From 06236a7e7e5013daac63ea45c038ec1cae7d999c Mon Sep 17 00:00:00 2001
From: Leonidas Spyropoulos <artafinde@archlinux.org>
Date: Mon, 20 Dec 2021 18:18:21 +0000
Subject: [PATCH] keycloak: Update configuration for keycloak 16
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
---
 roles/keycloak/templates/standalone.xml.j2 | 570 ++++++++++-----------
 1 file changed, 264 insertions(+), 306 deletions(-)
diff --git a/roles/keycloak/templates/standalone.xml.j2 b/roles/keycloak/templates/standalone.xml.j2
index 6ef12dff6..409e1ff90 100644
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@@ -1,6 +1,6 @@
-<?xml version='1.0' encoding='UTF-8'?>
+<?xml version="1.0" ?>
-<server xmlns="urn:jboss:domain:16.0">
+<server xmlns="urn:jboss:domain:19.0">
 <extensions>
 <extension module="org.jboss.as.clustering.infinispan"/>
 <extension module="org.jboss.as.connector"/>
@@ -14,7 +14,6 @@
 <extension module="org.jboss.as.mail"/>
 <extension module="org.jboss.as.naming"/>
 <extension module="org.jboss.as.remoting"/>
- <extension module="org.jboss.as.security"/>
 <extension module="org.jboss.as.transactions"/>
 <extension module="org.jboss.as.weld"/>
 <extension module="org.keycloak.keycloak-server-subsystem"/>
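Review bot: The new declaration `<?xml version="1.0" ?>` drops the encoding that the old line carried, so a parser now falls back to the default (UTF-8, or BOM sniffing) instead of being told what the file is. That is what the template is written in, so nothing breaks today, but the rendered values such as `{{ keycloak_db_name }}` can carry non-ASCII text and the explicit declaration kept the intended encoding unambiguous. I would keep it as `<?xml version="1.0" encoding="UTF-8"?>`; the remaining lines of this hunk only bump the server namespace version.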
@@ -29,31 +28,6 @@
 <extension module="org.wildfly.extension.undertow"/>
 </extensions>
 <management>
- <security-realms>
- <security-realm name="ManagementRealm">
- <authentication>
- <local default-user="$local" skip-group-loading="true"/>
- <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
- </authentication>
- <authorization map-groups-to-roles="false">
- <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
- </authorization>
- </security-realm>
- <security-realm name="ApplicationRealm">
- <server-identities>
- <ssl>
- <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
- </ssl>
- </server-identities>
- <authentication>
- <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
- <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
- </authentication>
- <authorization>
- <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
- </authorization>
- </security-realm>
- </security-realms>
 <audit-log>
 <formatters>
 <json-formatter name="json-formatter"/>
@@ -68,8 +42,8 @@
 </logger>
 </audit-log>
 <management-interfaces>
- <http-interface security-realm="ManagementRealm">
- <http-upgrade enabled="true"/>
+ <http-interface http-authentication-factory="management-http-authentication">
+ <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
 <socket-binding http="management-http"/>
 </http-interface>
 </management-interfaces>
@@ -84,8 +58,69 @@ </access-control> </management> <profile> + <subsystem xmlns="urn:jboss:domain:logging:8.0"> + <console-handler name="CONSOLE"> + <level name="INFO"/> + <formatter> + <named-formatter name="COLOR-PATTERN"/> + </formatter> + </console-handler> + <periodic-rotating-file-handler name="FILE" autoflush="true"> + <formatter> + <named-formatter name="PATTERN"/> + </formatter> + <file relative-to="jboss.server.log.dir" path="server.log"/> + <suffix value=".yyyy-MM-dd"/> + <append value="true"/> + </periodic-rotating-file-handler> + <logger category="com.arjuna"> + <level name="WARN"/> + </logger> + <logger category="io.jaegertracing.Configuration"> + <level name="WARN"/> + </logger> + <logger category="org.jboss.as.config"> + <level name="DEBUG"/> + </logger> + <logger category="sun.rmi"> + <level name="WARN"/> + </logger> + <root-logger> + <level name="INFO"/> + <handlers> + <handler name="CONSOLE"/> + <handler name="FILE"/> + </handlers> + </root-logger> + <formatter name="PATTERN"> + <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/> + </formatter> + <formatter name="COLOR-PATTERN"> + <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/> + </formatter> + </subsystem> <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/> <subsystem xmlns="urn:jboss:domain:core-management:1.0"/> + <subsystem xmlns="urn:jboss:domain:datasources:6.0"> + <datasources> + <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> + <connection-url>jdbc:postgresql://localhost:5432/{{ keycloak_db_name }}</connection-url> + <driver>postgresql</driver> + <security> + <user-name>{{ vault_keycloak_db_user }}</user-name> + <password>{{ vault_keycloak_db_password }}</password> + </security> + </datasource> + <drivers> + <driver name="postgresql" 
module="org.postgresql"> + <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class> + </driver> + <driver name="h2" module="com.h2database.h2"> + <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class> + </driver> + </drivers> + </datasources> + </subsystem> <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/> </subsystem> 
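Review bot: The Jinja values in the datasource block are interpolated raw: `{{ keycloak_db_name }}`, `{{ vault_keycloak_db_user }}` and `{{ vault_keycloak_db_password }}` go straight into element text, so a vault password containing `&` or `<` renders an ill-formed standalone.xml that the server cannot parse at boot. Passing them through Jinja's escape filter, e.g. `<password>{{ vault_keycloak_db_password | e }}</password>`, emits XML character references that the parser decodes back to the original value. The block is moved rather than new, but this commit rewrites it and is the natural place to fix it. The `h2` driver entry is also carried along although only `postgresql` is referenced by the datasource; if nothing else needs it, dropping it keeps the attack surface and the module list smaller.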
@@ -146,45 +181,148 @@ </thread-pool> </thread-pools> <default-security-domain value="other"/> + <application-security-domains> + <application-security-domain name="other" security-domain="ApplicationDomain"/> + </application-security-domains> <default-missing-method-permissions-deny-access value="true"/> <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <log-system-exceptions value="true"/> </subsystem> - <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/> - <subsystem xmlns="urn:jboss:domain:io:3.0"> - <worker name="default"/> - <buffer-pool name="default"/> - </subsystem> - <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/> - <subsystem xmlns="urn:jboss:domain:jca:5.0"> - <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/> - <bean-validation enabled="true"/> - <default-workmanager> - <short-running-threads> - <core-threads count="50"/> - <queue-length count="50"/> - <max-threads count="50"/> - <keepalive-time time="10" unit="seconds"/> - </short-running-threads> - <long-running-threads> - <core-threads count="50"/> - <queue-length count="50"/> - <max-threads count="50"/> - <keepalive-time time="10" unit="seconds"/> - </long-running-threads> - </default-workmanager> - <cached-connection-manager/> - </subsystem> - <subsystem xmlns="urn:jboss:domain:jmx:1.3"> - <expose-resolved-model/> - <expose-expression-model/> - <remoting-connector/> - </subsystem> - <subsystem xmlns="urn:jboss:domain:jpa:1.1"> - <jpa default-extended-persistence-inheritance="DEEP"/> + <subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> + <providers> + <aggregate-providers name="combined-providers"> + <providers name="elytron"/> + <providers name="openssl"/> + </aggregate-providers> + <provider-loader name="elytron" module="org.wildfly.security.elytron"/> + <provider-loader name="openssl" module="org.wildfly.openssl"/> + </providers> + 
<audit-logging> + <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/> + </audit-logging> + <security-domains> + <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper"> + <realm name="ManagementRealm" role-decoder="groups-to-roles"/> + <realm name="local" role-mapper="super-user-mapper"/> + </security-domain> + <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper"> + <realm name="ApplicationRealm" role-decoder="groups-to-roles"/> + <realm name="local"/> + </security-domain> + </security-domains> + <security-realms> + <identity-realm name="local" identity="$local"/> + <properties-realm name="ApplicationRealm"> + <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/> + <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> + </properties-realm> + <properties-realm name="ManagementRealm"> + <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/> + <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/> + </properties-realm> + </security-realms> + <mappers> + <simple-permission-mapper name="default-permission-mapper" mapping-mode="first"> + <permission-mapping> + <principal name="anonymous"/> + <permission-set name="default-permissions"/> + </permission-mapping> + <permission-mapping match-all="true"> + <permission-set name="login-permission"/> + <permission-set name="default-permissions"/> + </permission-mapping> + </simple-permission-mapper> + <constant-realm-mapper name="local" realm-name="local"/> + <simple-role-decoder name="groups-to-roles" attribute="groups"/> + <constant-role-mapper name="super-user-mapper"> + <role name="SuperUser"/> + </constant-role-mapper> + 
</mappers> + <permission-sets> + <permission-set name="login-permission"> + <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/> + </permission-set> + <permission-set name="default-permissions"> + <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/> + <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/> + <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/> + </permission-set> + </permission-sets> + <http> + <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global"> + <mechanism-configuration> + <mechanism mechanism-name="DIGEST"> + <mechanism-realm realm-name="ManagementRealm"/> + </mechanism> + </mechanism-configuration> + </http-authentication-factory> + <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global"> + <mechanism-configuration> + <mechanism mechanism-name="BASIC"> + <mechanism-realm realm-name="ApplicationRealm"/> + </mechanism> + </mechanism-configuration> + </http-authentication-factory> + <provider-http-server-mechanism-factory name="global"/> + </http> + <sasl> + <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain"> + <mechanism-configuration> + <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> + <mechanism mechanism-name="DIGEST-MD5"> + <mechanism-realm realm-name="ManagementRealm"/> + </mechanism> + </mechanism-configuration> + </sasl-authentication-factory> + <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain"> + <mechanism-configuration> + <mechanism 
mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> + <mechanism mechanism-name="DIGEST-MD5"> + <mechanism-realm realm-name="ApplicationRealm"/> + </mechanism> + </mechanism-configuration> + </sasl-authentication-factory> + <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron"> + <properties> + <property name="wildfly.sasl.local-user.default-user" value="$local"/> + <property name="wildfly.sasl.local-user.challenge-path" value="${jboss.server.temp.dir}/auth"/> + </properties> + </configurable-sasl-server-factory> + <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global"> + <filters> + <filter provider-name="WildFlyElytron"/> + </filters> + </mechanism-provider-filtering-sasl-server-factory> + <provider-sasl-server-factory name="global"/> + </sasl> + <tls> + <key-stores> + <key-store name="applicationKS"> + <credential-reference clear-text="password"/> + <implementation type="JKS"/> + <file path="application.keystore" relative-to="jboss.server.config.dir"/> + </key-store> + </key-stores> + <key-managers> + <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost"> + <credential-reference clear-text="password"/> + </key-manager> + </key-managers> + <server-ssl-contexts> + <server-ssl-context name="applicationSSC" key-manager="applicationKM"/> + </server-ssl-contexts> + </tls> </subsystem> - <subsystem xmlns="urn:jboss:domain:infinispan:12.0"> - <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan"> + <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/> + <subsystem xmlns="urn:jboss:domain:infinispan:13.0"> + <cache-container name="ejb" default-cache="passivation" marshaller="PROTOSTREAM" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan"> + <local-cache name="passivation"> + <locking isolation="REPEATABLE_READ"/> + <transaction mode="BATCH"/> + <file-store passivation="true" purge="false"/> 
+ </local-cache> + </cache-container> + <cache-container name="keycloak" marshaller="JBOSS" modules="org.keycloak.keycloak-model-infinispan"> <local-cache name="realms"> <heap-memory size="10000"/> </local-cache> @@ -207,15 +345,15 @@ </local-cache> <local-cache name="actionTokens"> <heap-memory size="-1"/> - <expiration max-idle="-1" interval="300000"/> + <expiration interval="300000" max-idle="-1"/> </local-cache> </cache-container> - <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server"> + <cache-container name="server" default-cache="default" marshaller="PROTOSTREAM" modules="org.wildfly.clustering.server"> <local-cache name="default"> <transaction mode="BATCH"/> </local-cache> </cache-container> - <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan"> + <cache-container name="web" default-cache="passivation" marshaller="PROTOSTREAM" modules="org.wildfly.clustering.web.infinispan"> <local-cache name="passivation"> <locking isolation="REPEATABLE_READ"/> <transaction mode="BATCH"/> @@ -227,14 +365,7 @@ </local-cache> <local-cache name="routing"/> </cache-container> - <cache-container name="ejb" aliases="sfsb" default-cache="passivation" modules="org.wildfly.clustering.ejb.infinispan"> - <local-cache name="passivation"> - <locking isolation="REPEATABLE_READ"/> - <transaction mode="BATCH"/> - <file-store passivation="true" purge="false"/> - </local-cache> - </cache-container> - <cache-container name="hibernate" modules="org.infinispan.hibernate-cache"> + <cache-container name="hibernate" marshaller="JBOSS" modules="org.infinispan.hibernate-cache"> <local-cache name="entity"> <heap-memory size="10000"/> <expiration max-idle="100000"/> 
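Review bot: The `<tls>` section of the new Elytron subsystem keeps the stock WildFly key material: `application.keystore` unlocked with `<credential-reference clear-text="password"/>` and a `key-manager` with `generate-self-signed-certificate-host="localhost"`, and the undertow hunk later in this patch binds the resulting `applicationSSC` to the `https` listener (the removed legacy `ApplicationRealm` had the same defaults, so this is not a regression, but it is the moment the settings become a real TLS endpoint). If TLS terminates at a reverse proxy and the https socket is not reachable from outside, that is harmless; if the port is exposed, the listener presents a self-signed localhost certificate guarded by a well-known keystore password, and the fix is a real certificate with the password held in a `credential-store` and referenced via `<credential-reference store="…" alias="…"/>`. A one-line comment above `<key-stores>` stating which of the two situations applies would save the next upgrade from guessing. The Elytron subsystem is complete within this hunk; the infinispan subsystem it is followed by continues past it.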
@@ -246,10 +377,44 @@
 <local-cache name="timestamps"/>
 </cache-container>
 </subsystem>
+ <subsystem xmlns="urn:jboss:domain:io:3.0">
+ <worker name="default"/>
+ <buffer-pool name="default"/>
+ </subsystem>
+ <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+ <subsystem xmlns="urn:jboss:domain:jca:5.0">
+ <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+ <bean-validation enabled="true"/>
+ <default-workmanager>
+ <short-running-threads>
+ <core-threads count="50"/>
+ <queue-length count="50"/>
+ <max-threads count="50"/>
+ <keepalive-time time="10" unit="seconds"/>
+ </short-running-threads>
+ <long-running-threads>
+ <core-threads count="50"/>
+ <queue-length count="50"/>
+ <max-threads count="50"/>
+ <keepalive-time time="10" unit="seconds"/>
+ </long-running-threads>
+ </default-workmanager>
+ <cached-connection-manager/>
+ </subsystem>
+ <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+ <expose-resolved-model/>
+ <expose-expression-model/>
+ <remoting-connector/>
+ </subsystem>
+ <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+ <jpa default-extended-persistence-inheritance="DEEP"/>
+ </subsystem>
 <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
 <web-context>auth</web-context>
 <providers>
- <provider>classpath:${jboss.home.dir}/providers/*</provider>
+ <provider>
+ classpath:${jboss.home.dir}/providers/*
+ </provider>
 </providers>
 <master-realm-name>master</master-realm-name>
 <scheduled-task-interval>900</scheduled-task-interval>
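Review bot: The `<provider>` element is now split across three lines, so its text node carries the surrounding newline and indentation rather than the bare `classpath:${jboss.home.dir}/providers/*`; inside element text that whitespace is data, and the change only works because the keycloak-server subsystem parser trims it (upstream Keycloak ships the same layout, so it presumably does). The previous one-line form `<provider>classpath:${jboss.home.dir}/providers/*</provider>` is unambiguous and I would keep it, since nothing else in the hunk depends on the reflow. The io, jaxrs, jca, jmx and jpa subsystems are moved verbatim from further down and need no change.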
@@ -328,65 +493,6 @@ <provider name="metrics-listener" enabled="true"/> </spi> </subsystem> - <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"> - <buffer-cache name="default"/> - <server name="default-server"> - <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/> - <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/> - <host name="default-host" alias="localhost"> - <location name="/" handler="welcome-content"/> - <http-invoker security-realm="ApplicationRealm"/> - </host> - </server> - <servlet-container name="default"> - <jsp-config/> - <websockets/> - </servlet-container> - <handlers> - <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> - </handlers> - </subsystem> - <subsystem xmlns="urn:jboss:domain:logging:8.0"> - <console-handler name="CONSOLE"> - <level name="INFO"/> - <formatter> - <named-formatter name="COLOR-PATTERN"/> - </formatter> - </console-handler> - <periodic-rotating-file-handler name="FILE" autoflush="true"> - <formatter> - <named-formatter name="PATTERN"/> - </formatter> - <file relative-to="jboss.server.log.dir" path="server.log"/> - <suffix value=".yyyy-MM-dd"/> - <append value="true"/> - </periodic-rotating-file-handler> - <logger category="com.arjuna"> - <level name="WARN"/> - </logger> - <logger category="io.jaegertracing.Configuration"> - <level name="WARN"/> - </logger> - <logger category="org.jboss.as.config"> - <level name="DEBUG"/> - </logger> - <logger category="sun.rmi"> - <level name="WARN"/> - </logger> - <root-logger> - <level name="INFO"/> - <handlers> - <handler name="CONSOLE"/> - <handler name="FILE"/> - </handlers> 
- </root-logger> - <formatter name="PATTERN"> - <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/> - </formatter> - <formatter name="COLOR-PATTERN"> - <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/> - </formatter> - </subsystem> <subsystem xmlns="urn:jboss:domain:mail:4.0"> <mail-session name="default" jndi-name="java:jboss/mail/Default"> <smtp-server outbound-socket-binding-ref="mail-smtp"/> @@ -397,7 +503,7 @@ <remote-naming/> </subsystem> <subsystem xmlns="urn:jboss:domain:remoting:4.0"> - <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/> + <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/> </subsystem> <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/> <subsystem xmlns="urn:jboss:domain:security-manager:1.0"> 
@@ -407,175 +513,6 @@ </maximum-set> </deployment-permissions> </subsystem> - <subsystem xmlns="urn:jboss:domain:security:2.0"> - <security-domains> - <security-domain name="other" cache-type="default"> - <authentication> - <login-module code="Remoting" flag="optional"> - <module-option name="password-stacking" value="useFirstPass"/> - </login-module> - <login-module code="RealmDirect" flag="required"> - <module-option name="password-stacking" value="useFirstPass"/> - </login-module> - </authentication> - </security-domain> - <security-domain name="jboss-web-policy" cache-type="default"> - <authorization> - <policy-module code="Delegating" flag="required"/> - </authorization> - </security-domain> - <security-domain name="jaspitest" cache-type="default"> - <authentication-jaspi> - <login-module-stack name="dummy"> - <login-module code="Dummy" flag="optional"/> - </login-module-stack> - <auth-module code="Dummy"/> - </authentication-jaspi> - </security-domain> - <security-domain name="jboss-ejb-policy" cache-type="default"> - <authorization> - <policy-module code="Delegating" flag="required"/> - </authorization> - </security-domain> - </security-domains> - </subsystem> - <subsystem xmlns="urn:jboss:domain:datasources:6.0"> - <datasources> - <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> - <connection-url>jdbc:postgresql://localhost:5432/{{ keycloak_db_name }}</connection-url> - <driver>postgresql</driver> - <security> - <user-name>{{ vault_keycloak_db_user }}</user-name> - <password>{{ vault_keycloak_db_password }}</password> - </security> - </datasource> - <drivers> - <driver name="postgresql" module="org.postgresql"> - <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class> - </driver> - <driver name="h2" module="com.h2database.h2"> - 
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class> - </driver> - </drivers> - </datasources> - </subsystem> - <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> - <providers> - <aggregate-providers name="combined-providers"> - <providers name="elytron"/> - <providers name="openssl"/> - </aggregate-providers> - <provider-loader name="elytron" module="org.wildfly.security.elytron"/> - <provider-loader name="openssl" module="org.wildfly.openssl"/> - </providers> - <audit-logging> - <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/> - </audit-logging> - <security-domains> - <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper"> - <realm name="ApplicationRealm" role-decoder="groups-to-roles"/> - <realm name="local"/> - </security-domain> - <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper"> - <realm name="ManagementRealm" role-decoder="groups-to-roles"/> - <realm name="local" role-mapper="super-user-mapper"/> - </security-domain> - </security-domains> - <security-realms> - <identity-realm name="local" identity="$local"/> - <properties-realm name="ApplicationRealm"> - <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/> - <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> - </properties-realm> - <properties-realm name="ManagementRealm"> - <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/> - <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/> - </properties-realm> - </security-realms> - <mappers> - <simple-permission-mapper name="default-permission-mapper" 
mapping-mode="first"> - <permission-mapping> - <principal name="anonymous"/> - <permission-set name="default-permissions"/> - </permission-mapping> - <permission-mapping match-all="true"> - <permission-set name="login-permission"/> - <permission-set name="default-permissions"/> - </permission-mapping> - </simple-permission-mapper> - <constant-realm-mapper name="local" realm-name="local"/> - <simple-role-decoder name="groups-to-roles" attribute="groups"/> - <constant-role-mapper name="super-user-mapper"> - <role name="SuperUser"/> - </constant-role-mapper> - </mappers> - <permission-sets> - <permission-set name="login-permission"> - <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/> - </permission-set> - <permission-set name="default-permissions"> - <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/> - <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/> - <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/> - </permission-set> - </permission-sets> - <http> - <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global"> - <mechanism-configuration> - <mechanism mechanism-name="DIGEST"> - <mechanism-realm realm-name="ManagementRealm"/> - </mechanism> - </mechanism-configuration> - </http-authentication-factory> - <provider-http-server-mechanism-factory name="global"/> - </http> - <sasl> - <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain"> - <mechanism-configuration> - <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> - <mechanism mechanism-name="DIGEST-MD5"> - <mechanism-realm realm-name="ApplicationRealm"/> - </mechanism> - 
</mechanism-configuration> - </sasl-authentication-factory> - <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain"> - <mechanism-configuration> - <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> - <mechanism mechanism-name="DIGEST-MD5"> - <mechanism-realm realm-name="ManagementRealm"/> - </mechanism> - </mechanism-configuration> - </sasl-authentication-factory> - <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron"> - <properties> - <property name="wildfly.sasl.local-user.default-user" value="$local"/> - </properties> - </configurable-sasl-server-factory> - <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global"> - <filters> - <filter provider-name="WildFlyElytron"/> - </filters> - </mechanism-provider-filtering-sasl-server-factory> - <provider-sasl-server-factory name="global"/> - </sasl> - <tls> - <key-stores> - <key-store name="applicationKS"> - <credential-reference clear-text="password"/> - <implementation type="JKS"/> - <file path="application.keystore" relative-to="jboss.server.config.dir"/> - </key-store> - </key-stores> - <key-managers> - <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost"> - <credential-reference clear-text="password"/> - </key-manager> - </key-managers> - <server-ssl-contexts> - <server-ssl-context name="applicationSSC" key-manager="applicationKM"/> - </server-ssl-contexts> - </tls> - </subsystem> <subsystem xmlns="urn:jboss:domain:transactions:6.0"> <core-environment node-identifier="${jboss.tx.node.id:1}"> <process-id> 
@@ -586,6 +523,27 @@
 <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
 <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
 </subsystem>
+ <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+ <buffer-cache name="default"/>
+ <server name="default-server">
+ <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+ <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
+ <host name="default-host" alias="localhost">
+ <location name="/" handler="welcome-content"/>
+ <http-invoker http-authentication-factory="application-http-authentication"/>
+ </host>
+ </server>
+ <servlet-container name="default">
+ <jsp-config/>
+ <websockets/>
+ </servlet-container>
+ <handlers>
+ <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+ </handlers>
+ <application-security-domains>
+ <application-security-domain name="other" security-domain="ApplicationDomain"/>
+ </application-security-domains>
+ </subsystem>
 <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
 </profile>
 <interfaces>
@@ -608,4 +566,4 @@
 <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
 </outbound-socket-binding>
 </socket-binding-group>
-</server>
+</server>
\ No newline at end of file
--
GitLab
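Review bot: The re-added listeners lose `proxy-address-forwarding="true"`, which the removed undertow block set on both `http-listener` and `https-listener`; without it Undertow ignores the `X-Forwarded-For` / `X-Forwarded-Proto` headers from the reverse proxy, so Keycloak's event log and, I believe, its brute-force lockout see the proxy's address for every client, and requests the proxy forwards over plain HTTP are treated as non-HTTPS (generated redirect URIs and the realm's SSL-required check). Unless the service no longer sits behind a proxy, restore it: `<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>` and the same attribute on the `https-listener` line. The rest of the block matches the removed one apart from the Elytron wiring (`ssl-context`, `http-authentication-factory`, `application-security-domains`) that the commit intends, which looks right against the factories defined in the Elytron hunk.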