WildFly Elytron

Planned Security Features for WildFly

Since the feature development phase for WildFly 21 has now started, we wanted to highlight the new security features that we will be working on.

Planned Features

Security Realm Enhancements

WFCORE-4485 Support for multiple security realms - Distributed Identities

  • This new feature will make it possible to use multiple security realms by sequentially invoking each of the configured realms until a realm that contains the identity is found. More details can be found here.

WFCORE-4486 Support for multiple security realms - Failover

  • If a security realm becomes unavailable for some reason, it will be possible to failover to an alternate realm. More details can be found here.
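The two multi-realm behaviours described above differ in what triggers a move to the next realm: distributed lookup moves on when a realm does not contain the identity, failover moves on when a realm is unavailable. The following Python model is an added illustration, not Elytron code; realm names, identities and the choice that a distributed lookup surfaces an outage rather than skipping the realm are constructed assumptions.

```python
# Added illustration (not Elytron code): models the two planned multi-realm
# behaviours. Realm names, identities and outage handling are constructed.

class RealmUnavailable(Exception):
    """Raised when a realm's backing store (e.g. a directory) is unreachable."""


class Realm:
    """Minimal stand-in for a security realm: a name, a set of known
    identities, and a flag that simulates an outage."""

    def __init__(self, name, identities, available=True):
        self.name = name
        self.identities = set(identities)
        self.available = available

    def get_identity(self, principal):
        if not self.available:
            raise RealmUnavailable(self.name)
        # None mirrors the "identity does not exist in this realm" outcome.
        return (self.name, principal) if principal in self.identities else None


def distributed_lookup(realms, principal):
    """WFCORE-4485 semantics: ask each realm in order and stop at the first
    that contains the principal. Assumption for this model: an outage is
    surfaced, not skipped, so a down realm is not mistaken for an unknown
    user (which would otherwise silently deny a legitimate login)."""
    for realm in realms:
        found = realm.get_identity(principal)
        if found is not None:
            return found
    return None


def failover_lookup(primary, alternate, principal):
    """WFCORE-4486 semantics: the alternate realm is consulted only when the
    primary is unavailable, never merely because the primary does not
    contain the identity."""
    try:
        return primary.get_identity(principal)
    except RealmUnavailable:
        return alternate.get_identity(principal)


# Constructed sample realms for trying the two strategies.
DIRECTORY = Realm("ldap", {"alice"})
LOCAL = Realm("properties", {"bob"})
DIRECTORY_DOWN = Realm("ldap", {"alice"}, available=False)
FALLBACK = Realm("fallback", {"alice", "bob"})
```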

Client Integration

ELY-1891 Revisit Rest integration with WildFly Elytron - AuthenticationClient for Authentication / SSL

  • This feature looks at security integration for RESTEasy clients. More information about this feature can be found here.

Expression Resolution

WFCORE-4360 Support expression resolution backed by a credential store

  • Currently, credential store references can be used anywhere in the model where a credential needs to be specified. This feature will make it possible to encrypt other attribute values stored in the management model. More details can be found here.

Additional Authentication Mechanisms

WFCORE-4484 Support SSH authentication for Git persistence

  • It will be possible to use SSH authentication via Elytron when using Git to manage and persist your WildFly configuration file. More details are available here.

WFCORE-4853 Support for HTTP External authentication mechanism

  • This feature adds support for the HTTP External authentication mechanism with Elytron, making it possible to authenticate a user based on credentials established externally. More details can be found here.

WEJBHTTP-43 Ability to use BEARER/JWT authentication when using EJB over HTTP

  • This feature looks at adding support for BEARER/JWT authentication for EJB invocations over HTTP. More details can be found here.

SSL/TLS Enhancements

WFCORE-4842 Add support for TLSv1.3 using the OpenSSL TLS provider

  • We recently added support for TLS 1.3 for WildFly when using the JSSE TLS provider with Elytron. This feature will also add support for TLS 1.3 when using the OpenSSL TLS provider with Elytron. More information can be found here.

ELY-1996 SSLContext to support delegation to alternate instances based on peer information

  • When an SSLEngine is requested, the peer host and port are known at the time the engine is created. This feature looks at using that information to dynamically select an alternative SSLContext configuration for that peer.

Summary

As usual, please keep in mind that this blog post is a summary of our general plans and not a guarantee that each of these features will be merged for WildFly 21. However, this blog post does give an indication of our team’s current priorities. If any of these features are a priority for you, please let us know. Please also let us know if there are any security features that are missing that you would like to see prioritized as we can take this kind of feedback into account for future releases.