is used instead. + + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + File name of credential store storage. + + Deprecated: Use "path" attribute instead. + + + + + + + File name of credential store storage. + + + + + + + Specifies whether credential store is modifiable. + + + + + + + Specifies whether credential store should create storage when it doesn't exist. + + + + + + + + + A simple credential store which stores SecretKeyCredential instances in a properties file. + + This credential store does not encrypt the stored keys, the purpose of this credential store is + to provide initial access to keys used to protect other configuration values. + + + + + + The unique name of this credential store definition. + + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + The path to the credential store file. + + + + + + + Specifies whether credential store should create storage when it doesn't exist. + + + + + + + If an entry with the default-alias does not exist should one be dynamically added using the + configured key-size? + + + + + + + The default key size when generating secret keys. + + + + + + + The default alias to use if dynamically adding an entry. 
+ + + + + + + + + + + An expression resolver backed by a list of sub-expression resolvers which can be used to decrypt encrypted expressions. + + + + + + + + + The default resolver to use for expressions which do not specify the name of the resolver. + + + + + + + The prefix for expressions that should be resolved using this expression resolver. + + + + + + + + + Definition of a single expression resolver. + + + + + + The unique name of this expression resolver. + + + + + + + Reference to the credential store which contains the secret key to be used by this resolver. + + + + + + + The alias of the secret key contained within the credential store. + + + + + + + + + + + Minimal attributes required to specify the location to a file. + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + The remaining path to the file referenced. + + + + + + + + + Minimal attributes required to specify the location to a file. + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + The remaining path to the file referenced. + + + + + + + + + A reference to a file. + + + + + + + + It is possible that a KeyStore definition can be created to a + non-existent file and the file be automatically created when the store is saved, however + no error will be reported where the file does not exist to begin with. + + If the intent is that the store will always exist in advance set + this to 'true' so that an error will be reported if the file is missing. + + + + + + + + + + The attributes required for a custom component. + + + + + + The module to use to load the custom component. + + + + + + + The fully qualified class name of the custom component implementation to + load. + + The specified class must have a public no-args constructor. + + + + + + + + + The optional configuration for a custom component. + + + + + + + + + + A list of String. + + + + + + + + A definition that sets up a policy provider. 
+ + + + + + + + + + The name of the policy provider definition. + + + + + + + + + A policy provider definition that sets up JACC and related services. + + + + + + The name of a java.security.Policy implementation referencing a policy provider. + + + + + + + The name of a javax.security.jacc.PolicyConfigurationFactory implementation referencing a policy configuration factory provider. + + + + + + + The name of the module to load the provider from. + + + + + + + + + A custom policy provider definition. + + + + + + The name of a java.security.Policy implementation referencing a policy provider. + + + + + + + The name of the module to load the provider from. + + + + + + + + + JASPI Configurations. + + + + + + + + + + + An individual JASPI configuration. + + + + + + + + + + + + + + + The name of this JASPI configuration. + + + + + + + The layer this configuration should be associated with. + + If set to '*' this configuration will be associated with all layers and resolved according the the + resolution rules defined within the JSR-196 specification. + + + + + + + The application context this configuration should be associated with. + + If set to '*' this configuration will be associated with all application contexts and resolved according the the + resolution rules defined within the JSR-196 specification. + + + + + + + Descrption for this JASPI configuration. + + + + + + + + + + + Configuration options to be passed into the ServerAuthModule during initialisation. + + + + + + + + + + + + + The fully qualified class name of the class implementing the ServerAuthModule interface. + + + + + + + The name of the module to use to load the ServerAuthModule. + + + + + + + The control flag to control how the response from this module is interpreted. + + + + + + + + + The control flag for JASPI modules. + + + + + + + + + + + + + + Allowed key sizes. + + + + + + + + + + + + + A host name verification policy. 
+ + + + + + + + + + + + Complex type for the definition of a single virtual security domain. + + + + + + + Where automatic outflow to a security domain is configured, if outflowing + the current identity is not authorized should the + anonymous identity of that domain be used instead? + + Outflowing an identity replaces any previously + established identity for the outflow domain for the + ongoing call, outflowing anonymous has the effect of + clearing the identity. + + + + + + + A list of references to security domains that any identity established for this + virtual domain should automatically outflow to. + + + + + + + The authentication mechanism that will be used with the virtual security domain. + Allowed values: 'OIDC', 'MP-JWT'. + The default value is 'OIDC'. + + + + + + + + + + Container for client dynamic SSL context definitions. + + + + + + + + + + + Definitions of a single client side dynamic SSL context. This context chooses SSL context based on peer's host and port information. + + + + + + The unique name of this client side dynamic SSL context. + + + + + + + The authentication context that will be used to query for rules when deciding which ssl context to use when connecting to a peer. + + + + + + From 4b4840032ec8484beecfa494e7de069adfa89eac Mon Sep 17 00:00:00 2001 
From: Prarthona Paul Date: Wed, 3 Jul 2024 11:51:27 -0400 Subject: [PATCH 2/2] WFCORE-6802 [Preview] OCSP stapling support --- elytron/pom.xml | 1 + .../elytron/ElytronDescriptionConstants.java | 9 + .../elytron/ElytronSubsystemSchema.java | 4 +- .../extension/elytron/SSLDefinitions.java | 224 ++++++++-- .../wildfly/extension/elytron/TlsParser.java | 62 +++ .../extension/elytron/TrivialService.java | 8 +- .../_private/ElytronSubsystemMessages.java | 2 + .../elytron/LocalDescriptions.properties | 11 + .../schema/wildfly-elytron_preview_18_0.xsd | 88 +++- .../extension/elytron/TlsTestCase.java | 55 ++- .../elytron-subsystem-preview-18.0.xml | 404 ++++++++++++++++++ pom.xml | 2 +- 12 files changed, 833 insertions(+), 37 deletions(-) create mode 100644 elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml diff --git a/elytron/pom.xml b/elytron/pom.xml index cc8111ab237..9104c075546 100644 --- a/elytron/pom.xml +++ b/elytron/pom.xml @@ -414,6 +414,7 @@ jacc-with-providers.xml legacy*.xml elytron-subsystem-community*.xml + elytron-subsystem-preview*.xml src/main/resources/schema/wildfly-elytron_18_0.xsd diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java index 87fd07f4ae6..d1d8d47f1be 100644 --- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java +++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java @@ -12,6 +12,7 @@ */ interface ElytronDescriptionConstants { + String ACCEPT_OCSP_STAPLING = "accept-ocsp-stapling"; String ACCOUNT_KEY = "account-key"; String ACTION = "action"; String ACTIVE_SESSION_COUNT = "active-session-count"; 
@@ -73,6 +74,8 @@ interface ElytronDescriptionConstants { String BCRYPT_MAPPER = "bcrypt-mapper"; String CAA_IDENTITIES = "caa-identities"; + String CACHE_SIZE = "cache-size"; + String CACHE_LIFETIME = "cache-lifetime"; String CACHING_REALM = "caching-realm"; String CASE_PRINCIPAL_TRANSFORMER = "case-principal-transformer"; String CALLBACK_HANDLER = "callback-handler"; @@ -246,6 +249,7 @@ interface ElytronDescriptionConstants { String IDENTITY_MAPPING = "identity-mapping"; String IDENTITY_REALM = "identity-realm"; String IGNORE_UNAVAILABLE_REALMS = "ignore-unavailable-realms"; + String IGNORE_EXTENSIONS = "ignore-extensions"; String IMPLEMENTATION = "implementation"; String IMPLEMENTATION_PROPERTIES = "implementation-properties"; String IMPORT_CERTIFICATE = "import-certificate"; @@ -366,6 +370,8 @@ interface ElytronDescriptionConstants { String OBTAIN_CERTIFICATE = "obtain-certificate"; String OBTAIN_KERBEROS_TICKET = "obtain-kerberos-ticket"; String OCSP = "ocsp"; + String OCSP_STAPLING = "ocsp-stapling"; + String OCSP_STAPLING_SOFT_FAIL = "ocsp-stapling-soft-fail"; String OID = "oid"; String ONLY_LEAF_CERT = "only-leaf-cert"; String OPERATIONS = "operations"; @@ -467,6 +473,9 @@ interface ElytronDescriptionConstants { String RESPONDER = "responder"; String RESPONDER_CERTIFICATE = "responder-certificate"; String RESPONDER_KEYSTORE = "responder-keystore"; + String RESPONDER_OVERRIDE = "responder-override"; + String RESPONDER_URI = "responder-uri"; + String RESPONSE_TIMEOUT = "response-timeout"; String REVERSE = "reverse"; String REVOKE_CERTIFICATE = "revoke-certificate"; String RIGHT = "right"; diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java index 14f6e99baa4..af518cc5178 100644 --- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java 
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java @@ -193,7 +193,9 @@ private void addCredentialStoreParser(PersistentResourceXMLDescription.Persisten private void addTlsParser(PersistentResourceXMLDescription.PersistentResourceXMLBuilder builder) { TlsParser tlsParser = new TlsParser(); - if (this.since(ElytronSubsystemSchema.VERSION_18_0_COMMUNITY) && this.enables(getDynamicClientSSLContextDefinition())) { + if (this.since(ElytronSubsystemSchema.VERSION_18_0_PREVIEW) && this.enables(SSLDefinitions.OCSP_STAPLING)) { + builder.addChild(tlsParser.tlsParserPreview_18_0); + } else if (this.since(ElytronSubsystemSchema.VERSION_18_0_COMMUNITY) && this.enables(getDynamicClientSSLContextDefinition())) { builder.addChild(tlsParser.tlsParserCommunity_18_0); } else if (this.since(ElytronSubsystemSchema.VERSION_14_0)) { builder.addChild(tlsParser.tlsParser_14_0); diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java b/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java index e46fbfc91da..938e2e23038 100644 --- a/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java +++ b/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java @@ -26,6 +26,7 @@ import static org.wildfly.extension.elytron.FileAttributeDefinitions.RELATIVE_TO; import static org.wildfly.extension.elytron.FileAttributeDefinitions.pathName; import static org.wildfly.extension.elytron._private.ElytronSubsystemMessages.ROOT_LOGGER; +import static org.wildfly.security.provider.util.ProviderUtil.findProvider; import java.io.File; import java.io.FileInputStream; 
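Review bot: The new preview branch selects `tlsParserPreview_18_0` only on `this.enables(SSLDefinitions.OCSP_STAPLING)`, yet that parser (TlsParser hunk at -371) also registers `dynamicClientSslContextParser` without the `this.enables(getDynamicClientSSLContextDefinition())` guard the community branch keeps on the next line. If preview stability necessarily enables community-level features this is correct but not obvious from the condition; a comment such as `// PREVIEW implies COMMUNITY, so the dynamic client SSL context is enabled here as well` would record the assumption. addTlsParser continues outside the hunk.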
@@ -232,6 +233,36 @@ class SSLDefinitions { //.setDefaultValue(new ModelNode(CipherSuiteSelector.OPENSSL_DEFAULT_CIPHER_SUITE_NAMES)) .build(); + static final SimpleAttributeDefinition ACCEPT_OCSP_STAPLING = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.ACCEPT_OCSP_STAPLING, ModelType.BOOLEAN, true) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .setDefaultValue(ModelNode.FALSE) + .build(); + + static final SimpleAttributeDefinition OCSP_STAPLING_SOFT_FAIL = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.OCSP_STAPLING_SOFT_FAIL, ModelType.BOOLEAN, true) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .setDefaultValue(ModelNode.TRUE) + .build(); + + static final SimpleAttributeDefinition ACCEPT_OCSP_RESPONDER_CERTIFICATE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONDER_CERTIFICATE, ModelType.STRING, true) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .setRequired(false) + .build(); + + static final SimpleAttributeDefinition ACCEPT_OCSP_RESPONDER_KEYSTORE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONDER_KEYSTORE, ModelType.STRING, true) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .setCapabilityReference(KEY_STORE_CAPABILITY, SSL_CONTEXT_CAPABILITY) + .setRequired(false) + .setRequires(ElytronDescriptionConstants.RESPONDER_CERTIFICATE) + .build(); + private static final String[] ALLOWED_PROTOCOLS = { "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" }; static final StringListAttributeDefinition PROTOCOLS = new StringListAttributeDefinition.Builder(ElytronDescriptionConstants.PROTOCOLS) 
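Review bot: `OCSP_STAPLING_SOFT_FAIL` defaults to `ModelNode.TRUE`, so a client SSL context that opts into stapling is fail-open unless the administrator also sets soft-fail to false, and nothing near the definition says so; either default to `ModelNode.FALSE` or add `// fail-open by default: an absent or unverifiable stapled response does not reject the peer (see X509RevocationTrustManager soft-fail semantics)` and state the same in LocalDescriptions. `.setRequired(false)` on `ACCEPT_OCSP_RESPONDER_CERTIFICATE` and `ACCEPT_OCSP_RESPONDER_KEYSTORE` repeats the `true` optional flag already passed as the builder's third constructor argument. The keystore attribute requires the certificate alias but not the reverse, so an alias without a keystore passes model validation and is unusable at start; add `.setRequires(ElytronDescriptionConstants.RESPONDER_KEYSTORE)` to the certificate attribute as well.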
@@ -398,6 +429,55 @@ class SSLDefinitions { .setRestartAllServices() .build(); + static final SimpleAttributeDefinition RESPONSE_TIMEOUT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONSE_TIMEOUT, ModelType.INT, true) + .setValidator(new IntRangeValidator(1)) + .setDefaultValue(new ModelNode(5000)) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + + static final SimpleAttributeDefinition CACHE_SIZE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CACHE_SIZE, ModelType.INT, true) + .setDefaultValue(new ModelNode(256)) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + + static final SimpleAttributeDefinition CACHE_LIFETIME = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CACHE_LIFETIME, ModelType.INT, true) + .setDefaultValue(new ModelNode(3600)) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + + static final SimpleAttributeDefinition RESPONDER_URI = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONDER_URI, ModelType.STRING, true) + .setRequires(ElytronDescriptionConstants.RESPONDER_OVERRIDE) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + + static final SimpleAttributeDefinition RESPONDER_OVERRIDE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.RESPONDER_OVERRIDE, ModelType.BOOLEAN, true) + .setDefaultValue(ModelNode.FALSE) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + + static final SimpleAttributeDefinition IGNORE_EXTENSIONS = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.IGNORE_EXTENSIONS, ModelType.BOOLEAN, true) + .setDefaultValue(ModelNode.FALSE) + .setAllowExpression(true) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + + static final 
ObjectTypeAttributeDefinition OCSP_STAPLING = new ObjectTypeAttributeDefinition.Builder(ElytronDescriptionConstants.OCSP_STAPLING, RESPONSE_TIMEOUT, CACHE_SIZE, CACHE_LIFETIME, RESPONDER_URI, RESPONDER_OVERRIDE, IGNORE_EXTENSIONS) + .setRequired(false) + .setRestartAllServices() + .setStability(Stability.PREVIEW) + .build(); + /* * Runtime Attributes */ @@ -941,31 +1021,6 @@ private File resolveFileLocation(String path, String relativeTo, InjectedValue
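Review bot: `CACHE_SIZE` and `CACHE_LIFETIME` carry no validator while `RESPONSE_TIMEOUT` directly above rejects values below 1, so a zero or negative cache size or lifetime reaches the SSL context builder unchecked; add `.setValidator(new IntRangeValidator(0))` (or 1, whichever the underlying builder accepts) to both. The defaults `5000` and `3600` give no hint of their unit; a short comment on each definition, e.g. `// unit as consumed by X509RevocationTrustManager — TODO confirm (ms vs s)`, mirrored in LocalDescriptions, would stop operators guessing. `RESPONDER_URI` declares `.setRequires(ElytronDescriptionConstants.RESPONDER_OVERRIDE)` before `RESPONDER_OVERRIDE` is defined, which works because the requirement is by name, but ordering the two the other way round reads more naturally.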

(SSLContext.class, ServiceController.Mode.ACTIVE, ServiceController.Mode.PASSIVE, attributes, SSL_CONTEXT_RUNTIME_CAPABILITY) { @@ -1316,7 +1371,29 @@ protected ValueSupplier getValueSupplier(ServiceBuilder final int maximumSessionCacheSize = MAXIMUM_SESSION_CACHE_SIZE.resolveModelAttribute(context, model).asInt(); final int sessionTimeout = SESSION_TIMEOUT.resolveModelAttribute(context, model).asInt(); final boolean wrap = WRAP.resolveModelAttribute(context, model).asBoolean(); - + final String ocspStapling = OCSP_STAPLING.resolveModelAttribute(context, model).asStringOrNull(); + final int responseTimeout; + final int cacheSize; + final int cacheLifetime; + final String responderURI; + final boolean responderOverride; + final boolean ignoreExtensions; + + if (ocspStapling != null) { + responseTimeout = RESPONSE_TIMEOUT.resolveModelAttribute(context, model).asInt(); + cacheSize = CACHE_SIZE.resolveModelAttribute(context, model).asInt(); + cacheLifetime = CACHE_LIFETIME.resolveModelAttribute(context, model).asInt(); + responderURI = RESPONDER_URI.resolveModelAttribute(context, model).asString(); + responderOverride = RESPONDER_OVERRIDE.resolveModelAttribute(context, model).asBoolean(); + ignoreExtensions = IGNORE_EXTENSIONS.resolveModelAttribute(context, model).asBoolean(); + } else { + responseTimeout = 0; + cacheSize = 0; + cacheLifetime = 0; + responderURI = null; + responderOverride = false; + ignoreExtensions = false; + } return () -> { SecurityDomain securityDomain = securityDomainInjector.getOptionalValue(); X509ExtendedKeyManager keyManager = getX509KeyManager(keyManagerInjector.getOptionalValue()); 
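Review bot: `RESPONSE_TIMEOUT`, `CACHE_SIZE`, `CACHE_LIFETIME`, `RESPONDER_URI`, `RESPONDER_OVERRIDE` and `IGNORE_EXTENSIONS` are fields of the `OCSP_STAPLING` object attribute, yet each is resolved against the resource-level `model`, so the nested values an operator configures are never read and every server context gets the defaults. Resolve the object once, test it with `isDefined()` rather than `asStringOrNull()`, and pass the resolved node as the model for the nested attributes; `RESPONDER_URI` has no default, so `.asString()` on an omitted URI will not yield null either — use `.asStringOrNull()` as the surrounding code does. The `ocspStapling != null` guard in the next hunk (-1366) needs the same boolean. getValueSupplier continues outside the hunk.
```java
final ModelNode ocspStaplingNode = OCSP_STAPLING.resolveModelAttribute(context, model);
final boolean ocspStaplingConfigured = ocspStaplingNode.isDefined();
// … unchanged: final int/String/boolean local declarations …
if (ocspStaplingConfigured) {
    responseTimeout = RESPONSE_TIMEOUT.resolveModelAttribute(context, ocspStaplingNode).asInt();
    cacheSize = CACHE_SIZE.resolveModelAttribute(context, ocspStaplingNode).asInt();
    cacheLifetime = CACHE_LIFETIME.resolveModelAttribute(context, ocspStaplingNode).asInt();
    responderURI = RESPONDER_URI.resolveModelAttribute(context, ocspStaplingNode).asStringOrNull();
    responderOverride = RESPONDER_OVERRIDE.resolveModelAttribute(context, ocspStaplingNode).asBoolean();
    ignoreExtensions = IGNORE_EXTENSIONS.resolveModelAttribute(context, ocspStaplingNode).asBoolean();
} else {
    // … unchanged: zero/null/false defaults …
}
```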
@@ -1366,6 +1443,15 @@ protected ValueSupplier getValueSupplier(ServiceBuilder .setSessionTimeout(sessionTimeout) .setWrap(wrap); + if (ocspStapling != null) { + builder.setResponseTimeout(responseTimeout) + .setCacheSize(cacheSize) + .setCacheLifetime(cacheLifetime) + .setResponderURI(responderURI) + .setResponderOverride(responderOverride) + .setIgnoreExtensions(ignoreExtensions); + } + if (ROOT_LOGGER.isTraceEnabled()) { ROOT_LOGGER.tracef( "ServerSSLContext supplying: securityDomain = %s keyManager = %s trustManager = %s " @@ -1461,7 +1547,7 @@ static ResourceDefinition getClientSSLContextDefinition(boolean serverOrHostCont .build(); AttributeDefinition[] attributes = new AttributeDefinition[]{CIPHER_SUITE_FILTER, CIPHER_SUITE_NAMES, PROTOCOLS, - KEY_MANAGER, TRUST_MANAGER, providersDefinition, PROVIDER_NAME}; + KEY_MANAGER, TRUST_MANAGER, providersDefinition, PROVIDER_NAME, ACCEPT_OCSP_STAPLING, OCSP_STAPLING_SOFT_FAIL, ACCEPT_OCSP_RESPONDER_CERTIFICATE, ACCEPT_OCSP_RESPONDER_KEYSTORE}; AbstractAddStepHandler add = new TrivialAddHandler(SSLContext.class, attributes, SSL_CONTEXT_RUNTIME_CAPABILITY) { @Override 
@@ -1475,15 +1561,41 @@ protected ValueSupplier getValueSupplier(ServiceBuilder final List protocols = PROTOCOLS.unwrap(context, model); final String cipherSuiteFilter = CIPHER_SUITE_FILTER.resolveModelAttribute(context, model).asString(); // has default value, can't be null final String cipherSuiteNames = CIPHER_SUITE_NAMES.resolveModelAttribute(context, model).asStringOrNull(); // doesn't have a default value yet since we are disabling TLS 1.3 by default + final boolean acceptOCSPStapling = ACCEPT_OCSP_STAPLING.resolveModelAttribute(context, model).asBoolean(); + final boolean softFail = OCSP_STAPLING_SOFT_FAIL.resolveModelAttribute(context, model).asBoolean(); + final String trustManagerName = TRUST_MANAGER.resolveModelAttribute(context,model).asString(); + String responderCertAlias = ACCEPT_OCSP_RESPONDER_CERTIFICATE.resolveModelAttribute(context, model).asStringOrNull(); + String responderKeystore = ACCEPT_OCSP_RESPONDER_KEYSTORE.resolveModelAttribute(context, model).asStringOrNull(); + return () -> { X509ExtendedKeyManager keyManager = getX509KeyManager(keyManagerInjector.getOptionalValue()); X509ExtendedTrustManager trustManager = getX509TrustManager(trustManagerInjector.getOptionalValue()); Provider[] providers = filterProviders(providersInjector.getOptionalValue(), providerName); + if (providers == null) { + providers = filterProviders(java.security.Security.getProviders(), providerName); + } SSLContextBuilder builder = new SSLContextBuilder(); if (keyManager != null) builder.setKeyManager(keyManager); + if (acceptOCSPStapling) { + final String algorithm = TrustManagerFactory.getDefaultAlgorithm(); + Provider provider = findProvider(providers, providerName, TrustManagerFactory.class, algorithm); + final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm(), provider); + X509RevocationTrustManager.Builder revocationBuilder = X509RevocationTrustManager.builder(); + 
revocationBuilder.setTrustManagerFactory(trustManagerFactory); + revocationBuilder.setTrustStore(getModifiableTrustManagerService(context, trustManagerName).getModifiableValue()); + revocationBuilder.setOcspResponderCert((X509Certificate) getModifiableKeyStoreService(context, responderKeystore).getModifiableValue().getCertificate(responderCertAlias)); + revocationBuilder.setCheckRevocation(true); + revocationBuilder.setSoftFail(softFail); + trustManager = revocationBuilder.build(); + } + if (trustManager != null) builder.setTrustManager(trustManager); - if (providers != null) builder.setProviderSupplier(() -> providers); + if (providers != null) { + Provider[] finalProviders = providers; + builder.setProviderSupplier(() -> finalProviders); + } + builder.setCipherSuiteSelector(CipherSuiteSelector.aggregate(cipherSuiteNames != null ? CipherSuiteSelector.fromNamesString(cipherSuiteNames) : null, CipherSuiteSelector.fromString(cipherSuiteFilter))); if (!protocols.isEmpty()) { List list = new ArrayList<>(); @@ -1496,7 +1608,8 @@ protected ValueSupplier getValueSupplier(ServiceBuilder )); } builder.setClientMode(true) - .setWrap(false); + .setWrap(false) + .setAcceptOCSPStapling(acceptOCSPStapling); if (ROOT_LOGGER.isTraceEnabled()) { ROOT_LOGGER.tracef( 
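Review bot: Inside the supplier the responder certificate is fetched unconditionally whenever `acceptOCSPStapling` is true, but `ACCEPT_OCSP_RESPONDER_KEYSTORE` and `ACCEPT_OCSP_RESPONDER_CERTIFICATE` are optional, so with neither set `getModifiableKeyStoreService(context, null)` runs, and when the alias is missing from the store `KeyStore.getCertificate` returns null and `setOcspResponderCert(null)` is applied silently. Guard the lookup on both values being present and fail the start with an explicit message when the alias resolves to nothing. The supplier also captures the `OperationContext` and uses it at service start in `getModifiableTrustManagerService` and `getModifiableKeyStoreService`; if start can run after the operation has completed the context is no longer valid, so the key-store services should be resolved during the add step — confirm against the service lifecycle. `findProvider` can hand a null provider to `TrustManagerFactory.getInstance`, which then throws IllegalArgumentException instead of the subsystem's unableToCreateManagerFactory message, and `createTrustManagerFactory` from the later hunk, which produces that message, is not used here. getValueSupplier continues outside the hunk.
```java
if (acceptOCSPStapling) {
    // … unchanged: trust manager factory lookup and revocationBuilder setup …
    if (responderKeystore != null && responderCertAlias != null) {
        final java.security.cert.Certificate responderCert = getModifiableKeyStoreService(context, responderKeystore)
                .getModifiableValue().getCertificate(responderCertAlias);
        if (!(responderCert instanceof X509Certificate)) {
            // TODO replace with a ROOT_LOGGER message once one exists
            throw new StartException("OCSP responder certificate alias not found or not X.509: " + responderCertAlias);
        }
        revocationBuilder.setOcspResponderCert((X509Certificate) responderCert);
    }
    // … unchanged: setCheckRevocation, setSoftFail, build …
}
```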
@@ -1689,4 +1802,55 @@ public InjectedValue getPathManagerInjector() { } } + private static TrustManagerFactory createTrustManagerFactory(Provider[] providers, String providerName, String algorithm) throws StartException { + TrustManagerFactory trustManagerFactory = null; + + if (providers != null) { + for (Provider current : providers) { + if (providerName == null || providerName.equals(current.getName())) { + try { + // TODO - We could check the Services within each Provider to check there is one of the required type/algorithm + // However the same loop would need to remain as it is still possible a specific provider can't create it. + return TrustManagerFactory.getInstance(algorithm, current); + } catch (NoSuchAlgorithmException ignored) { + } + } + } + if (trustManagerFactory == null) + throw ROOT_LOGGER.unableToCreateManagerFactory(TrustManagerFactory.class.getSimpleName(), algorithm); + } + + try { + return TrustManagerFactory.getInstance(algorithm); + } catch (NoSuchAlgorithmException e) { + throw new StartException(e); + } + } + + public static ModifiableKeyStoreService getModifiableTrustManagerService(OperationContext context, String trustManagerName) throws OperationFailedException { + ServiceRegistry serviceRegistry = context.getServiceRegistry(false); + RuntimeCapability runtimeCapability = TRUST_MANAGER_RUNTIME_CAPABILITY.fromBaseCapability(trustManagerName); + ServiceName serviceName = runtimeCapability.getCapabilityServiceName(); + + ServiceController serviceContainer = getRequiredService(serviceRegistry, serviceName, TrustManager.class); + ServiceController.State serviceState = serviceContainer.getState(); + if (serviceState != ServiceController.State.UP) { + throw ROOT_LOGGER.requiredServiceNotUp(serviceName, serviceState); + } + + String keyStoreName = null; + Set serviceNames = serviceContainer.requires(); + for(ServiceName name : serviceNames) { + if (name.getCanonicalName().contains(KEY_STORE_CAPABILITY)) { + keyStoreName = 
(name).getCanonicalName().substring(KEY_STORE_CAPABILITY.length() + 1); + } + } + + if (keyStoreName == null) { + throw ROOT_LOGGER.unableToLoadKeystoreCapabilityService(); + } else { + return getModifiableKeyStoreService(context, keyStoreName); + } + } + } diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java b/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java index cd8592d815e..5596a3556f5 100644 --- a/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java +++ b/elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java 
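Review bot: In `createTrustManagerFactory` the local `trustManagerFactory` is never assigned, so `if (trustManagerFactory == null)` after the loop is always true and the variable is dead; the method is also not called from the client-context code in the earlier hunk (-1475), which uses `findProvider` instead, so either wire it in there or drop it. `getModifiableTrustManagerService` recovers the key-store name with `contains(KEY_STORE_CAPABILITY)` followed by `substring(KEY_STORE_CAPABILITY.length() + 1)`, which silently yields a garbled name if the capability string is not a prefix of the service name, and the loop keeps the last match instead of stopping at the first; use `if (name.getCanonicalName().startsWith(KEY_STORE_CAPABILITY + ".")) { keyStoreName = ...; break; }`. The method returns a `ModifiableKeyStoreService`, not a trust manager service, and throws unableToLoadKeystoreCapabilityService for any trust manager that is not backed by a key-store dependency; a Javadoc with `@return the key-store service the named trust manager depends on` and an `@throws` line for that case would make the contract clear, and `static` package-private access suffices since the class is package-private.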
@@ -180,6 +180,30 @@ class TlsParser { .addAttribute(SSLDefinitions.FINAL_PRINCIPAL_TRANSFORMER) .addAttribute(SSLDefinitions.REALM_MAPPER); + private PersistentResourceXMLBuilder serverSslContextPreviewParser_18_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(SERVER_SSL_CONTEXT)) + .setXmlWrapperElement(SERVER_SSL_CONTEXTS) + .setMarshallDefaultValues(true) + .addAttribute(SSLDefinitions.SECURITY_DOMAIN) + .addAttribute(SSLDefinitions.CIPHER_SUITE_FILTER) + .addAttribute(SSLDefinitions.CIPHER_SUITE_NAMES) + .addAttribute(SSLDefinitions.PROTOCOLS) + .addAttribute(SSLDefinitions.WANT_CLIENT_AUTH) + .addAttribute(SSLDefinitions.NEED_CLIENT_AUTH) + .addAttribute(SSLDefinitions.AUTHENTICATION_OPTIONAL) + .addAttribute(SSLDefinitions.USE_CIPHER_SUITES_ORDER) + .addAttribute(SSLDefinitions.MAXIMUM_SESSION_CACHE_SIZE) + .addAttribute(SSLDefinitions.SESSION_TIMEOUT) + .addAttribute(SSLDefinitions.WRAP) + .addAttribute(SSLDefinitions.KEY_MANAGER) + .addAttribute(SSLDefinitions.TRUST_MANAGER) + .addAttribute(SSLDefinitions.PROVIDERS) + .addAttribute(SSLDefinitions.PROVIDER_NAME) + .addAttribute(SSLDefinitions.PRE_REALM_PRINCIPAL_TRANSFORMER) + .addAttribute(SSLDefinitions.POST_REALM_PRINCIPAL_TRANSFORMER) + .addAttribute(SSLDefinitions.FINAL_PRINCIPAL_TRANSFORMER) + .addAttribute(SSLDefinitions.REALM_MAPPER) + .addAttribute(SSLDefinitions.OCSP_STAPLING); // new OCSP_STAPLING element + private PersistentResourceXMLBuilder clientSslContextParser = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT)) .setXmlWrapperElement(CLIENT_SSL_CONTEXTS) .addAttribute(SSLDefinitions.SECURITY_DOMAIN) 
@@ -224,6 +248,28 @@ class TlsParser {
 .addAttribute(SSLDefinitions.PROVIDERS)
 .addAttribute(SSLDefinitions.PROVIDER_NAME);
+ private PersistentResourceXMLBuilder clientSslContextParserPreview_18_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT))
+ .setXmlWrapperElement(CLIENT_SSL_CONTEXTS)
+ .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
+ .addAttribute(SSLDefinitions.CIPHER_SUITE_FILTER)
+ .addAttribute(SSLDefinitions.CIPHER_SUITE_NAMES)
+ .addAttribute(SSLDefinitions.PROTOCOLS)
+ .addAttribute(SSLDefinitions.WANT_CLIENT_AUTH)
+ .addAttribute(SSLDefinitions.NEED_CLIENT_AUTH)
+ .addAttribute(SSLDefinitions.AUTHENTICATION_OPTIONAL)
+ .addAttribute(SSLDefinitions.USE_CIPHER_SUITES_ORDER)
+ .addAttribute(SSLDefinitions.MAXIMUM_SESSION_CACHE_SIZE)
+ .addAttribute(SSLDefinitions.SESSION_TIMEOUT)
+ .addAttribute(SSLDefinitions.WRAP)
+ .addAttribute(SSLDefinitions.KEY_MANAGER)
+ .addAttribute(SSLDefinitions.TRUST_MANAGER)
+ .addAttribute(SSLDefinitions.PROVIDERS)
+ .addAttribute(SSLDefinitions.PROVIDER_NAME)
+ .addAttribute(SSLDefinitions.ACCEPT_OCSP_STAPLING) //new
+ .addAttribute(SSLDefinitions.OCSP_STAPLING_SOFT_FAIL) // new
+ .addAttribute(SSLDefinitions.ACCEPT_OCSP_RESPONDER_KEYSTORE) // new
+ .addAttribute(SSLDefinitions.ACCEPT_OCSP_RESPONDER_CERTIFICATE); //new
+
 private PersistentResourceXMLBuilder certificateAuthorityAccountParser = PersistentResourceXMLDescription.builder(PathElement.pathElement(CERTIFICATE_AUTHORITY_ACCOUNT))
 .setXmlWrapperElement(CERTIFICATE_AUTHORITY_ACCOUNTS)
 .addAttribute(CertificateAuthorityAccountDefinition.CERTIFICATE_AUTHORITY)
@@ -371,4 +417,20 @@ public void marshallSingleElement(AttributeDefinition attribute, ModelNode mappi
 .addChild(serverSslSniContextParser)
 .addChild(dynamicClientSslContextParser) // new
 .build();
+
+ final PersistentResourceXMLDescription tlsParserPreview_18_0 = decorator(TLS)
+ .addChild(decorator(KEY_STORES)
+ .addChild(keyStoreParser)
+ .addChild(ldapKeyStoreParser)
+ .addChild(filteringKeyStoreParser)
+ )
+ .addChild(keyManagerParser_12_0)
+ .addChild(trustManagerParser_14_0)
+ .addChild(serverSslContextPreviewParser_18_0) // new parser with ocsp_stapling
+ .addChild(clientSslContextParserPreview_18_0) // new parser with ocsp_stapling
+ .addChild(certificateAuthorityParser)
+ .addChild(certificateAuthorityAccountParser)
+ .addChild(serverSslSniContextParser)
+ .addChild(dynamicClientSslContextParser)
+ .build();
 }
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java b/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java
index 63dd86dfe36..e62e44c18f6 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java
@@ -45,7 +45,11 @@ void setValueSupplier(ValueSupplier valueSupplier) {
 @Override
 public void start(StartContext context) throws StartException {
- value = checkNotNullParam("valueSupplier", valueSupplier).get();
+ try {
+ value = checkNotNullParam("valueSupplier", valueSupplier).get();
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
 if (valueConsumer != null) {
 valueConsumer.accept(value);
 }
@@ -69,7 +73,7 @@ public T getValue() throws IllegalStateException, IllegalArgumentException {
 @FunctionalInterface
 interface ValueSupplier {
- T get() throws StartException;
+ T get() throws Exception;
 default void dispose() {}
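Review bot: The added catch in TrivialService.start turns every failure of the supplier into an unchecked `RuntimeException`, including a `StartException` that a supplier throws deliberately and any unchecked exception it already throws, even though `start` is declared `throws StartException` and that is the failure type MSC callers are written to receive. Rethrow the checked type and wrap only the rest: `} catch (StartException e) { throw e; } catch (Exception e) { throw new StartException(e); }` (this assumes jboss-msc's cause-taking `StartException` constructor, which I believe exists). Widening `ValueSupplier.get()` to `throws Exception` in the second hunk is what makes the catch necessary; a Javadoc line on `get()` such as `Any checked exception thrown here is reported as a service start failure.` would record that contract for implementors. The closing brace of `start` lies outside the first hunk.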
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
index 5a1390105c3..84b39549042 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
@@ -732,5 +732,7 @@ public interface ElytronSubsystemMessages extends BasicLogger {
 *
 * If no suitable section is available add a new section.
 */
+ @Message(id = 1221, value = "Unable to load keystore capability service from trustManager")
+ OperationFailedException unableToLoadKeystoreCapabilityService();
 }
diff --git a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
index 36d6297c7e5..aa1aa1edfd1 100644
--- a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
+++ b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
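Review bot: The new message id 1221 takes no argument, so the resulting `OperationFailedException` cannot say which trust manager or capability reference failed to resolve, which is the first thing an operator needs when the server-ssl-context operation fails. A parameterised form, `@Message(id = 1221, value = "Unable to load keystore capability service from trust manager '%s'")` with `OperationFailedException unableToLoadKeystoreCapabilityService(String trustManagerName);`, costs one extra argument at the single visible call site (the hunk at the top of this chunk, whose start is outside the view). The declaration is also appended after the closing `*/` of the comment that asks for new ids to be placed in a suitable section; if the file groups ids by range, this one presumably belongs inside the 12xx block rather than at the very end.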
@@ -1386,6 +1386,10 @@ elytron.client-ssl-context.key-refresh=Refresh KeyManager used by SSLContext.
 elytron.client-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext.
 elytron.client-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext.
 elytron.client-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext.
+elytron.client-ssl-context.accept-ocsp-stapling=Indicates whether the client would accept OCSP stapled responses fom the model or not.
+elytron.client-ssl-context.ocsp-stapling-soft-fail=Determines client behaviour upon receiving an unknown OCSP-stapled response from the server.
+elytron.client-ssl-context.responder-certificate=The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate in validation.
+elytron.client-ssl-context.responder-keystore=The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined.
 # Runtime Attributes
 elytron.client-ssl-context.active-session-count=The count of current active sessions.
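Review bot: `accept-ocsp-stapling` reads "OCSP stapled responses fom the model", which has a typo and does not say where the stapled response comes from; the identical sentence appears again in the wildfly-elytron_preview_18_0.xsd hunk further down, so both copies need the same fix, presumably `Indicates whether the client accepts OCSP stapled responses from the server.`. `ocsp-stapling-soft-fail` says only that it "determines client behaviour" without stating which value does what; because this flag decides whether a handshake continues when the stapled revocation status is unknown, the description should name both outcomes, e.g. `If true the handshake continues when the stapled OCSP status is unknown; if false it fails.` — confirm the true/false meaning against the implementation before wording it. `responder-certificate` here says "issuer of certificate in validation" while the xsd copy says "issuer of certificate being validated"; one wording should be used in both places.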
@@ -1521,6 +1525,13 @@ elytron.server-ssl-context.ssl-session.peer-certificates.signature-algorithm=The
 elytron.server-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate.
 elytron.server-ssl-context.ssl-session.peer-certificates.version=The certificate version.
+elytron.server-ssl-context.ocsp-stapling=Support for OCSP Stapling for server ssl context.
+elytron.server-ssl-context.ocsp-stapling.response-timeout=Enables online certificate status protocol Stapling for the server SSL context.
+elytron.server-ssl-context.ocsp-stapling.cache-size=Controls the maximum cache size in entries.
+elytron.server-ssl-context.ocsp-stapling.cache-lifetime=Controls the maximum life of a cached response in seconds.
+elytron.server-ssl-context.ocsp-stapling.responder-uri=The responder to contact in case the certificate used by the server does not have the Authority Info Access (AIA) extension. This does not override the AIA extension value unless "responder-override" is set to true.
+elytron.server-ssl-context.ocsp-stapling.responder-override=Determines whether the Authority information from the AIA extension value would be overridden by the value of the `responderURI`.
+elytron.server-ssl-context.ocsp-stapling.ignore-extensions=determines whether the forwarding of OCSP extensions specified in the "status_request" or "status_request_v2" TLS extensions is disabled or not.
 # Operations
 elytron.server-ssl-context.ssl-session.invalidate=Invalidate the SSLSession (Note: This does not terminate current connections, only prevents future connections from joining or resuming this session).
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
index 10545bd6ff8..1f019a259c8 100644
--- a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
+++ b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
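Review bot: `elytron.server-ssl-context.ocsp-stapling.response-timeout` is described as "Enables online certificate status protocol Stapling for the server SSL context", which is the description of the parent `ocsp-stapling` attribute, not of the timeout; the xsd hunk below carries the intended text, `Controls the maximum amount of time in millisecond the server will use to obtain OCSP responses, whether from the cache or by contacting an OCSP responder.`, and the property should say the same. `responder-override` refers to `responderURI`, but the sibling attribute is spelled `responder-uri` in this file; naming it as it is spelled keeps operators from looking for a name that does not exist. `ignore-extensions` starts with a lowercase "determines", unlike every other entry in the hunk.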
@@ -5145,6 +5145,9 @@ Definitions of a single server side SSLContext. + + + @@ -5298,6 +5301,61 @@ + + + + Enables online certificate status protocol Stapling for the server SSL context. + + + + + + Controls the maximum amount of time in millisecond the server will use to obtain OCSP responses, + whether from the cache or by contacting an OCSP responder. + + + + + + + Controls the maximum cache size in entries. + + + + + + + Controls the maximum life of a cached response in seconds. + + + + + + + The responder to contact in case the certificate used by the server does + not have the Authority Info Access (AIA) extension. This does not override + the AIA extension value unless "responder-override" is set to true. + + + + + + + Determines whether the Authority information from the AIA extension + value would be overridden by the value of the `responderURI`. + + + + + + + determines whether the forwarding of OCSP extensions specified in the + "status_request" or "status_request_v2" TLS extensions is disabled or not. + + + + + @@ -5372,6 +5430,34 @@ + + + + Indicates whether the client would accept OCSP stapled responses fom the model or not. + + + + + + + Indicates the behaviour of the client when the stapled status of the server's certificate is unknown. + + + + + + + The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate being validated. + + + + + + + The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. + + + @@ -6438,4 +6524,4 @@ - + \ No newline at end of file diff --git a/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java b/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java index f84d56bd908..5c4a26b7780 100644 --- a/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java +++ b/elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java 
@@ -27,6 +27,7 @@ import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Calendar;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -59,6 +60,7 @@ import org.jboss.as.controller.security.CredentialReference;
 import org.jboss.as.subsystem.test.AbstractSubsystemTest;
 import org.jboss.as.subsystem.test.KernelServices;
+import org.jboss.as.version.Stability;
 import org.jboss.dmr.ModelNode;
 import org.jboss.msc.service.ServiceController;
 import org.jboss.msc.service.ServiceName;
@@ -109,13 +111,15 @@ public class TlsTestCase extends AbstractSubsystemTest {
 private static final String NEGOTIATED_PROTOCOL = "negotiatedProtocol";
 private static final String INIT_TEST_FILE = "/trust-manager-reload-test.truststore";
+ private static final String INIT_TEST_SERVER_SSL_CONTEXT = "serverContext";
+ private static final String INIT_TEST_CLIENT_SSL_CONTEXT = "clientContext";
 private static final String INIT_TEST_TRUSTSTORE = "myTS";
 private static final String INIT_TEST_TRUSTMANAGER = "myTM";
 public static String disabledAlgorithms;
 public TlsTestCase() {
- super(ElytronExtension.SUBSYSTEM_NAME, new ElytronExtension());
+ super(ElytronExtension.SUBSYSTEM_NAME, new ElytronExtension(), Stability.PREVIEW);
 }
 private KernelServices services = null;
@@ -328,7 +332,7 @@ public void prepare() throws Throwable {
 if (services != null) return;
 String subsystemXml;
 subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
- services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
+ services = super.createKernelServicesBuilder(new TestEnvironment(Stability.PREVIEW)).setSubsystemXmlResource(subsystemXml).build();
 if (!services.isSuccessfulBoot()) {
 if (services.getBootError() != null) {
 Assert.fail(services.getBootError().toString());
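Review bot: Passing `Stability.PREVIEW` to the `TlsTestCase` constructor and to `new TestEnvironment(Stability.PREVIEW)` in `prepare()` moves every test in this class to preview stability, so nothing in the class exercises the default-stability parser and model registration any more; if that coverage is meant to be kept, the new OCSP-stapling tests could run against a separate preview fixture while the existing tests keep the default. The `prepare()` body and the rest of the class continue outside these hunks. A one-line comment on the constructor, `// PREVIEW: the ocsp-stapling attributes are only registered at preview stability`, would record why the whole class was moved, assuming that is the reason.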
@@ -644,6 +648,53 @@ public void testOcspSimple() {
 MatcherAssert.assertThat(trustManager, CoreMatchers.instanceOf(X509RevocationTrustManager.class));
 }
+ @Test
+ public void testOcspStaplingServerSimple() {
+ ModelNode operation = new ModelNode();
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(ElytronDescriptionConstants.SERVER_SSL_CONTEXT, INIT_TEST_SERVER_SSL_CONTEXT);
+ operation.get(ClientConstants.OP).set(ClientConstants.ADD);
+ operation.get(ElytronDescriptionConstants.KEY_MANAGER).set("ServerKeyManager");
+ operation.get(ElytronDescriptionConstants.PROVIDERS).set("ManagerProviderLoader");
+ Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING);
+ operation.get(ClientConstants.VALUE).set(Collections.emptySet());
+ Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.RESPONSE_TIMEOUT);
+ operation.get(ClientConstants.VALUE).set(2500);
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.CACHE_SIZE);
+ operation.get(ClientConstants.VALUE).set(512);
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.CACHE_LIFETIME);
+ operation.get(ClientConstants.VALUE).set(7200);
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.RESPONDER_URI);
+ operation.get(ClientConstants.VALUE).set("http://localhost:8080/ocsp");
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.RESPONDER_OVERRIDE);
+ operation.get(ClientConstants.VALUE).set(true);
+ operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
+ operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + ElytronDescriptionConstants.IGNORE_EXTENSIONS);
+ operation.get(ClientConstants.VALUE).set(true);
+ Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+ }
+
+// @Test
+ public void testOcspStaplingClientSimple() {
+ ModelNode operation = new ModelNode();
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(ElytronDescriptionConstants.CLIENT_SSL_CONTEXT, INIT_TEST_CLIENT_SSL_CONTEXT);
+ operation.get(ClientConstants.OP).set(ClientConstants.ADD);
+ operation.get(ElytronDescriptionConstants.TRUST_MANAGER).set("CaTrustManager");
+ operation.get(ElytronDescriptionConstants.PROVIDERS).set("ManagerProviderLoader");
+ operation.get(ElytronDescriptionConstants.ACCEPT_OCSP_STAPLING).set(true);
+ operation.get(ElytronDescriptionConstants.OCSP_STAPLING_SOFT_FAIL).set(true);
+ Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
+ }
+
 private SSLContext getSslContext(String contextName) {
 return getSslContext(contextName, true);
 }
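Review bot: In `testOcspStaplingServerSimple` only the last `write-attribute` is ever executed: the five blocks that set `ocsp-stapling.response-timeout`, `cache-size`, `cache-lifetime`, `responder-uri` and `responder-override` overwrite `NAME` and `VALUE` on the same `operation` node without calling `services.executeOperation`, so the test asserts nothing about those attributes and a rejected value for any of them would go unnoticed. Executing and asserting after each write through a small helper fixes this (sketch below). `testOcspStaplingClientSimple` has its `@Test` commented out, leaving a dead test in the suite; either enable it or remove it with a comment stating why it cannot run yet. `set(Collections.emptySet())` for the `ocsp-stapling` value presumably resolves to the `Collection<ModelNode>` overload; `setEmptyObject()` would state the intent of an empty complex attribute more directly — confirm which form the attribute expects.
```java
        // … unchanged: add of INIT_TEST_SERVER_SSL_CONTEXT and the empty ocsp-stapling write …
        writeOcspStaplingAttribute(ElytronDescriptionConstants.RESPONSE_TIMEOUT, new ModelNode(2500));
        writeOcspStaplingAttribute(ElytronDescriptionConstants.CACHE_SIZE, new ModelNode(512));
        writeOcspStaplingAttribute(ElytronDescriptionConstants.CACHE_LIFETIME, new ModelNode(7200));
        writeOcspStaplingAttribute(ElytronDescriptionConstants.RESPONDER_URI, new ModelNode("http://localhost:8080/ocsp"));
        writeOcspStaplingAttribute(ElytronDescriptionConstants.RESPONDER_OVERRIDE, new ModelNode(true));
        writeOcspStaplingAttribute(ElytronDescriptionConstants.IGNORE_EXTENSIONS, new ModelNode(true));
    }

    /** Writes one ocsp-stapling sub-attribute on the test server-ssl-context and asserts the outcome. */
    private void writeOcspStaplingAttribute(String attribute, ModelNode value) {
        ModelNode operation = new ModelNode();
        operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(ElytronDescriptionConstants.SERVER_SSL_CONTEXT, INIT_TEST_SERVER_SSL_CONTEXT);
        operation.get(ClientConstants.OP).set(ClientConstants.WRITE_ATTRIBUTE_OPERATION);
        operation.get(ClientConstants.NAME).set(ElytronDescriptionConstants.OCSP_STAPLING + "." + attribute);
        operation.get(ClientConstants.VALUE).set(value);
        Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
    }
```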
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml new file mode 100644 index 00000000000..37eab49a1e5 --- /dev/null +++ b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-preview-18.0.xml @@ -0,0 +1,404 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/pom.xml b/pom.xml index 0152d34b53b..14ae4a8564d 100644 --- a/pom.xml +++ b/pom.xml @@ -242,7 +242,7 @@ 2.2.2.SP01 ${version.org.wildfly.openssl.natives} ${version.org.wildfly.openssl.natives} - 2.5.0.Final + 2.5.1.CR1-SNAPSHOT 4.1.0.Final 3.0.3.Final 1.0.0.Final