Securing WildFly Management Console with LDAP

This is a two-part tutorial about using LDAP on WildFly application server. In this first one we will learn how to configure the management console to use LDAP for authentication. In the next one we will learn how to use KeyCloak to authenticate and authorize application users against the LDAP server. We will use ApacheDS … Read more

How to create a custom Elytron Realm

In this tutorial we will learn how to create a custom Realm in Elytron, which is the equivalent of the old legacy Login Modules, and we will test it with a sample Web application. The starting point for creating a custom Ream in Elytron is the interface SecurityRealm which contains the contract for a realm backed … Read more

Using Elytron Credential Stores in WildFly

The elytron subsystem allows using Credential Stores as secure storage for your credentials. Using a credential store is a replacement of the standard password vault mechanism to store passwords and other sensitive strings. Credential stores allow for easier credential management within WildFly, without having to use an external tool. It is however still possible to … Read more

Configuring TLS 1.3 on WildFly application Server

This tutorial will teach you how to configure Transport Layer Security (TLS) v.1.3 on WildFly application server. TLS 1.3 offers improved speed compared to TLS 1.2. The earlier version of TLS (1.2) required two round-trips to finish a TLS handshake. On the other hand, TLS 1.3 only needs to complete a single round-trip. This substantially … Read more

How to use failover and distributed Realms in Elytron

In this tutorial we will learn how to create failover and distributed Elytron Realms to add resilience and distribution to your identity lookup. The option to stack multiple login modules is already available in the legacy Security Model. As the legacy security model is soon going to be deprecated, all the missing features are now … Read more

Securing JBoss / WildFly Management Interfaces: the easy way

This is the second tutorial about securing WildFly. In the first one, we have discussed how to secure the HTTP channel for Web applications:  How to configure SSL/HTTPS on WildFly In this tutorial we will learn how to secure JBoss / WildFly Management interfaces using Elytron. Firstly, we will at first demonstrate how to create … Read more

Solving Invalid secret key format

This issue happens when a Java module is unable to access com.sun.crypto libraries earlier than its Classloader modules. You will typically see a Stack trace which looks like this: Caused by: Invalid secret key format at com.sun.crypto.provider.JceKeyStore.engineLoad( at Source) at org.picketbox.util.KeyStoreUtil.getKeyStore( at org.picketbox.util.KeyStoreUtil.getKeyStore( at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore( One way to solve this issue is to … Read more

How to enable certificate forwarding in WildFly

In this tutorial we will learn how to do client certificate authentications when WildFly is located behind a reverse proxy. The most common use cases for reverse proxies are: When the reverse proxy is located on a DMZ When youe Web applications are located on a VLAN (e.g. private network). When the reverse proxy reads … Read more

Configuring HTTP Basic Authentication with WildFly

In this tutorial we will learn how to configure HTTP basic authentication with WildFly. Basic authentication is a simple authentication policy built into the HTTP protocol. The client sends an HTTP request with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username:password. As an example, in … Read more