Thank you for staying for so long. It's definitely worth it, because paper chat x top is very new; it's actually a project, or a product, actually. This is still not available in a commercial product, but Peter will surely tell us more. Yeah, thanks for the interaction. So welcome to your last presentation today.

It's cool to have some audience at such a late hour. The presentation will be about the new security subsystem in WildFly, or for WildFly, because the new and hot and awesome WildFly 10, which was released one week ago, doesn't contain Elytron. Nevertheless, it only means that you still have time to prepare for this revolution.

Yeah, I always loved the second slide on presentations of Oracle employees, and I wanted to put this disclaimer into my presentation, so now is the time and you can enjoy it. So, information in this presentation is without any warranty. Yeah, so if you break something, I am not responsible for it, and neither is my employer.

What is the program of this presentation? I will start with the conclusion, because I have to catch a classical music concert at half past seven and I don't know how the demo will go. Then some social stuff, because I've read somewhere that some icebreakers should be in every good presentation, and I want this presentation to be good. Then we will talk about why we are changing the security subsystem with Elytron, what features are already implemented, and what we can expect in the future. Shortly we will look into compatibility issues which we can expect, and then, if time allows and the gods allow, we will try the demo.
So, the conclusion. Elytron is a set of APIs and SPIs which cover the whole security of the application server. It unifies security configuration, which is now fragmented into several places: for example, for SSL configuration I can count at least three places, security domains, security realms and Undertow, where you can configure it. There is also a need for strong mechanisms, not only just BASIC authentication, and for this purpose Elytron was introduced. When Elytron was announced on the wildfly-dev mailing list, about one and a half years ago, David Lloyd wrote that it will completely replace PicketBox and JAAS as the WildFly security solution. Yeah, we will see; so it was something like that in the message.

And now the social part. I will talk about me and I will ask something about you. So, I work in Red Hat, and my focus is on security and, in the last months, also containers and clouds. The other roles which I play in my life, more or less successfully, are happy father, experienced hobby runner and organ player. And what about you? Are you Java EE friends? Raise your hands, please. Yeah, nice, nearly everybody. And have you ever tried to play with security configuration in WildFly? Yeah, security domains, realms, SSL configuration. Yeah, not so much. And do you run?
Yeah, share your enthusiasm. Nice, so the social part is successfully completed, and now let's continue with some serious business after the social part. Why are we replacing the current security solution, which is working, somehow? Let's dive into the history of JAAS. JAAS is actually a client-side API which predated the J2EE specification, and originally J2EE didn't come with some security solution and left the decisions about security to the vendors, for example JBoss. At those times mainly simple security solutions were in demand, which means validating usernames and passwords, and as a result JAAS was seen as a good solution to solve this problem. So the vendors implemented it, but not in a standard way. With JBoss AS 7 the preference was to switch to stronger authentication mechanisms, which means SASL mechanisms, and this wasn't compatible with JAAS. As a result a new solution was introduced: JAAS was covered by security domains, and now we also have security realms, which cover this SASL. As a result we have two solutions which solve the same problem, but from different perspectives, and it's confusing for users and for administrators. This is the main purpose which led to the initiation of the Elytron project.

What is already implemented in Elytron? It's mainly the set of APIs and SPIs. One of them is the PasswordFactory, which provides implementations of several types of passwords and password mechanisms and representations, such as hashed passwords and salted passwords. It also provides an API for some level of transformation from one representation of passwords to another: for example, from plain I want to convert to some other representation, and when it is supported we have an API for it. The other area is security realms, which we can compare somehow to login modules in legacy security domains. The security realms represent the integration point with the user store, so where your user population lives, for example.
You have users in LDAP or in a database, so through security realms you can access and sometimes manage the users. As I said, it contains also a modifiable API, so it's different from login modules: you can directly change through the API the user population and, for example, attributes of users. Security domains are the points against which the authentication starts. So if you have a web application, it can say, or the administrator can say, that this application will be protected by this security domain, and the security domain references security realms, which provide users, for example, for authentication. Some mechanisms are based on the existing JBoss SASL solution, and the completely new one is the HTTP authentication framework, which introduces something like SASL into HTTP. Everything is packaged as a new Java JCA security provider, which is registered by the Elytron extension; we will see it later. Also, there is ongoing work on integration into other subsystems, like the web server and EJBs, also Remoting and the other subsystems which need to handle security. Under the umbrella of Elytron we can also count the new WildFly security manager, which is already in the WildFly versions which we have now; you can try it when you start WildFly with the -secmgr argument.

If you make a simple comparison of the subsystems as we have them now in the integration branch, the old security subsystem has an XML schema file with four hundred lines, and the Elytron subsystem, which is not completed yet (for example, the SSL configuration is missing there), already has two and a half thousand lines. So yeah, it will be a huge thing. If we look into the configuration, how it usually looks in the legacy security subsystem: you have a security domain which contains references to login modules with some configuration of authentication. The Elytron subsystem has something similar.
It has security realms with the user population, a security domain which references the security realm, and then, for example, HTTP authentication which references the security domain, or SASL authentication which references the security domain.

And what can we expect in the next days and weeks? Peter is working on a credential store API/SPI, which will replace the security vaults which are currently used to store sensitive information. So if you don't want to store, for example, a database password in your application server configuration, currently you put it into the vault, and in the future you will use the credential store API/SPI to store it somewhere out of the server configuration, and the server configuration will hold only the reference to the credential store. The other part which is expected is the single configuration of SSL context, which is, as I said, currently configured for example in security domains, security realms or Undertow. There will be a need for integration in other subsystems, such as Remoting or JMS, but thanks to a new feature in WildFly which is called capabilities and requirements this is not so big a deal, and the subsystems don't need to have a dependency on the Elytron project. They will just need to say, yeah, I want a new SSL context, for example with this name, and they don't need to know that behind it is Elytron or another provider.

And backward compatibility. Once Elytron is merged into WildFly, I think users will start to ask: how will I transfer my configuration from the legacy subsystem into Elytron?
How will I move from the vault to credential stores, and so on? This is only our guess at how it will continue; I've talked with Peter, and the plan was to have the old system and Elytron for some time in parallel, and then cut most of the JAAS security and only keep login modules, which are used for example as third-party modules: customers have their own implementations, so only this part will survive. Also some migration tool for the vaults should be introduced.

Yeah, and now the demo time. I want to show you how to simply secure a web application in WildFly. At first I will show you how to do it in the legacy subsystem, and then how to do it with the new Elytron. For the legacy subsystem I will use users and roles stored in property files, and in Elytron I will store them in a file system realm. Yeah, let's try it. This is my window, and here is WildFly; it's a clean installation of the version where Elytron is integrated. Hopefully it will start. And how does the test application look? It's a single JSP file application, and it also includes two deployment descriptors: one is the JBoss-specific one, jboss-web.xml, which is used to reference the security domain, and the second is the standard deployment descriptor from the Servlet specification, web.xml. If we look into them: this is jboss-web.xml; we just reference web-tests as the name of the security domain. The standard deployment descriptor says that the whole application will be protected and only users with the role admin will have access, and the application will be protected with BASIC authentication, and the realm name presented to the user will be "secured kingdom". The third file is the JSP, which only prints the name of the authenticated user, so the principal name. The next step, before we deploy this application: we will set up the legacy security domain, because we reference the security domain name from the application, so we want to have it prepared before deployment.
So I prepared two property files which contain users and roles. If we look into the users file, yeah, it's only a mapping username=password in a property file, and the roles file is a mapping from username to a list of roles. How to configure the legacy security domain: usually you don't need, for example, a security realm to configure it, but because I don't have the property files on the classpath I use the way through a security realm. So the authentication comes from the security realm, and the security domain is only used to reference the security realm through the RealmDirect login module. These are the management operations which we will need to do, so let's run it. Let's deploy the application. We can check it; it's deployed, and we can test it. I will use the command-line-based HTTP client curl, and it will be in verbose mode, so we will see the HTTP headers. Yeah, I didn't provide any authentication information and the server responds with 401 Unauthorized, so we are not authenticated. If we provide authentication information, so username admin and his password, the response from the server is with status OK, and we see that we are authenticated into the JSP with username admin. So this is authentication in the legacy security subsystem.

Now, in Elytron we will need to do some more steps. These are the management operations which we will need to do to complete the configuration. So first register the Elytron subsystem in the WildFly configuration, then configure the file system realm, which will be stored somewhere under the server configuration, and, as you can see, we will use management operations directly to add users, set their password and also set their attributes.
I use setting attributes to configure roles. Once we have the security realm, we can use it in a new security domain, which is named test-domain, and then we will configure HTTP server authentication, which will reference the new security domain. The final step is to say to the Undertow subsystem that if the application requires authentication to the web-tests domain, we will map it to the HTTP server authentication which we configured in the previous step, so it will be authenticated through Elytron. Let's run the script and check the server log file; yeah, it should contain some message from Elytron that it is ready. Now we can again check the authentication. So first without username and password: yeah, and again we are not authorized, but now the realm name in the WWW-Authenticate header from the server is not the name we used in the deployment descriptor, but it's the name we configured in Elytron, so "secured by Elytron". If we provide the username and password, we get unauthorized, because for Elytron we have a little bit different password. So I will add it to the end of the password, and it authenticates correctly. So we switched from legacy authentication to Elytron authentication. Hopefully some steps will not be necessary once Elytron is ready in WildFly, and I expect some reasonable defaults, for example for the HTTP server authentication, but yeah, we will see.

As I said, Elytron itself registers its functionality, or its services, as standard Java security services in a security provider. I have a second short demo which shows how to add additional functionality by adding a new security provider through Elytron. So let's continue with this. I have a simple single JSP which just lists the names of the security providers registered in the JVM, and it also lists the key store types registered by the security providers. Let's deploy the application and check if it is deployed, with the providers. There is a set of standard... Do you see it?
Not so much. Standard security providers registered by the Java security configuration file in your Java runtime environment, and the key store types. The last security provider listed here is WildFly Elytron, which is the one registered by the extension. Also the password file in the key store types comes from Elytron, so this is what is in Elytron by default. When we want to add the PKCS#11 security provider, this is the management operation for it, which says: in Elytron, add a new provider loader with the given provider class, load it from the given WildFly module, and we can also provide some properties for the newly initiated provider, and we will say register it on the server startup. Let's run it, test the application, and you can see the SunPKCS11 security provider is registered, and in the key store types we have a new type, PKCS11. This key store type can be used, for example, to access smart cards, or keys stored on smart cards or USB tokens; in this demo it was used to access the Network Security Services (NSS) key store.

So once more the conclusion: Elytron is a set of APIs and SPIs, and it should provide unified security configuration across the whole application server, and maybe it will completely replace JAAS and PicketBox. So it's done.
It's the next big thing in WildFly, and you should give it a try. Currently you need to build the components yourself, but it's expected that now, after releasing WildFly 10, some parts will be integrated into the main branches, so into WildFly Core and WildFly. If you find any issue, there is the ELY project in the JBoss issue tracker, so you can report it, or if you have any feedback, ideas or comments, you can talk with the developers on HipChat. And that's all. Do you have questions?

Keycloak is mainly single sign-on, yes. So it will be, I think it could be used as a security realm also; there should be integration in the future, but the base security layer in WildFly should be Elytron. I think Keycloak tries to solve another area of problems. Yeah. If you know the current security solution, we have PicketLink and PicketBox in WildFly, and PicketBox is the core of the security and PicketLink is mainly single sign-on, SAML-based. So in the future Elytron will be the core and Keycloak will provide single sign-on. I don't know Keycloak very much, so I can't answer better. Any other questions? If not, thanks.

As far as I know it's not possible now, but I don't know what the plans are with these provider loaders under Elytron; I don't have any information about removing and reordering. So the future is bright. Any other questions? If not, thank you for your attention, and have a nice evening. Thanks very much.
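The Elytron part of the demo above (file system realm, security domain, BASIC HTTP authentication, Undertow mapping of the web-tests domain), written out as a WildFly management CLI script. This is an added example, not the speaker's script: it uses the resource names of the Elytron subsystem as released later in WildFly 11 (for example http-authentication-factory), whereas the talk's integration branch used names such as http-server-authentication that were changed before release. The realm, domain and factory names, the user admin with its constructed password, and the realm string shown to the client are my assumptions.

```jboss-cli
# Added example (not from the talk): secure a web application with Elytron, using the
# resource names of the Elytron subsystem as released in WildFly 11.
# Run with: $JBOSS_HOME/bin/jboss-cli.sh --connect --file=elytron-web-tests.cli

# 1. Register the Elytron extension and subsystem (skip both if the server already has them;
#    if the server reports reload-required afterwards, reload before continuing).
/extension=org.wildfly.extension.elytron:add
/subsystem=elytron:add

# 2. File system realm: the user population is stored under the server configuration directory,
#    and identities are managed through management operations, as shown in the demo.
/subsystem=elytron/filesystem-realm=fsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
# constructed sample user and password (assumption)
/subsystem=elytron/filesystem-realm=fsRealm:add-identity(identity=admin)
/subsystem=elytron/filesystem-realm=fsRealm:set-password(identity=admin,clear={password="admin123"})
# roles are configured as an identity attribute, as in the talk
/subsystem=elytron/filesystem-realm=fsRealm:add-identity-attribute(identity=admin,name=Roles,value=["admin"])

# 3. Turn the Roles attribute into roles, and grant LoginPermission so authenticated identities
#    are allowed to log in (without a permission mapper the identity is authenticated but not authorized).
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/constant-permission-mapper=login-permission:add(permissions=[{class-name=org.wildfly.security.auth.permission.LoginPermission}])

# 4. Security domain referencing the realm (the point against which authentication starts)
/subsystem=elytron/security-domain=testDomain:add(default-realm=fsRealm,realms=[{realm=fsRealm,role-decoder=from-roles-attribute}],permission-mapper=login-permission)

# 5. HTTP authentication: BASIC mechanism from the provider-backed mechanism factory, with the
#    realm name the client will see in the WWW-Authenticate header (not the one from web.xml)
/subsystem=elytron/provider-http-server-mechanism-factory=global:add
/subsystem=elytron/http-authentication-factory=test-http-auth:add(http-server-mechanism-factory=global,security-domain=testDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Secured by Elytron"}]}])

# 6. Tell Undertow that deployments referencing the security domain "web-tests" in jboss-web.xml
#    are authenticated through this Elytron factory instead of the legacy security subsystem
/subsystem=undertow/application-security-domain=web-tests:add(http-authentication-factory=test-http-auth)

reload
```

After the reload, the same curl check as in the demo applies: a request without credentials returns 401 with `WWW-Authenticate: Basic realm="Secured by Elytron"`, and `curl -v -u admin:admin123` against the application's context path returns 200 with the principal name printed by the JSP. Users with an identity but without the admin role are authenticated but rejected by the web.xml constraint, which is the check that confirms the role decoder is wired correctly.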