Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Using Elytron client default SSLcontext security provider in JBoss EAP clients

To make a Java Virtual Machine (JVM) use the Elytron client configuration to provide a default SSLcontext, you can use the WildFlyElytronClientDefaultSSLContextProvider. Use this provider to make your client libraries automatically use the Elytron client configuration when requesting the default SSLContext.

Elytron client provides a Java security provider, org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider, that you can use to register a Java virtual machine (JVM)-wide default SSL context.

The WildFlyElytronClientDefaultSSLContextProvider provider works as follows:

  • The provider instantiates the SSLContext when the SSLContext.getDefault() method is called. The SSLContext is initiated from the authentication context obtained from one of the following places:

    • Elytron client configuration file passed as an argument to the provider.

    • Automatically discovered wildfly-config.xml file on the filesystem. For more information, see The Default Configuration Approach.

      A client configuration file passed as an argument to the provider has the precedence.

  • When the SSLContext.getDefault() method is called, the JVM returns the SSLContext instantiated by the provider.

    As the Elytron client can have multiple SSL contexts configured, rules are used to choose a single SSL context for the connection. The default SSL Context is the one that matches all rules. The provider returns this default SSL context.

Note

If no default SSLContext is configured or no configuration is present, the provider will be ignored.

When you register the WildFlyElytronClientDefaultSSLContextProvider provider, all client libraries that use SSLContext.getDefault() method use the Elytron client configuration without having to use Elytron client APIs in their code.

To register the provider, you must add runtime dependency on the following artifacts:

  • wildfly-elytron-client
  • wildfly-client-config

You can register the provider either programmatically, in your client code, or statically in the java.security file. Use programmatic registration when you want to decide dynamically what providers to register and use.

Registering the provider programmatically

You can register the provider programmatically in your client code as shown below: 

Security.insertProviderAt(new WildFlyElytronClientDefaultSSLContextProvider(CONFIG_FILE_PATH), 1);
Copy to Clipboard Toggle word wrap

Registering the provider statically

You can register the provider in the java.security file as shown below: 

security.provider.1=org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider <CONFIG_FILE_PATH>
Copy to Clipboard Toggle word wrap

Additional resources

The following example demonstrates registering of the WildFlyElytronClientDefaultSSLContextProvider provider programmatically and using the SSLContext.getDefault() method to obtain the SSLContext initialized by an Elytron client. The example uses static client configuration supplied as an argument to the provider.

To create a client for applications deployed to JBoss EAP, create a Maven project with the required dependencies and the directory structure.

Prerequisites

Procedure

  1. Set up a Maven project by using the mvn command. The command creates the directory structure for the project and the pom.xml configuration file. 

    $ mvn archetype:generate \
-DgroupId=com.example.client \
-DartifactId=client-ssl-context \
-DarchetypeGroupId=org.apache.maven.archetypes \
-DarchetypeArtifactId=maven-archetype-quickstart \
-DinteractiveMode=false
    Copy to Clipboard Toggle word wrap

  2. Navigate to the application root directory. 

    $ cd client-ssl-context
    Copy to Clipboard Toggle word wrap

  3. Replace the content of the generated pom.xml file with the following text: 

    <?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.example.client</groupId>
  <artifactId>client-ssl-context</artifactId>
  <version>1.0-SNAPSHOT</version>

  <name>client-ssl-context</name>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>11</maven.compiler.source>
    <maven.compiler.target>11</maven.compiler.target>
  </properties>

  <repositories>
    <repository>
      <id>jboss-public-maven-repository</id>
      <name>JBoss Public Maven Repository</name>
      <url>https://repository.jboss.org/nexus/content/groups/public/</url>
      <releases>
        <enabled>true</enabled>
        <updatePolicy>never</updatePolicy>
      </releases>
      <snapshots>
        <enabled>true</enabled>
        <updatePolicy>never</updatePolicy>
      </snapshots>
      <layout>default</layout>
    </repository>
    <repository>
      <id>redhat-ga-maven-repository</id>
      <name>Red Hat GA Maven Repository</name>
      <url>https://maven.repository.redhat.com/ga/</url>
      <releases>
        <enabled>true</enabled>
        <updatePolicy>never</updatePolicy>
      </releases>
      <snapshots>
        <enabled>true</enabled>
        <updatePolicy>never</updatePolicy>
      </snapshots>
      <layout>default</layout>
    </repository>
  </repositories>

  <dependencies>
    <dependency>
    1 
    
      <groupId>org.wildfly.security</groupId>
      <artifactId>wildfly-elytron-client</artifactId>
      <version>2.0.0.Final-redhat-00001</version>
    </dependency>
    <dependency>
    2 
    
      <groupId>org.wildfly.client</groupId>
      <artifactId>wildfly-client-config</artifactId>
      <version>1.0.1.Final-redhat-00001</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>1.4.0</version>
        <configuration>
          <mainClass>com.example.client.App</mainClass>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
    Copy to Clipboard Toggle word wrap
    1
    Dependency for wildfly-elytron-client.
    2
    Dependency for wildfly-client-config.

  4. Delete the src/test directory. 

    $ rm -rf src/test/
    Copy to Clipboard Toggle word wrap

Verification

  • In the application root directory, enter the following command: 

    $ mvn install
    Copy to Clipboard Toggle word wrap

    You get an output similar to the following: 

    ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.682 s
[INFO] Finished at: 2023-10-31T01:32:17+05:30
[INFO] ------------------------------------------------------------------------
    Copy to Clipboard Toggle word wrap

Create a client for applications deployed to JBoss EAP that loads the SSLContext by using the SSLContext.getDefault() method.

In this procedure, <application_home> refers to the directory that contains the pom.xml configuration file for the application.

Prerequisites

Procedure

  1. Create a directory to store the Java files. 

    $ mkdir -p <application_home>/src/main/java/com/example/client
    Copy to Clipboard Toggle word wrap

  2. Navigate to the new directory. 

    $ cd <application_home>/src/main/java/com/example/client
    Copy to Clipboard Toggle word wrap

  3. Create the Java file App.java with the following content: 

    package com.example.client;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.net.http.HttpResponse.BodyHandlers;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider;

public class App  {

  public static void main( String[] args )  {
  String url = "https://localhost:8443/";
    1 
    
  try {
    Security.insertProviderAt(new WildFlyElytronClientDefaultSSLContextProvider("src/wildfly-config-two-way-tls.xml"), 1);
    2 
    
    HttpClient httpClient = HttpClient.newBuilder().sslContext(SSLContext.getDefault()).build();
    HttpRequest request = HttpRequest.newBuilder()
                .uri(URI.create(url))
                .GET()
                .build();
    HttpResponse<Void> httpRresponse = httpClient.send(request, BodyHandlers.discarding());
    String sslContext = SSLContext.getDefault().getProvider().getName();
    3 
    
    System.out.println ("\nSSL Default SSLContext is: " + sslContext);

  } catch (NoSuchAlgorithmException | IOException | InterruptedException e) {
      e.printStackTrace();
    }

  System.exit(0);
  }
}
    Copy to Clipboard Toggle word wrap
    1
    Defines the JBoss EAP home page URL.
    2
    Register the security provider. 1 defines the priority for this provider. To statically register the provider, you can instead add the provider in the java.security file as: security.provider.1=org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider <PATH>/<TO>/wildfly-config-two-way-tls.xml
    3
    Obtain the default SSL context.

  4. Create the client configuration file called "wildfly-config-two-way-tls.xml" in the <application_home>/src directory. 

    <?xml version="1.0" encoding="UTF-8"?>

<configuration>
    <authentication-client xmlns="urn:elytron:client:1.7">
        <key-stores>
            <key-store name="truststore" type="PKCS12">
                <file name="${path_to_client_truststore}/client.truststore.p12"/>
                <key-store-clear-password password="secret"/>
            </key-store>
            <key-store name="keystore" type="PKCS12">
                <file name="${path_to_client_keystore}/exampleclient.keystore.pkcs12"/>
                <key-store-clear-password password="secret"/>
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="client-context">
                <trust-store key-store-name="truststore"/>
                <key-store-ssl-certificate key-store-name="keystore" alias="exampleclientkeystore">
                    <key-store-clear-password password="secret"/>
                </key-store-ssl-certificate>
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <rule use-ssl-context="client-context"/>
        </ssl-context-rules>
    </authentication-client>
</configuration>
    Copy to Clipboard Toggle word wrap

    Replace the following place holder values with actual paths:

    • ${path_to_client_truststore}
    • ${path_to_client_keystore}

Verification

  1. Navigate to the <application_home> directory.

  2. Run the application. 

    $ mvn compile exec:java
    Copy to Clipboard Toggle word wrap

    Example output

    INFO: ELY00001: WildFly Elytron version 2.0.0.Final-redhat-00001

SSL Default SSLContext is: WildFlyElytronClientDefaultSSLContextProvider
    Copy to Clipboard Toggle word wrap

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top