WildFly Elytron

New Security Features in WildFly 23

This blog post highlights the new security features that are in WildFly 23 and also gives an update on the new security features that the Elytron team has been working on.

New Features in WildFly 23

Encrypted Expression Support

WildFly 23 now adds support for encrypted expressions within the management model. For details on how to quickly get started with this new feature, check out this blog post.

Principal Propagation

In certain cases, the principal associated with an unsecured EJB can differ depending on whether Elytron or legacy security is in use. WildFly 23 makes it possible for users to decide which behaviour they would like to use. More information can be found in this blog post.

Support for MicroProfile JWT 1.2

The version of MicroProfile JWT supported by WildFly has been upgraded to version 1.2. More information about what’s new in MicroProfile JWT 1.2 can be found here.

In Progress Features

The Elytron team has also been working on many other new features during the WildFly 23 development phase. Although these features weren’t quite ready to be included in WildFly 23, we hope to include them in a future WildFly release. Here’s a quick update on these features.

SSL/TLS Enhancements

ELY-1996 SSLContext to support delegation to alternate instances based on peer information

  • This feature uses the host and port of the peer being connected to in order to dynamically select which SSL context to use. More information about how this new feature will be configured can be found in this blog post.

WFCORE-5120 Automatic registration of a client side / JVM wide default SSLContext

  • This feature will make it possible to register a JVM wide default SSL context for libraries that make use of Elytron client configuration. Additional information on the plans for this feature can be found here.

WFCORE-5170 Support for multiple certificate revocation lists

  • This feature will make it possible to configure multiple certificate revocation lists (e.g., for the case where more than one certificate authority is being used). An introduction to this feature can be found in this blog post.

WFCORE-5145 Elytron server-ssl-context allowed protocols

  • This enhancement allows an additional legacy protocol to be configured for SSL contexts to provide feature parity with legacy security. More information can be found in this blog post.

Security Realm Enhancements

WFCORE-5027 Security Realms should support specifying the charset and encoding for credentials

  • This feature will make it possible for security realms to store hashed passwords in hex format, in addition to Base64 format. It will also make it possible to configure the character set to use when processing a user’s password. An introduction to this new feature can be found in this blog post.
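To illustrate why both settings matter when a realm verifies a stored hash, here is an added example (not Elytron code, and not tied to its API) that digests a password under a configured charset, stores the digest as hex or Base64, and shows that a non-ASCII password hashed under a different charset no longer verifies. The sample password and the use of an unsalted SHA-256 digest are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed illustration: how a realm's configured charset and hash encoding
# feed into password verification. Not WildFly Elytron's own implementation.


def digest_password(password: str, charset: str, algorithm: str = "sha256") -> bytes:
    """Hash the password after encoding it with the realm's configured charset."""
    return hashlib.new(algorithm, password.encode(charset)).digest()


def encode_digest(digest: bytes, encoding: str) -> str:
    """Render a digest the way the realm stores it: 'hex' or 'base64'."""
    if encoding == "hex":
        return binascii.hexlify(digest).decode("ascii")
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported hash encoding: {encoding}")


def decode_digest(stored: str, encoding: str) -> bytes:
    """Inverse of encode_digest; raises on malformed input."""
    if encoding == "hex":
        return binascii.unhexlify(stored)
    if encoding == "base64":
        return base64.b64decode(stored, validate=True)
    raise ValueError(f"unsupported hash encoding: {encoding}")


def verify_password(candidate: str, stored: str, charset: str, encoding: str) -> bool:
    """Constant-time comparison of the candidate's digest against the stored one."""
    try:
        expected = decode_digest(stored, encoding)
    except (binascii.Error, ValueError):
        return False  # malformed stored value: treat as a failed login
    return hmac.compare_digest(digest_password(candidate, charset), expected)


if __name__ == "__main__":
    password = "pässwörd"  # constructed sample; non-ASCII makes the charset matter
    stored_hex = encode_digest(digest_password(password, "UTF-8"), "hex")
    stored_b64 = encode_digest(digest_password(password, "UTF-8"), "base64")
    print("hex ok:", verify_password(password, stored_hex, "UTF-8", "hex"))
    print("base64 ok:", verify_password(password, stored_b64, "UTF-8", "base64"))
    # The same password checked under a mismatched charset fails to verify.
    print("wrong charset:", verify_password(password, stored_hex, "ISO-8859-1", "hex"))
```

If a realm that previously stored Base64 hashes is switched to hex (or its charset is changed) without re-hashing the stored credentials, every login fails in exactly this way.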

OpenID Connect

WFLY-14017 Native support for OpenID Connect

  • WildFly currently provides the ability to secure deployments using OpenID Connect (OIDC) by installing a Keycloak client adapter. By adding native support for OpenID Connect to Elytron, the Keycloak client adapter will no longer be needed to secure applications deployed to WildFly using OIDC. More details can be found here.

Where to Find More Information

This blog post has given an overview of the new security features that are included in WildFly 23 and has also given an update on the new security features that are currently in progress. Be sure to check out our blog posts page, where we have all our blog posts on Elytron features. If there is an Elytron topic you’d like to see a blog post on, feel free to let us know on WildFly’s user forums.

To learn more about Elytron, check out our site.