Support for multiple security realms - Failover

In  elytron

Overview

Our security realms are able to indicate unavailability by throwing a RealmUnavailableException

We should support fail over to an alternative realm.

A common request is fail over to a local file based realm if an LDAP or database server has gone down allowing administrators to retain access to the server.

Issue Metadata

Issue

Dev Contacts

QE Contacts

Testing By

[ ] Engineering

[x] QE

Affected Projects or Components

  • Wildfly (documentation)

  • Wildfly Core

  • Elytron

Requirements

Hard Requirements

Add FailoverRealm to Elytron, which will be a SecurityRealm wrapper containing delegate and failover realm. If the delegate throws a RealmUnavailableException during RealmIdentity lookup, it will be caught and failover realm will be used instead. Configuration in WFCore will look like following:

<security-realms>
    ...
    <failover-realm name="TheRealm" delegate-realm="LdapRealm" failover-realm="LocalRealm" />
    ...
</security-realms>

failover-realm will emit SecurityRealmUnavailableEvent to the corresponding SecurityDomain whenever it fails over. This can be turned off by adding emit-events attribute and setting it to false.

Test Plan

Tests will be added to Wildfly Elytron Subsystem test added to Wildfly Core (parsing, persisting, transformer)

Community Documentation

failover-realm documentation will be added to Wildfly documentation