Creating a custom credential store for wildfly

Ricky's Hodgepodge

Recent Entries

Using jakartaee 10 security OIDC with wildfly 27 preview
Thursday, September 15 2022
Creating a custom credential store for wildfly
Saturday, July 23 2022
Installing magisk in my lineage phone
Sunday, May 15 2022
Using test-containers for Java with podman
Saturday, January 15 2022
Wildfly bootable jar inside the OpenShift sandbox
Saturday, December 11 2021
Configuring nginx as reverse proxy for wildfly
Sunday, November 21 2021
Java ldappasswd implementation for the password modify extended operation
Saturday, October 30 2021
OpenSSL3 FIPS for wildfly?
Saturday, October 16 2021
Configuring BCFIPS in wildfly via elytron
Sunday, August 1 2021
Adding custom layers to bootable JAR
Saturday, February 27 2021

Quicksearch

Comments

Andrew Hughes about Using jakartaee 10 security OIDC with wildfly 27 preview
Sun, 25.09.2022 20:59
Hello, Thanks for the tutorial. Can you help me understand the relationship between the JASPI [...]
ricky about Can wildfly use BCFIPS provider for SSL running with jdk-11?
Sun, 20.03.2022 18:52
Check my following post: https://blogs.nologin.es/rickyepoderi/index.php?/archives/190-Configu [...]
Isaac about Can wildfly use BCFIPS provider for SSL running with jdk-11?
Wed, 16.03.2022 23:37
Hey, im trying to do this exactly how you have. I downloaded bc-fips-1.0.2-sources.jar, edited [...]
Lenny about Configuring BCFIPS in wildfly via elytron
Fri, 28.01.2022 19:45
Thank you. Apparently there is an issue with Elytron ( https://github.com/wildfly-security/wil [...]
ricky about Configuring BCFIPS in wildfly via elytron
Fri, 28.01.2022 11:28
Hi Lenny! I don't remember testing BCFIPS with jdk 8 but, if using version 8, I think that the [...]
Lenny about Configuring BCFIPS in wildfly via elytron
Wed, 26.01.2022 14:56
Hi, Do you have similar steps for openjdk 8 and wildfly 18. We had it configured in FIPS mo [...]
Erwin Steffens about Using custom URLs to perform SSO in an android application
Wed, 20.01.2021 12:14
Hi Ricky, Thanks for this post. This works for us. The only thing we are struggling with i [...]
David Wellborn about Authentication and caching in Wildfly
Thu, 23.07.2020 21:22
This is about the most complete and accurate "documentation" I've seen on the caching. I have [...]

Syndicate This Blog

Author

rickyepoderi

Visitor Locations

Blog Administration

Open login screen

Powered by

Saturday, July 23. 2022

Creating a custom credential store for wildfly

Java
Today an entry about custom credential stores in wildfly is going to be presented. With the new elytron subsystem the way of securely manage passwords inside the configuration is using a credential store. But what happen if a custom implementation is needed for any reason, is it possible to develop a custom credential store? Yes, it is, and that is the goal of the current post. :-)

  1. The first step is downloading, installing and starting the last wildfly server. 

    
wget https://github.com/wildfly/wildfly/releases/download/26.1.1.Final/wildfly-26.1.1.Final.zip
unzip wildfly-26.1.1.Final.zip
cd wildfly-26.1.1.Final/bin
./add-user.sh -u admin -p admin
./standalone.sh

  2. The credential stores are just provided by a standard JavaSE Provider. So in order to create a custom implementation two classes should be developed.

    • The one that extends the CredentialStoreSpi. This class is the real implementation of the store, with methods like store, retrieve or getAliases to manage the secret values. The standard implementations are placed in this folder and, for example, the MapCredentialStore is a simple Map implementation which is a useful starting point.

    • But the Provider is also needed to register the previous implementation. Inside elytron the provider class is WildFlyElytronCredentialStoreProvider. It adds the services for the standard stores with the correct types, algorithms and implementation classes.

  3. For the entry a simple credential store that saves the secrets in a properties file is going to be developed. But to make it a bit more interesting the values in the file are going to be encrypted using a PBE algorithm. The PBE key will be derived from the password passed to the credential store. This point is a bit weak and maybe it was better to use a hardcoded key, but I think that this way the entry is more educational. As always, the implementation is just an example you can extend, improve and adapt to your needs. The full maven project can be downloaded from here and it is also in my personal github account.

    For details in the implementation just check the store class but let's show the provider constructor.

    
    public CustomCredentialStoreProvider() {
        super("CustomCredentialStoreProvider", "0.1", "Custom CredentialStore Provider");
        putService(new Service(this, "CredentialStore", "CustomCredentialStoreProvider",
                "es.rickyepoderi.ccs.CustomCredentialStore", Collections.emptyList(),
                Collections.emptyMap()));
    }

    The class registers the implementation putting the service with type CredentialStore (it should be this value), algorithm is CustomCredentialStoreProvider (this name will be used later to configure the store inside wildfly) and the implementation class is es.rickyepoderi.ccs.CustomCredentialStore. No aliases or attributes are defined.

  4. The final part of the coding process is adding a META-INF/services/java.security.Provider file that will make the JDK automatically detect the provider (ServiceLoader technique). 

    
cat src/main/resources/META-INF/services/java.security.Provider
es.rickyepoderi.ccs.CustomCredentialStoreProvider

  5. So we have our custom credential store implementation ready. Just compile it and create the jar.

    
cd custom-credential-store
mvn clean package

    The final file will be place in the target directory.

  6. Now the interesting part, using CLI add the library as a module inside wildfly.

    
module add --name=es.rickyepoderi.ccs --resources=/path/to/custom-credential-store/target/custom-credential-store-0.0.1.jar --dependencies=org.wildfly.security.elytron

  7. The provider should be loaded into elytron to make it available to the server (if you remember I did the same with the Bouncy Castle FIPS jars in a previous entry).

    
/subsystem=elytron/provider-loader=ccs:add(module=es.rickyepoderi.ccs)

    As the provider was defined in the service file no more arguments are needed. The provider class will be located automatically.

  8. The custom credential can be configured at this point.

    
/subsystem=elytron/credential-store=ccs:add(providers=ccs, credential-reference={clear-text=XXXXXX}, location=custom.properties, relative-to=jboss.server.config.dir, type=CustomCredentialStoreProvider, create=true)

    The type should be CustomCredentialStoreProvider (the algorithm registered inside the provider). The store will use the provided password (please here it is provided in plain which is a nonsense, as I commented this is just an example) to create a PBE key and the values will be encrypted with it. The underlying file is specified using location and relative-to options and placed inside the configuration folder of the server. By default the implementation encrypts values using PBEWithHmacSHA512AndAES_256 algorithm but it can be changed using the implementation-properties option. In general that option can pass custom attributes to the implementation and the example manages several of them you can try and play with.

  9. Finally a secret is created inside the store ready to be used.

    
/subsystem=elytron/credential-store=ccs:add-alias(alias=alias1, secret-value=sa)

    And if you check the properties file the alias will be there with the value encrypted.

    
grep alias1 ../standalone/configuration/custom.properties 
alias1=oDaesxvoSWLkiwWo89sjzA\=\=\:MFkwOAYJKoZIhvcNAQUMMCsEFGTaNHH+6TJiT6PrGPC/tByEaGIWAgIQAAIBIDAMBggqhkiG9w0CCwUAMB0GCWCGSAFlAwQBKgQQDzqM6mftjvjqCg49J2td7Q\=\=

  10. That secret will be used to connect to the default H2 datasource that is defined in the wildfly server (that is why the secret value was sa).

    
batch
/subsystem=datasources/data-source=ExampleDS:undefine-attribute(name=password)
/subsystem=datasources/data-source=ExampleDS:write-attribute(name=credential-reference, value={store=ccs, alias=alias1})
run-batch
reload

    The server should be reloaded OK and the datasource should be able to connect to the H2 database.

    
/subsystem=datasources/data-source=ExampleDS:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

    It works successfully!

That is all. The entry is a simple example to develop your own credential store. This is usually not needed and standard stores provided by wildfly should be enough for you. But, if for whatever reason, there is a specific requirement that forces you to implement a custom credential store, here you have an example. Remember my implementation uses the password provided to the store to derive a PBE key and encrypt values with it (it was done to show how to recover that password but maybe using a hadcoded key was a better idea). It is just a proof of concept. The entry details the implementation and the configuration of the store inside the server. Links to the maven project were available before, please use it with care.

Best regards!

Posted by rickyepoderi in Java at 11:31 | Comments (0)

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.