Support for multiple security realms - Distributed Identities

In Elytron

Overview

With PicketBox it was possible, by stacking LoginModules, to attempt authentication against one remote store and, if that failed, to try the next store in the list.

This RFE will implement a distributed security realm, which allows multiple security realms to be used for authentication by sequentially invoking the list of configured realms until a realm with an existing realm identity is found.

Issue Metadata

Issue

Dev Contacts

QE Contacts

Testing By

[ ] Engineering

[x] QE

Affected Projects or Components

  • WildFly (documentation)

  • WildFly Core

  • Elytron

Requirements

Hard Requirements

Add DistributedRealm to Elytron: a SecurityRealm wrapper containing a list of SecurityRealms, which are invoked sequentially until one succeeds.

<security-realms>
    ...
    <distributed-realm name="TheRealm" realms="realm1 realm2 realm3" />
</security-realms>

If any of the queried realms is unavailable (throws RealmUnavailableException), the exception is propagated and the query fails. E.g. the authentication information for the user "user" is stored in realm2. If realm1 is unavailable, querying the distributed-realm for "user" results in an exception, because the realms are queried sequentially and realm1 is consulted before realm2.
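The sequential lookup and the exception propagation described above, as an added example that is not Elytron's own implementation: it assumes the public Elytron SecurityRealm, RealmIdentity, RealmUnavailableException and SupportLevel API, and the class name SequentialRealm is hypothetical.

```java
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.List;

import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;

/**
 * Added sketch of the wrapper described above (hypothetical class, not Elytron's own).
 * Realms are queried in the order given by the "realms" attribute; the first realm
 * that knows the principal wins. A RealmUnavailableException thrown by any realm is
 * deliberately NOT caught, so an outage in realm1 fails the lookup even when the
 * user lives in realm2, exactly as the text above specifies.
 */
public final class SequentialRealm implements SecurityRealm {

    private final List<SecurityRealm> realms; // same order as "realm1 realm2 realm3"

    public SequentialRealm(List<SecurityRealm> realms) {
        this.realms = List.copyOf(realms);
    }

    @Override
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        for (SecurityRealm realm : realms) {
            RealmIdentity identity = realm.getRealmIdentity(principal); // may throw: propagated
            if (identity.exists()) {          // exists() may also throw RealmUnavailableException
                return identity;              // first realm with an existing identity wins
            }
            identity.dispose();               // release the non-existent handle, try the next realm
        }
        return RealmIdentity.NON_EXISTENT;    // no realm knows this principal
    }

    // Which credentials/evidence are usable is only known once a concrete realm has
    // answered, so the wrapper itself can promise no more than "possibly supported".
    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
            String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
        return SupportLevel.POSSIBLY_SUPPORTED;
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
            String algorithmName) throws RealmUnavailableException {
        return SupportLevel.POSSIBLY_SUPPORTED;
    }
}
```

Because the loop stops at the first existing identity, a principal present in both realm1 and realm2 is always resolved by realm1; ordering of the realms attribute is therefore a security decision, not just a performance one.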

Test Plan

Unit tests will be added to WildFly Elytron. Subsystem model tests (parsing, persisting, transformers) will be added to WildFly Core.

Community Documentation

distributed-realm documentation will be added to the WildFly documentation.