org.wildfly.security.auth.server.SecurityRealm Java Examples

Example #1
Source File: RealmsTestCase.java (from wildfly-core, GNU Lesser General Public License v2.1)
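/**
 * Exercises a property-backed realm through the {@link SecurityRealm} contract.
 *
 * <p>Fixture expectations (as asserted below): {@code user1}/{@code password1} and
 * {@code user2}/{@code password2} exist; {@code user9} does not. The last case checks that an
 * unknown identity both reports {@code exists() == false} and rejects a password guess, so a
 * missing user cannot be authenticated by accident.
 *
 * <p>Each {@code RealmIdentity} is disposed in a {@code finally} block so that a failing
 * assertion does not leave the identity handle un-released.
 *
 * @param securityRealm the realm under test; must not be {@code null}
 * @throws Exception if the realm cannot look up or verify an identity
 */
private void testAbstractPropertyRealm(SecurityRealm securityRealm) throws Exception {
    Assert.assertNotNull(securityRealm);

    RealmIdentity identity1 = securityRealm.getRealmIdentity(fromName("user1"));
    try {
        Assert.assertTrue(identity1.exists());
        Assert.assertTrue(identity1.verifyEvidence(new PasswordGuessEvidence("password1".toCharArray())));
        // A wrong password for an existing user must be rejected.
        Assert.assertFalse(identity1.verifyEvidence(new PasswordGuessEvidence("password2".toCharArray())));
    } finally {
        identity1.dispose();
    }

    RealmIdentity identity2 = securityRealm.getRealmIdentity(fromName("user2"));
    try {
        Assert.assertTrue(identity2.exists());
        Assert.assertTrue(identity2.verifyEvidence(new PasswordGuessEvidence("password2".toCharArray())));
    } finally {
        identity2.dispose();
    }

    RealmIdentity identity9 = securityRealm.getRealmIdentity(fromName("user9"));
    try {
        // Unknown user: must neither exist nor verify any evidence.
        Assert.assertFalse(identity9.exists());
        Assert.assertFalse(identity9.verifyEvidence(new PasswordGuessEvidence("password9".toCharArray())));
    } finally {
        identity9.dispose();
    }
}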
 
Example #2
Source File: CachingRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Builds the MSC service that wraps the injected realm in a caching decorator.
 *
 * <p>The wrapped realm must implement {@code CacheableSecurityRealm}; when it is also a
 * {@code ModifiableSecurityRealm} the modifiable caching variant is chosen. Any other realm
 * type fails at service start with the subsystem's "realm does not support cache" error.
 * The realm is resolved lazily, when the service value is first requested.
 *
 * @param realmName  name of the wrapped realm, used only in the error message
 * @param maxEntries upper bound on cached identities
 * @param maxAge     maximum age of a cached identity, interpreted by {@code createRealmIdentityCache}
 * @param injector   injected value holding the realm to wrap
 * @return a service whose value is the caching realm
 */
private TrivialService<SecurityRealm> createService(String realmName, int maxEntries, long maxAge, InjectedValue<SecurityRealm> injector) {
    TrivialService.ValueSupplier<SecurityRealm> supplier = () -> {
        SecurityRealm wrapped = injector.getValue();
        if (!(wrapped instanceof CacheableSecurityRealm)) {
            throw ElytronSubsystemMessages.ROOT_LOGGER.realmDoesNotSupportCache(realmName);
        }
        RealmIdentityCache identityCache = createRealmIdentityCache(maxEntries, maxAge);
        CacheableSecurityRealm cacheable = (CacheableSecurityRealm) wrapped;
        if (wrapped instanceof ModifiableSecurityRealm) {
            return new CachingModifiableSecurityRealm(cacheable, identityCache);
        }
        return new CachingSecurityRealm(cacheable, identityCache);
    };
    return new TrivialService<>(supplier);
}
 
Example #3
Source File: TokenRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
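/**
 * Creates the token realm that validates bearer tokens against an OAuth2 introspection endpoint.
 *
 * <p>A hostname verifier is resolved only when a verification policy was configured; otherwise
 * {@code null} is handed to the validator builder, as before. Note that a policy which relaxes
 * hostname verification weakens the TLS protection of the introspection call, so the configured
 * policy deserves review.
 *
 * @return the configured {@code TokenSecurityRealm}
 * @throws StartException if the configured introspection URL is not a valid URL
 */
@Override
public SecurityRealm get() throws StartException {
    HostnameVerifier verifier = null;
    if (hostNameVerificationPolicy != null) {
        verifier = HostnameVerificationPolicy.valueOf(hostNameVerificationPolicy).getVerifier();
    }

    URL introspection;
    try {
        introspection = new URL(introspectionUrl);
    } catch (MalformedURLException e) {
        // Report through the declared checked exception (with cause) instead of an unchecked
        // RuntimeException, so the container sees a regular service start failure.
        throw new StartException("Failed to parse token introspection URL.", e);
    }

    OAuth2IntrospectValidator.Builder validator = OAuth2IntrospectValidator.builder()
            .clientId(clientId)
            .clientSecret(clientSecret)
            .tokenIntrospectionUrl(introspection)
            .useSslContext(sslContextInjector.getOptionalValue())
            .useSslHostnameVerifier(verifier);
    return TokenSecurityRealm.builder()
            .principalClaimName(principalClaimNode.asString())
            .validator(validator.build())
            .build();
}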
 
Example #4
Source File: KeyStoreRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Installs the key-store backed realm service for the current resource address.
 *
 * <p>The realm is built lazily from the injected {@code KeyStore}; the store is looked up through
 * the {@code KEY_STORE_CAPABILITY} so the realm only starts once that store service is available.
 *
 * @param context   the operation context
 * @param operation the add operation (not read here)
 * @param model     the resource model holding the {@code key-store} attribute
 * @throws OperationFailedException if the key-store attribute cannot be resolved
 */
@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model)
        throws OperationFailedException {
    ServiceTarget target = context.getServiceTarget();
    ServiceName realmServiceName = SECURITY_REALM_RUNTIME_CAPABILITY
            .fromBaseCapability(context.getCurrentAddressValue())
            .getCapabilityServiceName(SecurityRealm.class);

    final InjectedValue<KeyStore> injectedKeyStore = new InjectedValue<KeyStore>();
    TrivialService<SecurityRealm> realmService =
            new TrivialService<SecurityRealm>(() -> new KeyStoreBackedSecurityRealm(injectedKeyStore.getValue()));
    ServiceBuilder<SecurityRealm> realmBuilder = target.addService(realmServiceName, realmService);

    String keyStoreName = KEYSTORE.resolveModelAttribute(context, model).asString();
    String keyStoreCapability = RuntimeCapability.buildDynamicCapabilityName(KEY_STORE_CAPABILITY, keyStoreName);
    ServiceName keyStoreService = context.getCapabilityServiceName(keyStoreCapability, KeyStore.class);
    KEY_STORE_UTIL.addInjection(realmBuilder, injectedKeyStore, keyStoreService);

    commonDependencies(realmBuilder).setInitialMode(Mode.ACTIVE).install();
}
 
Example #5
Source File: LdapRecorder.java (from quarkus, Apache License 2.0)
/**
 * Create a runtime value for a {@linkplain LdapSecurityRealm}.
 *
 * <p>The directory context and identity mapping (attribute mappings, RDN identifier and search
 * base DN) are taken from the config. When {@code directVerification} is on, the realm verifies
 * passwords directly against the directory; the {@code false} argument is the allow-blank-password
 * flag (compare the WildFly definition, which reads it from the model), so blank passwords are
 * not accepted here.
 *
 * @param config - the realm config
 * @return - runtime value wrapper for the SecurityRealm
 */
public RuntimeValue<SecurityRealm> createRealm(LdapSecurityRealmConfig config) {
    LdapSecurityRealmBuilder realmBuilder = LdapSecurityRealmBuilder.builder();
    realmBuilder.setDirContextSupplier(createDirContextSupplier(config.dirContext));
    realmBuilder.identityMapping()
            .map(createAttributeMappings(config.identityMapping))
            .setRdnIdentifier(config.identityMapping.rdnIdentifier)
            .setSearchDn(config.identityMapping.searchBaseDn)
            .build();

    if (config.directVerification) {
        realmBuilder.addDirectEvidenceVerification(false);
    }

    return new RuntimeValue<>(realmBuilder.build());
}
 
Example #6
Source File: LdapRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Installs the LDAP realm service under the modifiable-realm capability name, aliased to the
 * plain security-realm capability name.
 *
 * <p>Direct evidence verification (binding with the user's password) is enabled only when the
 * {@code direct-verification} attribute is true; the {@code allow-blank-password} attribute is
 * then forwarded unchanged. Identity mapping and the directory-context dependency are wired by
 * the sibling helpers before the service is installed.
 *
 * @param context   the operation context
 * @param operation the add operation (not read here)
 * @param model     the resource model
 * @throws OperationFailedException if an attribute cannot be resolved
 */
@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
    ServiceTarget target = context.getServiceTarget();
    final String address = context.getCurrentAddressValue();
    final ServiceName modifiableName = MODIFIABLE_SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(address).getCapabilityServiceName();
    final ServiceName plainName = SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(address).getCapabilityServiceName();

    final LdapSecurityRealmBuilder realmBuilder = LdapSecurityRealmBuilder.builder();
    final boolean directVerification = DIRECT_VERIFICATION.resolveModelAttribute(context, model).asBoolean();
    if (directVerification) {
        realmBuilder.addDirectEvidenceVerification(ALLOW_BLANK_PASSWORD.resolveModelAttribute(context, model).asBoolean());
    }

    ServiceBuilder<SecurityRealm> serviceBuilder = target
            .addService(modifiableName, new TrivialService<SecurityRealm>(realmBuilder::build))
            .addAliases(plainName);
    commonDependencies(serviceBuilder);

    configureIdentityMapping(context, model, realmBuilder);
    configureDirContext(context, model, realmBuilder, serviceBuilder);

    serviceBuilder.setInitialMode(ServiceController.Mode.ACTIVE).install();
}
 
Example #7
Source File: RealmsTestCase.java (from wildfly-core, GNU Lesser General Public License v2.1)
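/**
 * Boots the subsystem from {@code realms-test.xml} and checks both property realms
 * ({@code HashedPropertyRealm} and {@code ClearPropertyRealm}) through the shared
 * {@code testAbstractPropertyRealm} checks, then verifies that the clear realm exposes
 * {@code user1}'s {@code groupAttr} attribute.
 *
 * <p>The identity used for the attribute check is disposed in a {@code finally} block so a
 * failing assertion does not leak it (consistent with {@code testAbstractPropertyRealm}).
 *
 * @throws Exception if the subsystem or a realm cannot be used
 */
@Test
public void testPropertyRealm() throws Exception {
    KernelServices services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource("realms-test.xml").build();
    if (!services.isSuccessfulBoot()) {
        Assert.fail(services.getBootError().toString());
    }

    ServiceName serviceName = Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY.getCapabilityServiceName("HashedPropertyRealm");
    SecurityRealm securityRealm = (SecurityRealm) services.getContainer().getService(serviceName).getValue();
    testAbstractPropertyRealm(securityRealm);

    ServiceName serviceName2 = Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY.getCapabilityServiceName("ClearPropertyRealm");
    SecurityRealm securityRealm2 = (SecurityRealm) services.getContainer().getService(serviceName2).getValue();
    testAbstractPropertyRealm(securityRealm2);

    RealmIdentity identity1 = securityRealm2.getRealmIdentity(fromName("user1"));
    try {
        Object[] groups = identity1.getAuthorizationIdentity().getAttributes().get("groupAttr").toArray();
        Assert.assertArrayEquals(new Object[]{"firstGroup","secondGroup"}, groups);
    } finally {
        identity1.dispose();
    }
}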
 
Example #8
Source File: ElytronPropertiesFileRecorder.java (from quarkus, Apache License 2.0)
/**
 * Create a runtime value for a {@linkplain LegacyPropertiesSecurityRealm}.
 *
 * <p>The realm's default realm name, plain-text flag and security providers come from the
 * config and the {@code PROVIDERS} constant. {@code plainText} tells the realm how to read the
 * stored passwords (clear text versus hashed); storing clear-text passwords is the weaker option
 * and is a configuration decision, not something this method changes.
 *
 * @param config - the realm config
 * @return - runtime value wrapper for the SecurityRealm
 * @throws Exception if the realm cannot be built
 */
public RuntimeValue<SecurityRealm> createRealm(PropertiesRealmConfig config) throws Exception {
    log.debugf("createRealm, config=%s", config);

    Supplier<Provider[]> providerSupplier = () -> PROVIDERS;
    LegacyPropertiesSecurityRealm.Builder realmBuilder = LegacyPropertiesSecurityRealm.builder();
    realmBuilder.setDefaultRealm(config.realmName);
    realmBuilder.setProviders(providerSupplier);
    realmBuilder.setPlainText(config.plainText);
    return new RuntimeValue<>(realmBuilder.build());
}
 
Example #9
Source File: RealmsTestCase.java (from wildfly-core, GNU Lesser General Public License v2.1)
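/**
 * Checks that {@code AggregateRealmOne} resolves {@code firstUser} and exposes exactly three
 * authorization attributes ({@code firstName}, {@code lastName}, {@code roles}) with the values
 * expected from the test fixture.
 *
 * <p>The identity is disposed in a {@code finally} block so a failing assertion does not leave
 * the handle un-released.
 *
 * @throws Exception if the subsystem or the realm cannot be used
 */
@Test
public void testAggregateRealm() throws Exception {
    KernelServices services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource("realms-test.xml").build();
    if (!services.isSuccessfulBoot()) {
        Assert.fail(services.getBootError().toString());
    }

    ServiceName serviceName = Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY.getCapabilityServiceName("AggregateRealmOne");
    SecurityRealm securityRealm = (SecurityRealm) services.getContainer().getService(serviceName).getValue();
    Assert.assertNotNull(securityRealm);

    RealmIdentity identity1 = securityRealm.getRealmIdentity(fromName("firstUser"));
    try {
        Assert.assertTrue(identity1.exists());

        Assert.assertEquals(3, identity1.getAuthorizationIdentity().getAttributes().size());
        Assert.assertEquals("[Jane]", identity1.getAuthorizationIdentity().getAttributes().get("firstName").toString());
        Assert.assertEquals("[Doe]", identity1.getAuthorizationIdentity().getAttributes().get("lastName").toString());
        Assert.assertEquals("[Employee, Manager, Admin]", identity1.getAuthorizationIdentity().getAttributes().get("roles").toString());
    } finally {
        identity1.dispose();
    }
}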
 
Example #10
Source File: ElytronPropertiesProcessor.java (from quarkus, Apache License 2.0)
/**
 * Check to see if a PropertiesRealmConfig was specified and enabled and, if so, have the
 * recorder create a {@linkplain org.wildfly.security.auth.realm.LegacyPropertiesSecurityRealm}
 * runtime value for the user/roles properties files and publish it as a
 * {@code SecurityRealmBuildItem}.
 *
 * <p>Nothing is produced when the file realm is disabled. The {@code resources} producer is not
 * used by this body.
 *
 * @param recorder - runtime security recorder
 * @param resources - producer for native-image resources (not used here)
 * @param securityRealm - the producer factory for the SecurityRealmBuildItem
 * @throws Exception - on any failure
 */
@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
void configureFileRealmAuthConfig(ElytronPropertiesFileRecorder recorder,
        BuildProducer<NativeImageResourceBuildItem> resources,
        BuildProducer<SecurityRealmBuildItem> securityRealm) throws Exception {
    PropertiesRealmConfig realmConfig = propertiesConfig.file;
    if (!realmConfig.enabled) {
        return;
    }
    log.debugf("Configuring from PropertiesRealmConfig, users=%s, roles=%s", realmConfig.users,
            realmConfig.roles);
    // The recorder builds the LegacyPropertiesSecurityRealm at runtime init; loadRealm
    // supplies the runtime loading step stored alongside the realm in the build item.
    RuntimeValue<SecurityRealm> realm = recorder.createRealm(realmConfig);
    SecurityRealmBuildItem item = new SecurityRealmBuildItem(realm, realmConfig.realmName, recorder.loadRealm(realm, realmConfig));
    securityRealm.produce(item);
}
 
Example #11
Source File: RealmsTestCase.java (from wildfly-core, GNU Lesser General Public License v2.1)
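/**
 * Checks {@code AggregateRealmTwo}, which applies a principal transformer: {@code firstUser}
 * must resolve to the identity and attributes loaded from {@code filesystem-realm-2}
 * (the {@code ...2}-suffixed values), proving the transformed principal was used for lookup.
 *
 * <p>The identity is disposed in a {@code finally} block so a failing assertion does not leave
 * the handle un-released.
 *
 * @throws Exception if the subsystem or the realm cannot be used
 */
@Test
public void testAggregateRealmWithPrincipalTransformer() throws Exception {
    KernelServices services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource("realms-test.xml").build();
    if (!services.isSuccessfulBoot()) {
        Assert.fail(services.getBootError().toString());
    }

    ServiceName serviceName = Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY.getCapabilityServiceName("AggregateRealmTwo");
    SecurityRealm securityRealm = (SecurityRealm) services.getContainer().getService(serviceName).getValue();
    Assert.assertNotNull(securityRealm);

    RealmIdentity identity1 = securityRealm.getRealmIdentity(fromName("firstUser"));
    try {
        Assert.assertTrue(identity1.exists());
        //Assert that transformation was successful and the correct identity and attributes were loaded from filesystem-realm-2
        Assert.assertEquals(3, identity1.getAuthorizationIdentity().getAttributes().size());
        Assert.assertEquals("[Jane2]", identity1.getAuthorizationIdentity().getAttributes().get("firstName").toString());
        Assert.assertEquals("[Doe2]", identity1.getAuthorizationIdentity().getAttributes().get("lastName").toString());
        Assert.assertEquals("[Employee2, Manager2, Admin2]", identity1.getAuthorizationIdentity().getAttributes().get("roles").toString());
    } finally {
        identity1.dispose();
    }
}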
 
Example #12
Source File: RemotingHttpUpgradeService.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Creates the HTTP-upgrade service; every dependency is handed over as a supplier and resolved
 * later, when the service starts.
 *
 * <p>Either the legacy security realm or the SASL authentication factory may be absent:
 * {@code installServices} passes {@code null} for whichever one was not configured, so
 * {@code securityRealmSupplier} and {@code saslAuthenticationFactorySupplier} must be
 * null-checked before use.
 *
 * @param serviceConsumer                  receives this instance once the service is started
 * @param upgradeRegistrySupplier          supplier of the channel upgrade handler registry
 * @param listenerRegistrySupplier         supplier of the HTTP listener registry
 * @param endpointSupplier                 supplier of the Remoting endpoint
 * @param securityRealmSupplier            supplier of the legacy security realm, or {@code null}
 * @param saslAuthenticationFactorySupplier supplier of the SASL authentication factory, or {@code null}
 * @param httpConnectorName                name of the HTTP connector to upgrade
 * @param endpointName                     simple name of the endpoint service
 * @param connectorPropertiesOptionMap     Remoting connector options
 */
public RemotingHttpUpgradeService(final Consumer<RemotingHttpUpgradeService> serviceConsumer,
                                  final Supplier<ChannelUpgradeHandler> upgradeRegistrySupplier,
                                  final Supplier<ListenerRegistry> listenerRegistrySupplier,
                                  final Supplier<Endpoint> endpointSupplier,
                                  final Supplier<org.jboss.as.domain.management.SecurityRealm> securityRealmSupplier,
                                  final Supplier<SaslAuthenticationFactory> saslAuthenticationFactorySupplier,
                                  final String httpConnectorName, final String endpointName, final OptionMap connectorPropertiesOptionMap) {
    // Plain configuration values first, then the lazily resolved dependencies.
    this.httpConnectorName = httpConnectorName;
    this.endpointName = endpointName;
    this.connectorPropertiesOptionMap = connectorPropertiesOptionMap;
    this.serviceConsumer = serviceConsumer;
    this.upgradeRegistrySupplier = upgradeRegistrySupplier;
    this.listenerRegistrySupplier = listenerRegistrySupplier;
    this.endpointSupplier = endpointSupplier;
    // Security-related suppliers; either may be null (see installServices).
    this.securityRealmSupplier = securityRealmSupplier;
    this.saslAuthenticationFactorySupplier = saslAuthenticationFactorySupplier;
}
 
Example #13
Source File: ElytronDeploymentProcessor.java (from quarkus, Apache License 2.0)
/**
 * Create the deployment SecurityDomain using the SecurityRealm build items that have been created.
 *
 * <p>The first build item's realm is handed to {@code configureDomainBuilder}, which (in the
 * recorder) registers it and makes it the default realm; every further realm is added by name.
 * Build-item order therefore decides which realm is the default.
 *
 * @param recorder - the runtime recorder class used to access runtime behaviors
 * @param realms - the previously created SecurityRealm runtime values
 * @return the SecurityDomain runtime value build item, or {@code null} when no realm was produced
 * @throws Exception on any recorder failure
 */
@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
SecurityDomainBuildItem build(ElytronRecorder recorder, List<SecurityRealmBuildItem> realms)
        throws Exception {
    if (realms.isEmpty()) {
        // No realms: no domain is built and no build item is emitted.
        return null;
    }
    SecurityRealmBuildItem primary = realms.get(0);
    RuntimeValue<SecurityDomain.Builder> domainBuilder =
            recorder.configureDomainBuilder(primary.getName(), primary.getRealm());
    for (SecurityRealmBuildItem extra : realms.subList(1, realms.size())) {
        recorder.addRealm(domainBuilder, extra.getName(), extra.getRealm());
    }
    RuntimeValue<SecurityDomain> domain = recorder.buildDomain(domainBuilder);
    return new SecurityDomainBuildItem(domain);
}
 
Example #14
Source File: RemotingHttpUpgradeService.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Registers the HTTP-upgrade service for a Remoting connector and wires its dependencies.
 *
 * <p>The legacy security realm and the SASL authentication factory are optional: a dependency is
 * declared only for the one(s) whose name is non-null, and {@code null} is passed to the service
 * otherwise. The service is installed in {@code PASSIVE} mode, so it starts only once all declared
 * dependencies are up.
 *
 * @param context                      the operation context providing the service target
 * @param remotingConnectorName        name of the Remoting connector; suffixes the service name
 * @param httpConnectorName            name of the HTTP connector whose upgrade registry is required
 * @param endpointName                 service name of the Remoting endpoint
 * @param connectorPropertiesOptionMap Remoting connector options
 * @param securityRealm                legacy security realm name, or {@code null}
 * @param saslAuthenticationFactory    SASL authentication factory capability name, or {@code null}
 */
public static void installServices(final OperationContext context, final String remotingConnectorName,
                                   final String httpConnectorName, final ServiceName endpointName,
                                   final OptionMap connectorPropertiesOptionMap, final String securityRealm,
                                   final String saslAuthenticationFactory) {
    final ServiceName upgradeServiceName = UPGRADE_SERVICE_NAME.append(remotingConnectorName);
    final ServiceBuilder<?> builder = context.getServiceTarget().addService(upgradeServiceName);

    final Consumer<RemotingHttpUpgradeService> provided = builder.provides(upgradeServiceName);
    final Supplier<ChannelUpgradeHandler> upgradeRegistry = builder.requires(HTTP_UPGRADE_REGISTRY.append(httpConnectorName));
    final Supplier<ListenerRegistry> listenerRegistry = builder.requires(RemotingServices.HTTP_LISTENER_REGISTRY);
    final Supplier<Endpoint> endpoint = builder.requires(endpointName);

    Supplier<org.jboss.as.domain.management.SecurityRealm> realm = null;
    if (securityRealm != null) {
        realm = builder.requires(org.jboss.as.domain.management.SecurityRealm.ServiceUtil.createServiceName(securityRealm));
    }
    Supplier<SaslAuthenticationFactory> saslFactory = null;
    if (saslAuthenticationFactory != null) {
        ServiceName saslFactoryName = context.getCapabilityServiceName(SASL_AUTHENTICATION_FACTORY_CAPABILITY, saslAuthenticationFactory, SaslAuthenticationFactory.class);
        saslFactory = builder.requires(saslFactoryName);
    }

    RemotingHttpUpgradeService service = new RemotingHttpUpgradeService(provided, upgradeRegistry, listenerRegistry, endpoint,
            realm, saslFactory, httpConnectorName, endpointName.getSimpleName(), connectorPropertiesOptionMap);
    builder.setInstance(service);
    builder.setInitialMode(ServiceController.Mode.PASSIVE);
    builder.install();
}
 
Example #15
Source File: RealmsTestCase.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Smoke test: boots the subsystem from {@code realms-test.xml} and checks that the
 * {@code OAuth2Realm} service exists and has a non-null value. No token validation is exercised.
 *
 * @throws Exception if the subsystem cannot be booted or the service looked up
 */
@Test
public void testOAuth2Realm() throws Exception {
    KernelServices kernel = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource("realms-test.xml").build();
    if (!kernel.isSuccessfulBoot()) {
        Assert.fail(kernel.getBootError().toString());
    }

    ServiceName realmServiceName = Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY.getCapabilityServiceName("OAuth2Realm");
    Object realmValue = kernel.getContainer().getService(realmServiceName).getValue();
    SecurityRealm realm = (SecurityRealm) realmValue;
    Assert.assertNotNull(realm);
}
 
Example #16
Source File: RealmDefinitions.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Defines the {@code identity-realm} resource: a realm that contains exactly one identity,
 * given by the {@code identity} attribute, with an optional single attribute
 * ({@code attribute-name} / {@code attribute-values}).
 *
 * <p>The realm entry is created with an empty credential list, so the identity can be
 * resolved for authorization purposes but carries nothing a password guess could be verified
 * against. The attribute value list is wrapped as unmodifiable before it is exposed.
 *
 * @return the resource definition with its add handler
 */
static ResourceDefinition getIdentityRealmDefinition() {
    AbstractAddStepHandler addHandler = new TrivialAddHandler<SecurityRealm>(SecurityRealm.class, IDENTITY_REALM_ATTRIBUTES, SECURITY_REALM_RUNTIME_CAPABILITY) {

        @Override
        protected ValueSupplier<SecurityRealm> getValueSupplier(ServiceBuilder<SecurityRealm> serviceBuilder,
                OperationContext context, ModelNode model) throws OperationFailedException {
            // Resolve everything from the model now; the supplier below runs later, at service start.
            final String principalName = IDENTITY.resolveModelAttribute(context, model).asString();
            final String attributeKey = ATTRIBUTE_NAME.resolveModelAttribute(context, model).asStringOrNull();
            final List<String> values = ATTRIBUTE_VALUES.unwrap(context, model);

            return () -> {
                final Map<String, ? extends Collection<String>> attributes;
                if (attributeKey == null) {
                    attributes = Collections.emptyMap();
                } else {
                    attributes = Collections.singletonMap(attributeKey, Collections.unmodifiableList(values));
                }
                SimpleRealmEntry entry = new SimpleRealmEntry(Collections.emptyList(), new MapAttributes(attributes));
                SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
                realm.setPasswordMap(Collections.singletonMap(principalName, entry));
                return realm;
            };
        }
    };

    return new TrivialResourceDefinition(ElytronDescriptionConstants.IDENTITY_REALM, addHandler, IDENTITY_REALM_ATTRIBUTES, SECURITY_REALM_RUNTIME_CAPABILITY);
}
 
Example #17
Source File: JdbcRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Installs the JDBC realm service, registering one principal query per entry of the
 * {@code principal-query} attribute.
 *
 * <p>Each query's SQL text and attribute/key mappers are read from the management model
 * (administrator configuration read via {@code resolveModelAttribute}, not request data); its
 * data source is bound at service start through a capability dependency so the query is only
 * connected once the {@code DataSource} service is available. In {@code ADMIN_ONLY} mode the
 * service is installed {@code LAZY}, otherwise {@code ACTIVE}.
 *
 * @param context   the operation context
 * @param operation the add operation, from which the principal queries are resolved
 * @param model     the resource model (not read directly here)
 * @throws OperationFailedException if an attribute cannot be resolved
 */
@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model)
        throws OperationFailedException {
    ServiceTarget target = context.getServiceTarget();
    RuntimeCapability<Void> capability = SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(context.getCurrentAddressValue());
    ServiceName realmServiceName = capability.getCapabilityServiceName(SecurityRealm.class);
    ModelNode queries = PrincipalQueryAttributes.PRINCIPAL_QUERIES_7_0.resolveModelAttribute(context, operation);
    final JdbcSecurityRealmBuilder realmBuilder = JdbcSecurityRealm.builder();

    TrivialService<SecurityRealm> realmService = new TrivialService<SecurityRealm>(realmBuilder::build);
    ServiceBuilder<SecurityRealm> serviceBuilder = target.addService(realmServiceName, realmService);

    for (ModelNode queryNode : queries.asList()) {
        String sql = PrincipalQueryAttributes.SQL.resolveModelAttribute(context, queryNode).asString();
        QueryBuilder query = realmBuilder.principalQuery(sql);
        query.withMapper(resolveAttributeMappers(context, queryNode));
        query.withMapper(resolveKeyMappers(context, queryNode));

        String dataSourceName = PrincipalQueryAttributes.DATA_SOURCE.resolveModelAttribute(context, queryNode).asString();
        String dataSourceCapability = Capabilities.DATA_SOURCE_CAPABILITY_NAME + "." + dataSourceName;
        ServiceName dataSourceServiceName = context.getCapabilityServiceName(dataSourceCapability, DataSource.class);

        // The data source is only known at start time; bind it into the query then.
        Injector<DataSource> dataSourceInjector = new Injector<DataSource>() {

            @Override
            public void inject(DataSource value) throws InjectionException {
                query.from(value);
            }

            @Override
            public void uninject() {
                // no-op
            }
        };
        serviceBuilder.addDependency(dataSourceServiceName, DataSource.class, dataSourceInjector);
    }

    ServiceController.Mode initialMode = context.getRunningMode() == RunningMode.ADMIN_ONLY
            ? ServiceController.Mode.LAZY
            : ServiceController.Mode.ACTIVE;
    commonDependencies(serviceBuilder).setInitialMode(initialMode).install();
}
 
Example #18
Source File: LdapRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Wires the realm's directory context: declares a service dependency on the {@code dir-context}
 * capability and gives the realm builder a supplier that obtains a {@code DirContext} from the
 * injected {@code DirContextSupplier} on each call.
 *
 * @param context        the operation context
 * @param model          the resource model holding the {@code dir-context} attribute
 * @param realmBuilder   the LDAP realm builder to configure
 * @param serviceBuilder the realm service builder on which the dependency is declared
 * @throws OperationFailedException if the {@code dir-context} attribute cannot be resolved
 */
private void configureDirContext(OperationContext context, ModelNode model, LdapSecurityRealmBuilder realmBuilder, ServiceBuilder<SecurityRealm> serviceBuilder) throws OperationFailedException {
    final String dirContextName = DIR_CONTEXT.resolveModelAttribute(context, model).asStringOrNull();
    final String capabilityName = RuntimeCapability.buildDynamicCapabilityName(DIR_CONTEXT_CAPABILITY, dirContextName);
    final ServiceName dirContextService = context.getCapabilityServiceName(capabilityName, DirContextSupplier.class);

    final InjectedValue<DirContextSupplier> injected = new InjectedValue<>();
    serviceBuilder.addDependency(dirContextService, DirContextSupplier.class, injected);

    // Resolved lazily: the injected supplier is only available once the dependency has started.
    realmBuilder.setDirContextSupplier(() -> injected.getValue().get());
}
 
Example #19
Source File: CachingRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
/**
 * Runtime step of the clear-cache operation: evicts every cached identity from the caching
 * realm at the current address.
 *
 * <p>Intended for use after the backing realm's credentials or attributes change, so that
 * stale cached entries do not keep authenticating or authorizing a principal. The service value
 * is cast to {@code CachingSecurityRealm}; a realm of another type fails with a
 * {@code ClassCastException}.
 *
 * @param context   the operation context (service registry is obtained in modifying mode)
 * @param operation the operation (not read here)
 * @throws OperationFailedException if the realm service is not available
 */
@Override
protected void executeRuntimeStep(final OperationContext context, final ModelNode operation) throws OperationFailedException {
    final String realmAddressValue = context.getCurrentAddress().getLastElement().getValue();
    final RuntimeCapability<Void> capability = SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(realmAddressValue);
    final ServiceName realmServiceName = capability.getCapabilityServiceName();

    final ServiceRegistry registry = context.getServiceRegistry(true);
    final ServiceController<SecurityRealm> controller = getRequiredService(registry, realmServiceName, SecurityRealm.class);
    final CachingSecurityRealm cachingRealm = (CachingSecurityRealm) controller.getValue();
    cachingRealm.removeAllFromCache();
}
 
Example #20
Source File: CachingRealmDefinition.java (from wildfly-core, GNU Lesser General Public License v2.1)
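/**
 * Installs the caching realm service, wrapping the realm named by the {@code realm} attribute.
 *
 * <p>{@code maximum-age} is a {@code long} and is now read with {@code asLong()}; the previous
 * {@code asInt()} silently truncated values outside the {@code int} range before widening them,
 * which could shrink (or sign-flip) the configured cache age.
 *
 * @param context   the operation context
 * @param operation the add operation (not read here)
 * @param model     the resource model holding {@code realm}, {@code maximum-entries} and {@code maximum-age}
 * @throws OperationFailedException if an attribute cannot be resolved
 */
@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model)
        throws OperationFailedException {
    ServiceTarget serviceTarget = context.getServiceTarget();
    RuntimeCapability<Void> runtimeCapability = SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(context.getCurrentAddressValue());
    ServiceName realmName = runtimeCapability.getCapabilityServiceName(SecurityRealm.class);
    String cacheableRealm = REALM_NAME.resolveModelAttribute(context, model).asString();
    int maxEntries = MAXIMUM_ENTRIES.resolveModelAttribute(context, model).asInt();
    // Read as long directly; asInt() would truncate large configured ages.
    long maxAge = MAXIMUM_AGE.resolveModelAttribute(context, model).asLong();
    InjectedValue<SecurityRealm> cacheableRealmValue = new InjectedValue<>();
    ServiceBuilder<SecurityRealm> serviceBuilder = serviceTarget.addService(realmName, createService(cacheableRealm, maxEntries, maxAge, cacheableRealmValue));

    addRealmDependency(context, serviceBuilder, cacheableRealm, cacheableRealmValue);
    commonDependencies(serviceBuilder).setInitialMode(Mode.ACTIVE).install();
}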
 
Example #21
Source File: ElytronRecorder.java (from quarkus, Apache License 2.0)
/**
 * Create a {@linkplain SecurityDomain.Builder} for the given default {@linkplain SecurityRealm}.
 *
 * <p>The realm is registered under {@code realmName} and made the domain's default realm. Role
 * decoding is delegated, per call, to the CDI-managed {@code DefaultRoleDecoder}. The permission
 * mapper installed here grants every permission unconditionally ({@code implies} always returns
 * {@code true}), so any authorization decision must come from roles checked elsewhere rather than
 * from Elytron permission checks on this domain.
 *
 * @param realmName - the default realm name
 * @param realm - the default SecurityRealm
 * @return a runtime value for the SecurityDomain.Builder
 * @throws Exception on any error
 */
public RuntimeValue<SecurityDomain.Builder> configureDomainBuilder(String realmName, RuntimeValue<SecurityRealm> realm)
        throws Exception {
    log.debugf("buildDomain, realm=%s", realm.getValue());

    RoleDecoder cdiRoleDecoder = authorizationIdentity ->
            CDI.current().select(DefaultRoleDecoder.class).get().decodeRoles(authorizationIdentity);
    // Permissive mapper: a fresh verifier that accepts every Permission.
    PermissionMapper allowAll = (permissionMappable, roles) -> permission -> true;

    SecurityDomain.Builder domainBuilder = SecurityDomain.builder();
    domainBuilder.addRealm(realmName, realm.getValue())
            .setRoleDecoder(cdiRoleDecoder)
            .build();
    domainBuilder.setDefaultRealmName(realmName);
    domainBuilder.setPermissionMapper(allowAll);

    return new RuntimeValue<>(domainBuilder);
}
 
Example #22
Source File: ElytronPropertiesProcessor.java (from quarkus, Apache License 2.0)
/**
 * Check to see if an MPRealmConfig was specified and enabled and, if so, have the recorder
 * create a {@linkplain org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm}
 * runtime value and publish it as a {@code SecurityRealmBuildItem}.
 *
 * <p>Nothing is produced when the embedded realm is disabled.
 *
 * @param recorder - runtime security recorder
 * @param securityRealm - the producer factory for the SecurityRealmBuildItem
 * @throws Exception - on any failure
 */
@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
void configureMPRealmConfig(ElytronPropertiesFileRecorder recorder,
        BuildProducer<SecurityRealmBuildItem> securityRealm) throws Exception {
    MPRealmConfig realmConfig = propertiesConfig.embedded;
    if (!realmConfig.enabled) {
        return;
    }
    log.info("Configuring from MPRealmConfig");

    RuntimeValue<SecurityRealm> realm = recorder.createRealm(realmConfig);
    // loadRealm supplies the runtime step that populates the realm from the embedded config.
    SecurityRealmBuildItem item = new SecurityRealmBuildItem(realm, realmConfig.realmName,
            recorder.loadRealm(realm, realmConfig, runtimeConfig));
    securityRealm.produce(item);
}
 
Example #23
Source File: ElytronPropertiesFileRecorder.java (from quarkus, Apache License 2.0)
/**
 * Create a runtime value for a {@linkplain SimpleMapBackedSecurityRealm}.
 *
 * <p>The realm is created empty, with the identity name rewriter and the {@code PROVIDERS}
 * constant as its provider source; its identities are populated by a separate loading step.
 *
 * @param config - the realm config (only logged here)
 * @return - runtime value wrapper for the SecurityRealm
 */
public RuntimeValue<SecurityRealm> createRealm(MPRealmConfig config) {
    log.debugf("createRealm, config=%s", config);

    Supplier<Provider[]> providerSupplier = () -> PROVIDERS;
    SimpleMapBackedSecurityRealm mapRealm = new SimpleMapBackedSecurityRealm(NameRewriter.IDENTITY_REWRITER, providerSupplier);
    return new RuntimeValue<SecurityRealm>(mapRealm);
}
 
Example #24
Source File: ElytronSecurityLdapProcessor.java (from quarkus, Apache License 2.0)
/**
 * Check to see if a LdapRealmConfig was specified and enabled and, if so, create a
 * {@linkplain org.wildfly.security.auth.realm.ldap.LdapSecurityRealm} runtime value and publish
 * it as a {@code SecurityRealmBuildItem} (with no runtime loading step).
 *
 * @param recorder - runtime security recorder
 * @param securityRealm - the producer factory for the SecurityRealmBuildItem
 * @param beanContainerBuildItem - not read; declared only to order this step after ArC initialization
 * @throws Exception - on any failure
 */
@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
void configureLdapRealmAuthConfig(LdapRecorder recorder,
        BuildProducer<SecurityRealmBuildItem> securityRealm,
        BeanContainerBuildItem beanContainerBuildItem //we need this to make sure ArC is initialized
) throws Exception {
    if (!ldap.enabled) {
        return;
    }
    RuntimeValue<SecurityRealm> ldapRealm = recorder.createRealm(ldap);
    SecurityRealmBuildItem item = new SecurityRealmBuildItem(ldapRealm, ldap.realmName, null);
    securityRealm.produce(item);
}
 
Example #25
Source File: JdbcRecorder.java (from quarkus, Apache License 2.0)
/**
 * Create a runtime value for a {@linkplain JdbcSecurityRealm}.
 *
 * <p>The default principal query is registered first, then every named principal query in the
 * config's map order; {@code PROVIDERS} is used as the realm's provider source.
 *
 * @param config - the realm config
 * @return - runtime value wrapper for the SecurityRealm
 */
public RuntimeValue<SecurityRealm> createRealm(JdbcSecurityRealmConfig config) {
    Supplier<Provider[]> providerSupplier = () -> PROVIDERS;
    JdbcSecurityRealmBuilder realmBuilder = JdbcSecurityRealm.builder().setProviders(providerSupplier);

    PrincipalQueriesConfig queries = config.principalQueries;
    registerPrincipalQuery(queries.defaultPrincipalQuery, realmBuilder);
    // The map key (query name) is not needed for registration.
    for (PrincipalQueryConfig namedQuery : queries.namedPrincipalQueries.values()) {
        registerPrincipalQuery(namedQuery, realmBuilder);
    }
    return new RuntimeValue<>(realmBuilder.build());
}
 
Example #26
Source File: OAuth2DeploymentProcessor.java    From quarkus with Apache License 2.0
/**
 * Registers a TokenSecurityRealm and the OAuth2 authentication mechanism bean when the OAuth2
 * config is enabled.
 *
 * @param recorder - runtime OAuth2 security recorder
 * @param securityRealm - the producer factory for the SecurityRealmBuildItem
 * @return the unremovable {@code OAuth2AuthMechanism} bean item if the OAuth2 config is enabled,
 *         null otherwise
 * @throws Exception - on any failure
 */
@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
AdditionalBeanBuildItem configureOauth2RealmAuthConfig(OAuth2Recorder recorder,
        BuildProducer<SecurityRealmBuildItem> securityRealm) throws Exception {
    if (!oauth2.enabled) {
        return null;
    }
    RuntimeValue<SecurityRealm> tokenRealm = recorder.createRealm(oauth2);
    securityRealm.produce(new SecurityRealmBuildItem(tokenRealm, REALM_NAME, null));
    // Marked unremovable so the mechanism bean survives even when nothing injects it directly.
    return AdditionalBeanBuildItem.unremovableOf(OAuth2AuthMechanism.class);
}
 
Example #27
Source File: OAuth2Recorder.java    From quarkus with Apache License 2.0
/**
 * Builds a {@code TokenSecurityRealm} that validates bearer tokens against the configured OAuth2
 * introspection endpoint.
 *
 * <p>{@code client-id}, {@code client-secret} and {@code introspection-url} are all mandatory. A
 * custom SSL context is used only when {@code ca-cert-file} is set; otherwise the JVM default
 * {@link SSLContext} (and therefore the default trust store) is used for the introspection call.
 *
 * <p>NOTE(review): the introspection URL scheme is not checked here. If a plain {@code http://}
 * URL were configured, the client credentials would be sent to the introspection endpoint
 * unencrypted — consider rejecting non-HTTPS URLs at configuration time.
 *
 * @param config - the OAuth2 config
 * @return runtime value wrapping the token realm
 * @throws ConfigurationException if any mandatory property is absent
 * @throws IOException if the introspection URL cannot be converted to a URL, or from
 *         {@code createSSLContext}
 * @throws NoSuchAlgorithmException from {@link SSLContext#getDefault()} or {@code createSSLContext}
 * @throws CertificateException from {@code createSSLContext}
 * @throws KeyStoreException from {@code createSSLContext}
 * @throws KeyManagementException from {@code createSSLContext}
 */
public RuntimeValue<SecurityRealm> createRealm(OAuth2Config config)
        throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, KeyManagementException {
    boolean mandatoryPresent = config.clientId.isPresent()
            && config.clientSecret.isPresent()
            && config.introspectionUrl.isPresent();
    if (!mandatoryPresent) {
        throw new ConfigurationException(
                "client-id, client-secret and introspection-url must be configured when the oauth2 extension is enabled");
    }

    // Credentials and endpoint first (URL conversion may throw before any SSL work happens).
    OAuth2IntrospectValidator.Builder validatorBuilder = OAuth2IntrospectValidator.builder()
            .clientId(config.clientId.get())
            .clientSecret(config.clientSecret.get())
            .tokenIntrospectionUrl(URI.create(config.introspectionUrl.get()).toURL());

    // Custom trust material only when a CA cert file is configured; default JVM context otherwise.
    SSLContext sslContext = config.caCertFile.isPresent()
            ? createSSLContext(config)
            : SSLContext.getDefault();
    validatorBuilder.useSslContext(sslContext);

    TokenSecurityRealm tokenRealm = TokenSecurityRealm.builder()
            .validator(validatorBuilder.build())
            .claimToPrincipal(claims -> new ElytronOAuth2CallerPrincipal(attributesToMap(claims)))
            .build();

    return new RuntimeValue<>(tokenRealm);
}
 
Example #28
Source File: SecurityRealmBuildItem.java    From quarkus with Apache License 2.0
/**
 * Returns the runtime value wrapping the SecurityRealm carried by this build item.
 *
 * @return the realm runtime value
 */
public RuntimeValue<SecurityRealm> getRealm() {
    return this.realm;
}
 
Example #29
Source File: FileSystemRealmDefinition.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Installs the file-system security realm service for the current resource address.
 *
 * <p>The service is registered under the modifiable-realm capability name with the plain
 * security-realm capability name as an alias. The realm's root directory is resolved lazily in
 * the service's {@code get()} from {@code path} / {@code relative-to}; when {@code relative-to}
 * is set, a dependency on the path manager service is added so the base path can be resolved.
 *
 * <p>NOTE(review): {@code nameRewriterInjector} is never wired to a dependency in this method,
 * so {@code getOptionalValue()} yields null here unless something outside this method injects it;
 * in that case the identity rewriter is used.
 *
 * @param context the operation context
 * @param operation the operation being executed (not read here)
 * @param model the resource model the attributes are resolved from
 * @throws OperationFailedException if attribute resolution fails
 */
@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model)
        throws OperationFailedException {
    ServiceTarget target = context.getServiceTarget();

    String addressValue = context.getCurrentAddressValue();
    ServiceName primaryName = MODIFIABLE_SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(addressValue).getCapabilityServiceName();
    ServiceName aliasName = SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(addressValue).getCapabilityServiceName();

    // Attributes are resolved now (at operation time) and captured by the supplier below.
    final int levels = LEVELS.resolveModelAttribute(context, model).asInt();
    final boolean encoded = ENCODED.resolveModelAttribute(context, model).asBoolean();
    final String path = PATH.resolveModelAttribute(context, model).asString();
    final String relativeTo = RELATIVE_TO.resolveModelAttribute(context, model).asStringOrNull();

    final InjectedValue<PathManager> pathManagerInjector = new InjectedValue<>();
    final InjectedValue<NameRewriter> nameRewriterInjector = new InjectedValue<>();

    TrivialService.ValueSupplier<SecurityRealm> realmSupplier = new TrivialService.ValueSupplier<SecurityRealm>() {

        // Kept as state so dispose() can release it after the service stops.
        private PathResolver resolver;

        @Override
        public SecurityRealm get() throws StartException {
            resolver = pathResolver();
            Path rootPath = resolver.path(path)
                    .relativeTo(relativeTo, pathManagerInjector.getOptionalValue())
                    .resolve()
                    .toPath();

            NameRewriter injectedRewriter = nameRewriterInjector.getOptionalValue();
            NameRewriter rewriter = injectedRewriter == null
                    ? NameRewriter.IDENTITY_REWRITER
                    : injectedRewriter;
            return new FileSystemSecurityRealm(rootPath, rewriter, levels, encoded);
        }

        @Override
        public void dispose() {
            if (resolver != null) {
                resolver.clear();
                resolver = null;
            }
        }

    };
    TrivialService<SecurityRealm> realmService = new TrivialService<>(realmSupplier);

    ServiceBuilder<SecurityRealm> builder = target.addService(primaryName, realmService)
            .addAliases(aliasName);

    if (relativeTo != null) {
        builder.addDependency(PathManagerService.SERVICE_NAME, PathManager.class, pathManagerInjector);
        builder.requires(pathName(relativeTo));
    }
    builder.install();
}
 
Example #30
Source File: DomainService.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Returns the injector through which this service's SecurityRealm dependency is supplied.
 *
 * @return the security realm injector
 */
Injector<SecurityRealm> getSecurityRealmInjector() {
    return this.securityRealmInjector;
}