To spare you the configuration of the WildFly server (JDBC driver, datasource, SSL setup, security domain and deployment), I have provided a fully configured WildFly application server instance in the Download section as a shortcut for the impatient. The RBAC demo application is already deployed on this server instance. Download the provisioned server into a directory of your choice. The chosen database must be up and running.
Now I will explain the configuration of a pure WildFly 8.2 Application Server in detail.
- Start the server.
Open a terminal and change to <JBOSS_HOME>/bin. Now start the server by typing
wildfly-8.2.0.Final/bin$ ./standalone.sh --server-config=standalone-full.xml
A <JDK1.7+>/bin/java needs to be on the PATH; alternatively, set a JAVA_HOME environment variable.
- Add a Management user.
Open another terminal, change again to <JBOSS_HOME>/bin and type
wildfly-8.2.0.Final/bin$ ./add-user.sh
Follow the prompts and keep the default settings. This new user is not "going to be used for one AS process to connect to another AS process", hence answer 'no' to the last question. You can use this account to log into the management console of the server: http://localhost:9990/console/App.html
However, we will use the CLI (command line interface) for the configuration.
- Connect to the server.
Reuse the open terminal and type
./jboss-cli.sh --connect
[standalone@localhost:9990 /]
This connects you to the locally running server instance.
- JDBC driver and Datasource.
You'll have to specify the file path to a JAR containing the driver.
[standalone@localhost:9990 /] deploy <PATH_TO_JDBC_DRIVER>
[standalone@localhost:9990 /]
The next command lists the deployed JDBC drivers. We need this list because the datasource has to reference the driver by the name the server instance assigned to it:
[standalone@localhost:9990 /] /subsystem=datasources/:installed-drivers-list
{
"outcome" => "success",
"result" => [
{
"driver-name" => "mysql-connector-java-5.1.34-bin.jar_com.mysql.jdbc.Driver_5_1",
"deployment-name" => "mysql-connector-java-5.1.34-bin.jar_com.mysql.jdbc.Driver_5_1",
"driver-module-name" => undefined,
"module-slot" => undefined,
"driver-datasource-class-name" => undefined,
"driver-xa-datasource-class-name" => undefined,
"driver-class-name" => "com.mysql.jdbc.Driver",
"driver-major-version" => 5,
"driver-minor-version" => 1,
"jdbc-compliant" => false
},
{
"driver-name" => "postgresql-9.4-1201.jdbc41.jar",
"deployment-name" => "postgresql-9.4-1201.jdbc41.jar",
"driver-module-name" => undefined,
"module-slot" => undefined,
"driver-datasource-class-name" => undefined,
"driver-xa-datasource-class-name" => undefined,
"driver-class-name" => "org.postgresql.Driver",
"driver-major-version" => 9,
"driver-minor-version" => 4,
"jdbc-compliant" => false
},
{
"driver-name" => "h2",
"deployment-name" => undefined,
"driver-module-name" => "com.h2database.h2",
"module-slot" => "main",
"driver-datasource-class-name" => "",
"driver-xa-datasource-class-name" => "org.h2.jdbcx.JdbcDataSource",
"driver-class-name" => "org.h2.Driver",
"driver-major-version" => 1,
"driver-minor-version" => 3,
"jdbc-compliant" => true
},
{
"driver-name" => "mysql-connector-java-5.1.34-bin.jar_com.mysql.fabric.jdbc.FabricMySQLDriver_5_1",
"deployment-name" => "mysql-connector-java-5.1.34-bin.jar_com.mysql.fabric.jdbc.FabricMySQLDriver_5_1",
"driver-module-name" => undefined,
"module-slot" => undefined,
"driver-datasource-class-name" => undefined,
"driver-xa-datasource-class-name" => undefined,
"driver-class-name" => "com.mysql.fabric.jdbc.FabricMySQLDriver",
"driver-major-version" => 5,
"driver-minor-version" => 1,
"jdbc-compliant" => false
}
]
}
[standalone@localhost:9990 /]
In the case of the MySQL JDBC JAR, there are actually two drivers contained. We need the one without 'Fabric':
[standalone@localhost:9990 /] data-source add --name=dms_prototype --connection-url=jdbc:mysql://localhost:3306/rbac_test --jndi-name=java:/jdbc/DocumentBaseDS --driver-name=mysql-connector-java-5.1.34-bin.jar_com.mysql.jdbc.Driver_5_1 --user-name=rbac --password=changeit --max-pool-size=15 --min-pool-size=5
[standalone@localhost:9990 /]
Review your datasource configuration with
[standalone@localhost:9990 /] /subsystem=datasources/data-source=dms_prototype/:read-resource
{
"outcome" => "success",
"result" => {
"allocation-retry" => undefined,
"allocation-retry-wait-millis" => undefined,
"allow-multiple-users" => false,
"background-validation" => undefined,
"background-validation-millis" => undefined,
"blocking-timeout-wait-millis" => undefined,
"capacity-decrementer-class" => undefined,
"capacity-decrementer-properties" => undefined,
"capacity-incrementer-class" => undefined,
"capacity-incrementer-properties" => undefined,
"check-valid-connection-sql" => undefined,
"connection-listener-class" => undefined,
"connection-listener-property" => undefined,
"connection-properties" => undefined,
"connection-url" => "jdbc:mysql://localhost:3306/rbac_test",
"datasource-class" => undefined,
"driver-class" => undefined,
"driver-name" => "mysql-connector-java-5.1.34-bin.jar_com.mysql.jdbc.Driver_5_1",
"enabled" => true,
"exception-sorter-class-name" => undefined,
"exception-sorter-properties" => undefined,
"flush-strategy" => undefined,
"idle-timeout-minutes" => undefined,
"initial-pool-size" => undefined,
"jndi-name" => "java:/jdbc/DocumentBaseDS",
"jta" => true,
"max-pool-size" => 15,
"min-pool-size" => 5,
"new-connection-sql" => undefined,
"password" => "changeit",
"pool-prefill" => undefined,
"pool-use-strict-min" => undefined,
"prepared-statements-cache-size" => undefined,
"query-timeout" => undefined,
"reauth-plugin-class-name" => undefined,
"reauth-plugin-properties" => undefined,
"security-domain" => undefined,
"set-tx-query-timeout" => false,
"share-prepared-statements" => false,
"spy" => false,
"stale-connection-checker-class-name" => undefined,
"stale-connection-checker-properties" => undefined,
"track-statements" => "NOWARN",
"transaction-isolation" => undefined,
"url-delimiter" => undefined,
"url-selector-strategy-class-name" => undefined,
"use-ccm" => true,
"use-fast-fail" => false,
"use-java-context" => true,
"use-try-lock" => undefined,
"user-name" => "rbac",
"valid-connection-checker-class-name" => undefined,
"valid-connection-checker-properties" => undefined,
"validate-on-match" => false,
"statistics" => {
"jdbc" => undefined,
"pool" => undefined
}
}
}
[standalone@localhost:9990 /]
The datasource can be enabled, if necessary, by typing
[standalone@localhost:9990 /] /subsystem=datasources/data-source=dms_prototype/:enable
[standalone@localhost:9990 /]
- SSL setup.
First we need to create a key pair. Open another terminal, change to <JBOSS_HOME>/standalone/configuration, then type:
wildfly-8.2.0.Final/standalone/configuration$ export JAVA_HOME=/opt/java/jdk1.8.0_45
wildfly-8.2.0.Final/standalone/configuration$ ${JAVA_HOME}/bin/keytool -genkeypair -alias server -keyalg RSA -keystore server.keystore -validity 365 -storepass changeit -dname "cn=myserver" -keypass changeit
Done; switch back to the JBoss CLI. We need to create a security realm with a server identity:
[standalone@localhost:9990 /] /core-service=management/security-realm=MySecurityRealm/:add(map-groups-to-roles=true)
{"outcome" => "success"}
[standalone@localhost:9990 /]
Review the configuration just made:
[standalone@localhost:9990 /] /core-service=management/security-realm=MySecurityRealm/:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {
"map-groups-to-roles" => true,
"authentication" => undefined,
"authorization" => undefined,
"plug-in" => undefined,
"server-identity" => undefined
}
}
[standalone@localhost:9990 /]
The server identity still has to be defined. The next command uses the recently created keystore:
[standalone@localhost:9990 /] /core-service=management/security-realm=MySecurityRealm/server-identity=ssl:add(keystore-path=server.keystore, keystore-relative-to=jboss.server.config.dir, keystore-password=changeit, alias=server)
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@localhost:9990 /] reload
[standalone@localhost:9990 /]
Again, review the configuration just made:
[standalone@localhost:9990 /] /core-service=management/security-realm=MySecurityRealm/:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {
"map-groups-to-roles" => true,
"authentication" => undefined,
"authorization" => undefined,
"plug-in" => undefined,
"server-identity" => {"ssl" => {
"alias" => "server",
"enabled-cipher-suites" => undefined,
"enabled-protocols" => [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"key-password" => undefined,
"keystore-password" => "changeit",
"keystore-path" => "server.keystore",
"keystore-provider" => "JKS",
"keystore-relative-to" => "jboss.server.config.dir",
"protocol" => "TLS"
}}
}
}
[standalone@localhost:9990 /]
Next we create an HTTPS listener that references our security realm:
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/https-listener=ssl-listener-1/:add(socket-binding=https,security-realm=MySecurityRealm)
{"outcome" => "success"}
[standalone@localhost:9990 /]
Again, review the configuration just made:
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/https-listener=ssl-listener-1/:read-resource(recursive=false)
{
"outcome" => "success",
"result" => {
"allow-encoded-slash" => false,
"allow-equals-in-cookie-value" => false,
"always-set-keep-alive" => true,
"buffer-pipelined-data" => true,
"buffer-pool" => "default",
"decode-url" => true,
"enabled" => true,
"enabled-cipher-suites" => undefined,
"enabled-protocols" => undefined,
"max-buffered-request-size" => 16384,
"max-cookies" => 200,
"max-header-size" => 51200,
"max-headers" => 200,
"max-parameters" => 1000,
"max-post-size" => 10485760L,
"no-request-timeout" => -1,
"read-timeout" => undefined,
"receive-buffer" => undefined,
"record-request-start-time" => false,
"request-parse-timeout" => -1,
"resolve-peer-address" => false,
"security-realm" => "MySecurityRealm",
"send-buffer" => undefined,
"socket-binding" => "https",
"tcp-backlog" => undefined,
"tcp-keep-alive" => undefined,
"url-charset" => "UTF-8",
"verify-client" => "NOT_REQUESTED",
"worker" => "default",
"write-timeout" => undefined
}
}
[standalone@localhost:9990 /]
- Security Domain.
We need such a domain to protect the application. Type
[standalone@localhost:9990 /] /subsystem=security/security-domain=MyFormAuthentication/:add
{"outcome" => "success"}
[standalone@localhost:9990 /]
Now we have to specify the desired login module and its options. Like the datasource configuration, this depends on the particular database: the 'principalsQuery' and 'rolesQuery' module options are different for PostgreSQL:
[standalone@localhost:9990 /] /subsystem=security/security-domain=MyFormAuthentication/authentication=classic:add(login-modules=[{"code"=>"de.christofreichardt.jboss.login.SaltedPasswordLoginModule", "flag"=>"required", "module-options"=>["dsJndiName"=>"java:/jdbc/DocumentBaseDS","principalsQuery"=>"SELECT DISTINCT password, salt FROM useradmin WHERE snapshot = (SELECT MAX(id) FROM snapshot) AND disabled = 'N' AND failures < trials AND BINARY user = ?", "rolesQuery"=>"SELECT groupname FROM useradmin WHERE snapshot = (SELECT MAX(id) FROM snapshot) AND BINARY user = ?", "useFirstPass"=>"false"]}])
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@localhost:9990 /] reload
[standalone@localhost:9990 /]
- Deployment.
You'll need to enter the path to the RBAC distribution:
[standalone@localhost:9990 /] deploy -f <PATH_TO_RBAC_DISTRIBUTION>/RBAC/RBAC-web/target/RBAC-web-0.0.1-SNAPSHOT.war
[standalone@localhost:9990 /]
That's it. Everything needed is configured.
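As an added example (not code from the original post or from the WildFly project), here is a POSIX shell wrapper that performs the steps above (driver deployment, datasource, security realm with SSL server identity, HTTPS listener, security domain and deployment) from one jboss-cli script instead of typing them interactively, so the result can be reviewed before it is applied and reproduced on another machine. The CLI commands are the ones used above, with the MySQL queries from the page; JBOSS_HOME, the driver JAR path, the WAR path, the certificate cn and the passwords are assumptions exposed as environment variables, and the enabled-protocols write-attribute is a hardening step beyond the page that restricts the server identity to TLSv1.2 (the page leaves TLSv1 and TLSv1.1 enabled).

```shell
#!/bin/sh
# Added example, not part of the original post or the WildFly project: runs the
# configuration steps of the page non-interactively through a jboss-cli script.
# Every default below is the page's sample value or a placeholder (assumption)
# meant to be overridden through the environment.

JBOSS_HOME="${JBOSS_HOME:-$HOME/wildfly-8.2.0.Final}"
JDBC_DRIVER_JAR="${JDBC_DRIVER_JAR:-/path/to/mysql-connector-java-5.1.34-bin.jar}"   # placeholder
DRIVER_NAME="${DRIVER_NAME:-mysql-connector-java-5.1.34-bin.jar_com.mysql.jdbc.Driver_5_1}"  # from :installed-drivers-list
DB_URL="${DB_URL:-jdbc:mysql://localhost:3306/rbac_test}"
DB_USER="${DB_USER:-rbac}"
DB_PASSWORD="${DB_PASSWORD:-changeit}"
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-changeit}"
SERVER_CN="${SERVER_CN:-myserver}"
RBAC_WAR="${RBAC_WAR:-/path/to/RBAC/RBAC-web/target/RBAC-web-0.0.1-SNAPSHOT.war}"   # placeholder

# Refuse to run while a placeholder path is still in place; returns 1 on any leftover.
check_config() {
    for v in "$JDBC_DRIVER_JAR" "$RBAC_WAR"; do
        case "$v" in
            /path/to/*) echo "placeholder not replaced: $v" >&2; return 1 ;;
        esac
    done
    return 0
}

# Same keytool call as on the page, plus an explicit 2048-bit key size.
make_keystore() {
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -keystore "${JBOSS_HOME}/standalone/configuration/server.keystore" \
        -validity 365 -storepass "$KEYSTORE_PASSWORD" -keypass "$KEYSTORE_PASSWORD" \
        -dname "cn=${SERVER_CN}"
}

# Emit the CLI script as text. Order and reload points follow the page: the
# realm's SSL identity and the security domain both report reload-required.
generate_cli_script() {
    cat <<EOF
deploy ${JDBC_DRIVER_JAR}
data-source add --name=dms_prototype --connection-url=${DB_URL} --jndi-name=java:/jdbc/DocumentBaseDS --driver-name=${DRIVER_NAME} --user-name=${DB_USER} --password=${DB_PASSWORD} --max-pool-size=15 --min-pool-size=5
/core-service=management/security-realm=MySecurityRealm:add(map-groups-to-roles=true)
/core-service=management/security-realm=MySecurityRealm/server-identity=ssl:add(keystore-path=server.keystore,keystore-relative-to=jboss.server.config.dir,keystore-password=${KEYSTORE_PASSWORD},alias=server)
/core-service=management/security-realm=MySecurityRealm/server-identity=ssl:write-attribute(name=enabled-protocols,value=["TLSv1.2"])
reload
/subsystem=undertow/server=default-server/https-listener=ssl-listener-1:add(socket-binding=https,security-realm=MySecurityRealm)
/subsystem=security/security-domain=MyFormAuthentication:add
/subsystem=security/security-domain=MyFormAuthentication/authentication=classic:add(login-modules=[{"code"=>"de.christofreichardt.jboss.login.SaltedPasswordLoginModule","flag"=>"required","module-options"=>["dsJndiName"=>"java:/jdbc/DocumentBaseDS","principalsQuery"=>"SELECT DISTINCT password, salt FROM useradmin WHERE snapshot = (SELECT MAX(id) FROM snapshot) AND disabled = 'N' AND failures < trials AND BINARY user = ?","rolesQuery"=>"SELECT groupname FROM useradmin WHERE snapshot = (SELECT MAX(id) FROM snapshot) AND BINARY user = ?","useFirstPass"=>"false"]}])
reload
deploy -f ${RBAC_WAR}
EOF
}

# Write the script to a temporary file and hand it to jboss-cli.sh via its
# --file option; the server must already be running on the management port.
run_cli() {
    check_config || return 1
    script=$(mktemp) || return 1
    generate_cli_script > "$script"
    "${JBOSS_HOME}/bin/jboss-cli.sh" --connect --file="$script"
    rc=$?
    rm -f "$script"
    return $rc
}

# Usage: ./configure-wildfly.sh keystore | print | run
case "${1:-}" in
    keystore) make_keystore ;;
    print)    generate_cli_script ;;
    run)      run_cli ;;
esac
```

Run `keystore` first, then `print` to inspect the generated commands, then `run`. The script mirrors the page's order, including the two `reload` commands the CLI needs before the listener and the deployment can use the new realm and security domain; the CLI reconnects to the server after each reload and continues with the next line. The datasource password still ends up in standalone-full.xml exactly as in the interactive procedure above, so keep that file's permissions tight.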
- (Shutdown the Application Server)
Of course, the server needs to be running when executing the test client.
wildfly-8.2.0.Final/bin$ ./jboss-cli.sh -c --command=shutdown