Chapter 4. Using Elytron client default SSLcontext security provider in JBoss EAP clients
To make a Java Virtual Machine (JVM) use the Elytron client configuration to provide a default SSLcontext
, you can use the WildFlyElytronClientDefaultSSLContextProvider
. Use this provider to make your client libraries automatically use the Elytron client configuration when requesting the default SSLContext
.
4.1. Elytron client default SSL context security provider
Elytron client provides a Java security provider, org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider
, that you can use to register a Java virtual machine (JVM)-wide default SSL context.
The WildFlyElytronClientDefaultSSLContextProvider
provider works as follows:
The provider instantiates the
SSLContext
when theSSLContext.getDefault()
method is called. TheSSLContext
is initiated from the authentication context obtained from one of the following places:- Elytron client configuration file passed as an argument to the provider.
Automatically discovered
wildfly-config.xml
file on the filesystem. For more information, see The Default Configuration Approach.A client configuration file passed as an argument to the provider has the precedence.
When the
SSLContext.getDefault()
method is called, the JVM returns theSSLContext
instantiated by the provider.As the Elytron client can have multiple SSL contexts configured, rules are used to choose a single SSL context for the connection. The default SSL Context is the one that matches all rules. The provider returns this default SSL context.
If no default SSLContext
is configured or no configuration is present, the provider will be ignored.
When you register the WildFlyElytronClientDefaultSSLContextProvider
provider, all client libraries that use SSLContext.getDefault()
method use the Elytron client configuration without having to use Elytron client APIs in their code.
To register the provider, you must add runtime dependency on the following artifacts:
-
wildfly-elytron-client
-
wildfly-client-config
You can register the provider either programmatically, in your client code, or statically in the java.security
file. Use programmatic registration when you want to decide dynamically what providers to register and use.
Registering the provider programmatically
You can register the provider programmatically in your client code as shown below:
Security.insertProviderAt(new WildFlyElytronClientDefaultSSLContextProvider(CONFIG_FILE_PATH), 1);
Registering the provider statically
You can register the provider in the java.security
file as shown below:
security.provider.1=org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider <CONFIG_FILE_PATH>
Additional resources
4.2. Example of creating a client that loads the default SSL context
The following example demonstrates registering of the WildFlyElytronClientDefaultSSLContextProvider
provider programmatically and using the SSLContext.getDefault()
method to obtain the SSLContext initialized by an Elytron client. The example uses static client configuration supplied as an argument to the provider.
4.2.1. Creating a Maven project for JBoss EAP client
To create a client for applications deployed to JBoss EAP, create a Maven project with the required dependencies and the directory structure.
Prerequisites
- You have installed Maven. For more information, see Downloading Apache Maven.
Procedure
Set up a Maven project by using the
mvn
command. The command creates the directory structure for the project and thepom.xml
configuration file.$ mvn archetype:generate \ -DgroupId=com.example.client \ -DartifactId=client-ssl-context \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-quickstart \ -DinteractiveMode=false
Navigate to the application root directory.
$ cd client-ssl-context
Replace the content of the generated
pom.xml
file with the following text:<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.example.client</groupId> <artifactId>client-ssl-context</artifactId> <version>1.0-SNAPSHOT</version> <name>client-ssl-context</name> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.source>11</maven.compiler.source> <maven.compiler.target>11</maven.compiler.target> </properties> <repositories> <repository> <id>jboss-public-maven-repository</id> <name>JBoss Public Maven Repository</name> <url>https://repository.jboss.org/nexus/content/groups/public/</url> <releases> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </releases> <snapshots> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </snapshots> <layout>default</layout> </repository> <repository> <id>redhat-ga-maven-repository</id> <name>Red Hat GA Maven Repository</name> <url>https://maven.repository.redhat.com/ga/</url> <releases> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </releases> <snapshots> <enabled>true</enabled> <updatePolicy>never</updatePolicy> </snapshots> <layout>default</layout> </repository> </repositories> <dependencies> <dependency> 1 <groupId>org.wildfly.security</groupId> <artifactId>wildfly-elytron-client</artifactId> <version>2.0.0.Final-redhat-00001</version> </dependency> <dependency> 2 <groupId>org.wildfly.client</groupId> <artifactId>wildfly-client-config</artifactId> <version>1.0.1.Final-redhat-00001</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>exec-maven-plugin</artifactId> <version>1.4.0</version> <configuration> <mainClass>com.example.client.App</mainClass> </configuration> </plugin> </plugins> </build> </project>
Delete the
src/test
directory.$ rm -rf src/test/
Verification
In the application root directory, enter the following command:
$ mvn install
You get an output similar to the following:
... [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 1.682 s [INFO] Finished at: 2023-10-31T01:32:17+05:30 [INFO] ------------------------------------------------------------------------
4.2.2. Creating a client that loads the default SSLContext
Create a client for applications deployed to JBoss EAP that loads the SSLContext
by using the SSLContext.getDefault()
method.
In this procedure, <application_home> refers to the directory that contains the pom.xml
configuration file for the application.
Prerequisites
You have secured the applications deployed to JBoss EAP with two-way TLS.
To do this, follow these procedures:
You have created a Maven project.
For more information, see Creating a Maven project for JBoss EAP client.
- JBoss EAP is running.
Procedure
Create a directory to store the Java files.
$ mkdir -p <application_home>/src/main/java/com/example/client
Navigate to the new directory.
$ cd <application_home>/src/main/java/com/example/client
Create the Java file
App.java
with the following content:package com.example.client; import java.io.IOException; import java.net.URI; import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.net.http.HttpResponse.BodyHandlers; import java.security.NoSuchAlgorithmException; import java.security.Security; import java.util.Properties; import javax.net.ssl.SSLContext; import org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider; public class App { public static void main( String[] args ) { String url = "https://localhost:8443/"; 1 try { Security.insertProviderAt(new WildFlyElytronClientDefaultSSLContextProvider("src/wildfly-config-two-way-tls.xml"), 1); 2 HttpClient httpClient = HttpClient.newBuilder().sslContext(SSLContext.getDefault()).build(); HttpRequest request = HttpRequest.newBuilder() .uri(URI.create(url)) .GET() .build(); HttpResponse<Void> httpRresponse = httpClient.send(request, BodyHandlers.discarding()); String sslContext = SSLContext.getDefault().getProvider().getName(); 3 System.out.println ("\nSSL Default SSLContext is: " + sslContext); } catch (NoSuchAlgorithmException | IOException | InterruptedException e) { e.printStackTrace(); } System.exit(0); } }
- 1
- Defines the JBoss EAP home page URL.
- 2
- Register the security provider.
1
defines the priority for this provider. To statically register the provider, you can instead add the provider in thejava.security
file as:security.provider.1=org.wildfly.security.auth.client.WildFlyElytronClientDefaultSSLContextProvider <PATH>/<TO>/wildfly-config-two-way-tls.xml
- 3
- Obtain the default SSL context.
Create the client configuration file called "wildfly-config-two-way-tls.xml" in the
<application_home>/src
directory.<?xml version="1.0" encoding="UTF-8"?> <configuration> <authentication-client xmlns="urn:elytron:client:1.7"> <key-stores> <key-store name="truststore" type="PKCS12"> <file name="${path_to_client_truststore}/client.truststore.p12"/> <key-store-clear-password password="secret"/> </key-store> <key-store name="keystore" type="PKCS12"> <file name="${path_to_client_keystore}/exampleclient.keystore.pkcs12"/> <key-store-clear-password password="secret"/> </key-store> </key-stores> <ssl-contexts> <ssl-context name="client-context"> <trust-store key-store-name="truststore"/> <key-store-ssl-certificate key-store-name="keystore" alias="exampleclientkeystore"> <key-store-clear-password password="secret"/> </key-store-ssl-certificate> </ssl-context> </ssl-contexts> <ssl-context-rules> <rule use-ssl-context="client-context"/> </ssl-context-rules> </authentication-client> </configuration>
Replace the following place holder values with actual paths:
- ${path_to_client_truststore}
- ${path_to_client_keystore}
Verification
- Navigate to the <application_home> directory.
Run the application.
$ mvn compile exec:java
Example output
INFO: ELY00001: WildFly Elytron version 2.0.0.Final-redhat-00001 SSL Default SSLContext is: WildFlyElytronClientDefaultSSLContextProvider