# https://github.com/wildfly/quickstart/tree/main/jaxrs-jwt
#
# Configures the Elytron subsystem for JWT bearer-token authentication and wires it
# into Undertow's "other" application-security-domain. The commands depend on each
# other in order (each later one references a resource created earlier), and the
# :add commands fail if the resource already exists, so the script is meant to be
# run once, top to bottom, against a fresh configuration.
#
# Add a keystore to elytron for loading signature public key.
# The keystore is PKCS12, stored as jwt.keystore under jboss.server.config.dir.
# NOTE(review): the password is given as clear-text in credential-reference, so it
# ends up verbatim in the server configuration; a credential-store reference is the
# usual choice outside a lab setup.
/subsystem=elytron/key-store=jwt-key-store:add(type="PKCS12", relative-to="jboss.server.config.dir", path="jwt.keystore", credential-reference={clear-text="mysuperpassword"})
# Generate a new key pair which will be used later to extract the certificate. This is an RSA key of size 2048.
# Equivalent keytool command (the alias must match the one used below, jwt-auth):
#keytool -genkey -alias alias -keyalg RSA -keysize 2048 -keystore jwt.keystore -storepass mysuperpassword -keypass mysuperpassword
# validity is given in days: the self-signed certificate expires after one year, after
# which signature validation in the token realm below fails until a new pair is
# generated. The subject CN=localhost is only meaningful for a local host.
/subsystem=elytron/key-store=jwt-key-store:generate-key-pair(alias=jwt-auth, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=mysuperpassword}, distinguished-name="CN=localhost")
# Optional: export the public certificate as PEM for the token issuer / clients.
# NOTE(review): as written the export path is the keystore file itself; if this line
# is enabled, point path at a separate file (e.g. "jwt-auth.pem" - constructed
# example) so the keystore is not overwritten by the certificate.
#/subsystem=elytron/key-store=jwt-key-store:export-certificate(alias=jwt-auth, path="jwt.keystore", relative-to="jboss.server.config.dir", pem=true)
# Persist the generated key pair to jwt.keystore on disk.
/subsystem=elytron/key-store=jwt-key-store:store
# Add a new token security realm to elytron for authentication using JWTs.
# A token is accepted only if its issuer and audience claims match the listed values
# and its signature verifies against the "jwt-auth" certificate held in
# jwt-key-store; the "sub" claim becomes the principal name.
/subsystem=elytron/token-realm=jwt-realm:add(jwt={issuer=["lab4-jwt-issuer"], audience=["jwt-audience"], key-store=jwt-key-store, certificate="jwt-auth"}, principal-claim="sub")
# Add a new security domain, which uses the jwt security realm.
# groups-to-roles is the stock WildFly role decoder; presumably it maps the token's
# "groups" claim to application roles here - confirm against the roles the
# deployment expects.
/subsystem=elytron/security-domain=jwt-domain:add(realms=[{realm=jwt-realm, role-decoder=groups-to-roles}], permission-mapper=default-permission-mapper, default-realm=jwt-realm)
# Create http authentication factory that uses BEARER_TOKEN authentication
# (the token is read from the Authorization header; there is no interactive login).
/subsystem=elytron/http-authentication-factory=jwt-http-authentication:add(security-domain=jwt-domain, http-server-mechanism-factory=global, mechanism-configurations=[{mechanism-name="BEARER_TOKEN", mechanism-realm-configurations=[{realm-name="jwt-realm"}]}])
# security-domain and http-authentication-factory are mutually exclusive attributes of
# application-security-domain, so the undefine and the write must be applied
# together in a single batch (one operation, rolled back as a whole on failure):
# applying only the undefine would leave "other" with no authentication configured.
# NOTE(review): "other" is presumably the default application-security-domain for
# deployments that do not name one, so this switches all of them to bearer-token
# authentication - confirm that is intended.
batch
# Configure Undertow to use our http authentication factory for authentication
/subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain)
/subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory, value=jwt-http-authentication)
run-batch