Migrating to Elytron

Between WildFly 11 and WildFly 25, the elytron and legacy security subsystems coexisted. The same is true for JBoss EAP 7.x.

The script below migrates a complete configuration to elytron and then removes the security subsystem.

batch

# Management
/core-service=management/management-interface=http-interface                    \
    :undefine-attribute(name=security-realm)
/core-service=management/management-interface=http-interface                    \
    :write-attribute(name=http-authentication-factory,                          \
                     value=management-http-authentication)
/core-service=management/management-interface=http-interface                    \
    :write-attribute(name=http-upgrade.sasl-authentication-factory,             \
                     value=management-sasl-authentication)

# Undertow
/subsystem=undertow/server=default-server/https-listener=https                  \
    :write-attribute(name=ssl-context, value=applicationSSC)
/subsystem=undertow/server=default-server/https-listener=https                  \
    :undefine-attribute(name=security-realm)

/subsystem=elytron/http-authentication-factory=application-http-authentication  \
    :add(security-domain=ApplicationDomain, http-server-mechanism-factory=global)
/subsystem=elytron/http-authentication-factory=application-http-authentication  \
    :write-attribute(                                                           \
        name=mechanism-configurations,                                          \
        value=[{mechanism-name=BASIC,                                           \
                mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker\
    :undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker\
    :write-attribute(name=http-authentication-factory,                          \
                     value=application-http-authentication)

# Remoting (SASL factory referenced by the http-remoting-connector below)
/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication  \
    :add(security-domain=ApplicationDomain, sasl-server-factory=configured)
/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication  \
    :write-attribute(                                                           \
        name=mechanism-configurations,                                          \
        value=[{mechanism-name=JBOSS-LOCAL-USER,                                \
                realm-mapper="local"},                                          \
               {mechanism-name=DIGEST-MD5,                                      \
                mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])
/subsystem=remoting/http-connector=http-remoting-connector                      \
    :undefine-attribute(name=security-realm)
/subsystem=remoting/http-connector=http-remoting-connector                      \
    :write-attribute(name=sasl-authentication-factory,                          \
                     value=application-sasl-authentication)

# Messaging
/subsystem=messaging-activemq/server=default                                    \
    :write-attribute(name=elytron-domain, value=ApplicationDomain)

# EJB3
/subsystem=ejb3/application-security-domain=other                               \
    :add(security-domain=ApplicationDomain)

# Cleaning
/core-service=management/security-realm=ApplicationRealm:remove
/core-service=management/security-realm=ManagementRealm:remove
/subsystem=security:remove

run-batch

Script tested on WildFly 22 and JBoss EAP 7.4.7 with the full profile. To run it against the default profile, remove the command that targets /subsystem=messaging-activemq.
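To check, before and after running the batch, that nothing in standalone.xml still points at the legacy realms, here is an added audit script that is not part of the original post; it parses the configuration with Python's standard library, and the embedded sample configuration, its placeholder schema versions and the command-line usage are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Legacy subsystem namespace prefix; the version suffix varies per release.
LEGACY_SECURITY_NS = "urn:jboss:domain:security:"

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_legacy_security(xml_text):
    """Return ([(element, name, realm), ...], legacy_subsystem_present).

    Every element still carrying a security-realm attribute (management
    interface, Undertow listener, http-invoker, Remoting connector) is listed;
    after a complete migration the list is empty and the flag is False.
    """
    root = ET.fromstring(xml_text)
    remaining = [(_local(e.tag), e.get("name"), e.get("security-realm"))
                 for e in root.iter() if e.get("security-realm") is not None]
    legacy_present = any(_local(e.tag) == "subsystem"
                         and e.tag.startswith("{" + LEGACY_SECURITY_NS)
                         for e in root.iter())
    return remaining, legacy_present

# Constructed pre-migration sample; schema version numbers are placeholders.
SAMPLE_PRE_MIGRATION = """\
<server xmlns="urn:jboss:domain:0.0">
  <management><management-interfaces>
    <http-interface security-realm="ManagementRealm"/>
  </management-interfaces></management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:2.0"/>
    <subsystem xmlns="urn:jboss:domain:remoting:0.0">
      <http-connector name="http-remoting-connector" security-realm="ApplicationRealm"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:0.0">
      <server name="default-server">
        <https-listener name="https" security-realm="ApplicationRealm"/>
      </server>
    </subsystem>
  </profile>
</server>
"""
if __name__ == "__main__":  # audit the file given on the command line, or the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PRE_MIGRATION
    remaining, legacy_present = audit_legacy_security(text)
    for element, name, realm in remaining:
        print(f"{element} {name or ''} still uses security-realm={realm}")
    print("legacy security subsystem still declared:", legacy_present)
```

Run it as `python audit.py standalone.xml` after the batch and a reload: any line it prints is a reference the batch missed, and the final flag must be False.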

This script is especially useful with JBoss EAP 7.4 now that it supports JDK 17 (>= 7.4.7): the legacy security domains are no longer supported as of JDK 14.