Support the EE 8 Security API (JSR-375) with WildFly Elytron

In elytron ee

Table of Contents

Overview
Issue Metadata
Requirements
Implementation Plan
Test Plan
Community Documentation

Overview

This enhancement is adding support for the new Security API in Java EE 8 defined under JSR-375 with WildFly Elytron.

Issue Metadata

Issue

WFLY-7186

This enhancement depends on

WFLY-10810

Dev Contacts

Darran Lofthouse

QE Contacts

Affected Projects or Components

This enhancement makes use of the WildFly Elytron JASPI implementation and integration which is distributed across the following projects: - * WildFly Elytron * Elytron Web * WildFly Core * WildFly

Other Interested Projects

Requirements

Hard Requirements

Applications making use of JSR-375 should be deployable against a WildFly Elytron security domain and any authentication should result in the establishment of a WildFly Elytron SecurityIdentity.

Whilst it should be possible to load the identity from the SecurityDomain deployments can also make use of non-integrated mode for the underlying JASPI integration which will instead result in ad-hoc identities being created.

As a WildFly Elytron SecurityIdentity is established calls such as the following should obtain this identity: -

SecurityDomain.getCurrent().getCurrentSecurityIdentity();

Propagation of the established SecurityIdentity to other containers within the application server will be supported as normal.

Nice-to-Have Requirements

Non-Requirements

As JSR-375 makes use of identity stores defined in the deployments it will predominantly be used in non-integrated mode for JASPI which will mean features such as reloading an identity used in the batch subsystem or used for identity propagation will not be available.

As the establishment of the identity for JSR-375 happens late in the request handling automatic outflow from security domains can not be relied for identity propagation, instead inflow should be used on the target container.

Implementation Plan

No implementation is required to support this feature, support for JSR-375 has already been added to the application server and currently operates on top of the PicketBox JASPI implementation, once the WildFly Elytron JASPI implementation is merged support for the Security API on top of WildFly Elytron will be automatically available,

Test Plan

A small number of smoke tests will be added to the WildFly testsuite to verify the integration.

Beyond that testsuites such as the Soteria testsuite are available for more thorough test coverage so we don’t need to duplicate this.

Community Documentation

As this enhancement is adding support for an already documented specification the community documentation to be added will focus on specifics related to the integration with WildFly Elytron, for example the steps to deployment starting with a clean server configuration.