[jboss-jira] [JBoss JIRA] (ELY-320) Potential simplification of FileSystemSecurityRealm
David Lloyd (JIRA)
issues at jboss.org
Thu Oct 8 06:56:00 EDT 2015
[ https://issues.jboss.org/browse/ELY-320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13116357#comment-13116357 ]
David Lloyd commented on ELY-320:
---------------------------------
Using two files seems less than ideal though. The advantage is that the user can use standard tools to update the attributes (with a text editor) and the keystore (using keytool or equivalent); the disadvantage is that updates to the realm cannot be atomic, leaving room for leftover files and other similar glitches.
A good approach may be to have a text file with a base64-encoded keystore as the header, and properties at the trailer - or vice-versa. Or even the keystore *as* a property, in base64 format.
> Potential simplification of FileSystemSecurityRealm
> ---------------------------------------------------
>
> Key: ELY-320
> URL: https://issues.jboss.org/browse/ELY-320
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Realms
> Reporter: David Lloyd
>
> An offhand comment by [~dlofthouse] got me thinking about a possibly major simplification and improvement to the file system realm.
> Right now it uses XML to store the identity and all its credentials; this is fairly complex and also not very secure.
> As an alternative approach, the realm could be rewritten to store each identity in two parts: authentication information and authorization information. The authentication information could consist of a KeyStore (probably a org.wildfly.security.keystore.WrappingPasswordKeyStore which could be enhanced to support modular crypt or another general format of password), whose aliases correspond to credential names. The authorization information could simply be a properties file which is loaded in to become Attributes. Recent identities could be cached for efficiency.
> This would massively simplify the realm implementation, and also improve the security of the stored credentials.
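The single-file layout suggested in the comment (identity attributes as properties, the credential keystore carried as one base64 property, updated atomically so the two-file cleanup problem goes away), as an added illustration that is not Elytron's code: it assumes a JCEKS keystore holding already-hashed credential bytes as a `RAW` SecretKeySpec, and a property name `elytron.keystore` chosen here for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical one-file identity store: attributes as properties, keystore as a base64 property. */
public final class SingleFileIdentity {
    static final String KEYSTORE_PROPERTY = "elytron.keystore"; // assumed name, not an Elytron key
    static final String KEYSTORE_TYPE = "JCEKS";               // stores SecretKeyEntry without a certificate

    /** Aliases are credential names; the bytes are an already-hashed credential (e.g. a modular-crypt string). */
    static void putCredential(KeyStore ks, String name, byte[] hashed, char[] storePass) throws Exception {
        ks.setEntry(name, new KeyStore.SecretKeyEntry(new SecretKeySpec(hashed, "RAW")),
                    new KeyStore.PasswordProtection(storePass));
    }

    /** Serialize keystore + attributes into one properties file, written via temp file and atomic rename. */
    static void save(Path file, Properties attrs, KeyStore ks, char[] storePass) throws Exception {
        ByteArrayOutputStream ksBytes = new ByteArrayOutputStream();
        ks.store(ksBytes, storePass);
        Properties all = new Properties();
        all.putAll(attrs);
        all.setProperty(KEYSTORE_PROPERTY, Base64.getEncoder().encodeToString(ksBytes.toByteArray()));
        Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), file.getFileName().toString(), ".tmp");
        try (OutputStream os = Files.newOutputStream(tmp)) {
            all.store(os, "identity"); // a partial write only ever affects the temp file
        }
        // rename is atomic on POSIX: a concurrent reader sees the old file or the new one, never a torn one
        Files.move(tmp, file, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
    }

    /** Split the file back into attributes (everything but the keystore property) and a KeyStore. */
    static KeyStore load(Path file, char[] storePass, Properties attrsOut) throws Exception {
        Properties all = new Properties();
        try (InputStream in = Files.newInputStream(file)) { all.load(in); }
        byte[] raw = Base64.getDecoder().decode(all.getProperty(KEYSTORE_PROPERTY));
        all.remove(KEYSTORE_PROPERTY);
        attrsOut.putAll(all);
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        ks.load(new ByteArrayInputStream(raw), storePass);
        return ks;
    }
}
```

A caller creates the store with `KeyStore.getInstance("JCEKS")` followed by `load(null, storePass)`, adds entries with `putCredential`, and calls `save`; `load` reverses the process so the attributes side can still be edited with a text editor while the credentials stay inside the keystore.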