Darran Lofthouse created WFCORE-5022:
----------------------------------------
Summary: The /subsystem=elytron/policy=* can be simplified a lot further
Key: WFCORE-5022
URL:
https://issues.redhat.com/browse/WFCORE-5022
Project: WildFly Core
Issue Type: Enhancement
Components: Security
Affects Versions: 12.0.1.Final
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 13.0.0.Beta1
At the moment this resource is quite verbose but the tasks it performs are very simple.
{code}
[standalone@localhost:9990 /] /subsystem=elytron/policy=*:read-resource-description
{
"outcome" => "success",
"result" => [{
"address" => [
("subsystem" => "elytron"),
("policy" => "*")
],
"outcome" => "success",
"result" => {
"description" => "A definition that sets up a policy
provider.",
"max-occurs" => 1,
"capabilities" => [{
"name" => "org.wildfly.security.policy",
"dynamic" => false
}],
"access-constraints" => {
"sensitive" => {"elytron-security" =>
{"type" => "elytron"}},
"application" => {"elytron-security" =>
{"type" => "elytron"}}
},
"attributes" => {
"custom-policy" => {
"type" => OBJECT,
"description" => "A custom policy provider
definition.",
"expressions-allowed" => false,
"required" => true,
"nillable" => true,
"alternatives" => ["jacc-policy"],
"value-type" => {
"class-name" => {
"type" => STRING,
"description" => "The name of a
java.security.Policy implementation referencing a policy provider.",
"expressions-allowed" => false,
"required" => true,
"nillable" => false,
"min-length" => 1L,
"max-length" => 2147483647L
},
"module" => {
"type" => STRING,
"description" => "The name of the module to
load the provider from.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"min-length" => 1L,
"max-length" => 2147483647L
}
},
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "no-services"
},
"default-policy" => {
"type" => STRING,
"description" => "Not used.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"min-length" => 1L,
"max-length" => 2147483647L,
"deprecated" => {
"since" => "1.2.0",
"reason" => "The 'default-policy'
attribute is ignored, as a policy resource should be configured with only one
policy."
},
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "no-services"
},
"jacc-policy" => {
"type" => OBJECT,
"description" => "A policy provider definition that
sets up JACC and related services.",
"expressions-allowed" => false,
"required" => true,
"nillable" => true,
"alternatives" => ["custom-policy"],
"value-type" => {
"policy" => {
"type" => STRING,
"description" => "The name of a
java.security.Policy implementation referencing a policy provider.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"default" =>
"org.wildfly.security.authz.jacc.JaccDelegatingPolicy",
"min-length" => 1L,
"max-length" => 2147483647L
},
"configuration-factory" => {
"type" => STRING,
"description" => "The name of a
javax.security.jacc.PolicyConfigurationFactory implementation referencing a policy
configuration factory provider.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"default" =>
"org.wildfly.security.authz.jacc.ElytronPolicyConfigurationFactory",
"min-length" => 1L,
"max-length" => 2147483647L
},
"module" => {
"type" => STRING,
"description" => "The name of the module to
load the provider from.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"min-length" => 1L,
"max-length" => 2147483647L
}
},
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "no-services"
}
},
"operations" => undefined,
"notifications" => undefined,
"children" => {}
}
}]
}
{code}
Firstly it only makes sense to have a single policy defined, the outcome of this resource
is JVM wide registration so multiple definitions would lead to undefined behaviour.
Secondly this provides two primary functions.
1. Instantation of
https://docs.oracle.com/javase/8/docs/api/java/security/Policy.html and
registration via a call to
https://docs.oracle.com/javase/8/docs/api/java/security/Policy.html#setPo...
This first point needs a class name for the policy as well as a module.
2. Registration of the JVM wide
https://jakarta.ee/specifications/platform/8/apidocs/javax/security/jacc/...
again needing a classname and module.
This is also not working correctly but the immediate bug is being addressed under
WFCORE-5020
The JACC APIs don't actually provide a nice way to register this so maybe this is
something we should also propose via the spec, but this piece is effectively a class name
and module name.
We have ended up with custom and jacc variants as alternatives. Really both variants are
optional but if the resource is defined at least one must be set.
It may make sense for JACC to move to it's own subsystem for a couple of reasons.
The JVM wide policy will likely need to be possible in both subsystems but use a
capability to ensure it is defined in only one. We probably should move it's
registration into the boot operations so registration is complete before DUPs begin.
The PolicyConfigurationFactory would then be in a JACC subsystem only. Again handling
during a boot operation may be preferable otherwise we see issues like WFLY-13615 but
failing that ensuring the deployment depend upon the registration happening may be
sufficient.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)