Merge pull request #14584 from darranl/WFLY-15001_II

[WFLY-15001] Second stage of security realm removal from WildFly.

connector/pom.xml

@@ -57,6 +57,11 @@
             <groupId>${project.groupId}</groupId>
             <artifactId>wildfly-naming</artifactId>
         </dependency>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>wildfly-security-plugins</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>wildfly-transactions</artifactId>

docs/src/main/asciidoc/_galleon/Galleon_layers.adoc

@@ -484,10 +484,10 @@ Use link:#gal.web-server[web-server] for a servlet container with EE integration
 link:#gal.base-server[base-server] +
 link:#gal.io[io] +
 
-|[[gal.undertow-legacy-https]]undertow-legacy-https
-|Support for the Undertow HTTPS server secured using the legacy security ApplicationRealm.
+|[[gal.undertow-https]]undertow-https
+|Support for the Undertow HTTPS server secured using the applicationSSC SSLContext.
 |
-link:#gal.core-security-realms[core-security-realms] +
+link:#gal.elytron[elytron] +
 link:#gal.undertow[undertow] +
 
 |[[gal.undertow-load-balancer]]undertow-load-balancer

docs/src/main/asciidoc/_galleon/Galleon_provisioning.adoc

@@ -139,11 +139,11 @@ In order to exclude an optional layer prefix its name with '-', for example: '-j
 galleon.sh install wildfly:current --dir=my-wildfly-server --layers=cloud-server
 ----
 
-==== Installation of a cloud-server with support for https (using legacy core ApplicationRealm)
+==== Installation of a cloud-server with support for https 
 
 [source,options="nowrap"]
 ----
-galleon.sh install wildfly:current --dir=my-wildfly-server --layers=cloud-server,undertow-legacy-https
+galleon.sh install wildfly:current --dir=my-wildfly-server --layers=cloud-server,undertow-https
 ----
 
 ==== Installation of a cloud-server and Jakarta Enterprise Beans with ejb-dist-cache as an alternative to ejb-local-cache
@@ -177,11 +177,11 @@ galleon.sh install wildfly:current --dir=my-wildfly-server --layers=jaxrs,cdi,el
 galleon.sh install wildfly:current --dir=my-wildfly-server --layers=web-server,core-server
 ----
 
-==== Installation of a servlet container with support for https (using legacy core ApplicationRealm)
+==== Installation of a servlet container with support for https
 
 [source,options="nowrap"]
 ----
-galleon.sh install wildfly:current --dir=my-wildfly-server --layers=web-server,undertow-legacy-https
+galleon.sh install wildfly:current --dir=my-wildfly-server --layers=web-server,undertowhttps
 ----
 
 ==== Installation of a core server

ee-9/feature-pack/src/main/resources/configs/standalone/standalone-load-balancer.xml/config.xml

@@ -6,6 +6,4 @@
         <include name="logging"/>
         <include name="undertow-load-balancer"/>
     </layers>
-    <feature-group name="standalone-security-realms"/>
-    <feature-group name="management-legacy-security"/>
 </config>

ee-9/feature-pack/src/main/resources/configs/standalone/standalone-microprofile-ha.xml/config.xml

@@ -8,10 +8,10 @@
         <include name="microprofile-jwt"/>
         <include name="microprofile-openapi"/>
         <include name="microprofile-opentracing"/>
-        <include name="undertow-legacy-https"/>
-        <exclude name="management-security-realm"/>
         <exclude name="jpa"/>
         <include name="jpa-distributed"/>
         <include name="web-clustering"/>
     </layers>
+    <!-- TODO WFLY-15021 Add an undertow-https layer -->
+    <feature-group name="undertow-https"/>
 </config>

ee-9/feature-pack/src/main/resources/configs/standalone/standalone-microprofile.xml/config.xml

@@ -8,9 +8,9 @@
         <include name="microprofile-jwt"/>
         <include name="microprofile-openapi"/>
         <include name="microprofile-opentracing"/>
-        <include name="undertow-legacy-https"/>
-        <exclude name="management-security-realm"/>
     </layers>
+    <!-- TODO WFLY-15021 Add an undertow-https layer -->
+    <feature-group name="undertow-https"/>
     <!-- TODO WFLY-13150 encapsulate these in a layer -->
     <feature-group name="distributable-web-local"/>
     <feature-group name="infinispan-local-web"/>

ee-9/feature-pack/src/main/resources/feature_groups/basic-ha-profile.xml

@@ -3,7 +3,12 @@
 
     <feature-group name="unsecured-basic-ha-profile"/>
     <feature-group name="ejb3-elytron-security"/>
-    <feature-group name="undertow-legacy-security"/>
+
+    <feature-group name="application-http-basic"/>
+    <feature-group name="undertow-http-invoker"/>
+
+    <feature-group name="undertow-https"/>
+
     <feature-group name="undertow-elytron-security"/>
     <feature-group name="distributable-web"/>
 

ee-9/feature-pack/src/main/resources/feature_groups/basic-profile.xml

@@ -3,7 +3,12 @@
 
     <feature-group name="unsecured-basic-profile"/>
     <feature-group name="ejb3-elytron-security"/>
-    <feature-group name="undertow-legacy-security"/>
+
+    <feature-group name="application-http-basic"/>
+    <feature-group name="undertow-http-invoker"/>
+
+    <feature-group name="undertow-https"/>
+
     <feature-group name="undertow-elytron-security"/>
     <feature-group name="distributable-web-local"/>
 

ee-9/feature-pack/src/main/resources/feature_groups/management-interfaces.xml

@@ -1,5 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <feature-group-spec name="management-interfaces" xmlns="urn:jboss:galleon:feature-group:1.0">
+    <!-- TODO Temporarily override to switch security.  -->
     <feature-group name="management-unsecure-interfaces"/>
-    <feature-group name="management-legacy-security"/>
+
+    <feature spec="core-service.management.management-interface.http-interface">
+        <param name="socket-binding" value="management-http"/>
+        <param name="http-authentication-factory" value="management-http-authentication"/>
+        <feature spec="core-service.management.management-interface.http-interface.http-upgrade">
+            <param name="sasl-authentication-factory" value="management-sasl-authentication"/>
+        </feature>
+    </feature>
+
 </feature-group-spec>

ee-9/feature-pack/src/main/resources/feature_groups/standalone-ha.xml

@@ -17,7 +17,6 @@
         <feature-group name="ha-sockets"/>
     </feature>
 
-    <feature-group name="servlet-security-realms"/>
     <feature-group name="management-audit"/>
     <feature-group name="management-interfaces"/>
     <feature-group name="access-control"/>

ee-9/feature-pack/src/main/resources/feature_groups/standalone-minimalistic.xml

@@ -18,14 +18,11 @@
         </feature>
     </feature>
 
-    <feature-group name="servlet-security-realms">
-        <exclude feature-id="core-service.management.security-realm:security-realm=ApplicationRealm"/>
-        <exclude spec="core-service.management.security-realm.authorization.properties" />
-        <include feature-id="core-service.management.security-realm:core-service=management,security-realm=ManagementRealm">
-            <unset param="map-groups-to-roles"/>
-        </include>
-    </feature-group>
-
+    <!-- TODO like standalone-loadbalancer this will need the absolute minimum -->
+    <feature spec="subsystem.elytron" />
+    <feature-group name="elytron-common"/>
+    <feature-group name="standalone-elytron"/>
+    <feature spec="core-service.management" />
     <feature-group name="management-interfaces">
         <feature spec="core-service.management.management-interface.http-interface">
             <param name="console-enabled" value="false"/>

ee-9/feature-pack/src/main/resources/feature_groups/standalone.xml

@@ -14,7 +14,6 @@
         <feature-group name="standalone-sockets"/>
     </feature>
 
-    <feature-group name="servlet-security-realms"/>
     <feature-group name="management-audit"/>
     <feature-group name="management-interfaces"/>
     <feature-group name="access-control"/>

ee-feature-pack/common/src/main/resources/modules/system/layers/base/org/jboss/as/connector/main/module.xml

@@ -53,6 +53,7 @@
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.naming"/>
         <module name="org.jboss.as.server" />
+        <module name="org.jboss.as.security-plugins" />
         <module name="org.wildfly.security.elytron-private"/>
         <module name="org.jboss.as.core-security"/>
         <module name="org.jboss.as.ee" />

ee-feature-pack/common/src/main/resources/modules/system/layers/base/org/jboss/as/weld/main/module.xml

@@ -41,6 +41,7 @@
         <module name="org.jboss.weld.core" />
         <module name="org.jboss.weld.spi" />
         <module name="org.jboss.as.weld.spi" />
+        <module name="org.jboss.as.security-plugins" />
         <!-- Only needed if capability 'org.wildfly.legacy-security.server-security-manager' is present -->
         <module name="org.picketbox" optional="true"/>
         <module name="org.jboss.as.weld.common" />

ee-feature-pack/galleon-common/src/main/resources/feature_groups/remoting.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<feature-group-spec name="remoting" xmlns="urn:jboss:galleon:feature-group:1.0">
+    <!-- TODO Temporary fork to override use of security-realms. -->
+    <feature spec="subsystem.remoting">
+        <feature spec="subsystem.remoting.configuration.endpoint"/>
+        <feature spec="subsystem.remoting.http-connector">
+            <param name="http-connector" value="http-remoting-connector"/>
+            <param name="connector-ref" value="default"/>
+            <param name="sasl-authentication-factory" value="application-sasl-authentication"/>
+        </feature>
+    </feature>
+</feature-group-spec>

ee-feature-pack/galleon-content/src/main/resources/configs/standalone/standalone-load-balancer.xml/config.xml

@@ -2,9 +2,8 @@
 
 <config xmlns="urn:jboss:galleon:config:1.0" name="standalone-load-balancer.xml" model="standalone">
     <layers>
-        <include name="legacy-management"/>
+        <include name="management"/>
         <include name="logging"/>
         <include name="undertow-load-balancer"/>
     </layers>
-    <feature-group name="standalone-security-realms"/>
 </config>

ee-feature-pack/galleon-content/src/main/resources/feature_groups/basic-ha-profile.xml

@@ -2,7 +2,12 @@
 <feature-group-spec name="basic-ha-profile" xmlns="urn:jboss:galleon:feature-group:1.0">
 
     <feature-group name="unsecured-basic-ha-profile"/>
-    <feature-group name="undertow-legacy-security"/>
+
+    <feature-group name="application-http-basic"/>
+    <feature-group name="undertow-https"/>
+
+    <feature-group name="undertow-http-invoker"/>
+
     <feature-group name="picketbox-security"/>
     <feature-group name="distributable-web"/>
 

ee-feature-pack/galleon-content/src/main/resources/feature_groups/basic-profile.xml

@@ -2,7 +2,12 @@
 <feature-group-spec name="basic-profile" xmlns="urn:jboss:galleon:feature-group:1.0">
 
     <feature-group name="unsecured-basic-profile"/>
-    <feature-group name="undertow-legacy-security"/>
+
+    <feature-group name="application-http-basic"/>
+    <feature-group name="undertow-https"/>
+
+    <feature-group name="undertow-http-invoker"/>
+
     <feature-group name="picketbox-security"/>
     <feature-group name="distributable-web-local"/>
 

ee-feature-pack/galleon-content/src/main/resources/feature_groups/management-interfaces.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<feature-group-spec name="management-interfaces" xmlns="urn:jboss:galleon:feature-group:1.0">
+    <!-- TODO Temporarily override to switch security.  -->
+    <feature-group name="management-unsecure-interfaces"/>
+
+    <feature spec="core-service.management.management-interface.http-interface">
+        <param name="socket-binding" value="management-http"/>
+        <param name="http-authentication-factory" value="management-http-authentication"/>
+        <feature spec="core-service.management.management-interface.http-interface.http-upgrade">
+            <param name="sasl-authentication-factory" value="management-sasl-authentication"/>
+        </feature>
+    </feature>
+
+</feature-group-spec>

ee-feature-pack/galleon-content/src/main/resources/feature_groups/standalone-azure-ha.xml

@@ -18,8 +18,6 @@
         <feature-group name="ha-sockets"/>
     </feature>
 
-    <feature-group name="servlet-security-realms"/>
-
     <feature-group name="management-audit"/>
     <feature-group name="management-interfaces"/>
     <feature-group name="access-control"/>

ee-feature-pack/galleon-content/src/main/resources/feature_groups/standalone-ec2-ha.xml

@@ -18,7 +18,6 @@
         <feature-group name="ha-sockets"/>
     </feature>
 
-    <feature-group name="servlet-security-realms"/>
     <feature-group name="management-audit"/>
     <feature-group name="management-interfaces"/>
     <feature-group name="access-control"/>

ee-feature-pack/galleon-content/src/main/resources/feature_groups/standalone-ha.xml

@@ -17,7 +17,6 @@
         <feature-group name="ha-sockets"/>
     </feature>
 
-    <feature-group name="servlet-security-realms"/>
     <feature-group name="management-audit"/>
     <feature-group name="management-interfaces"/>
     <feature-group name="access-control"/>

ee-feature-pack/galleon-content/src/main/resources/feature_groups/standalone-minimalistic.xml

@@ -18,14 +18,11 @@
         </feature>
     </feature>
 
-    <feature-group name="servlet-security-realms">
-        <exclude feature-id="core-service.management.security-realm:security-realm=ApplicationRealm"/>
-        <exclude spec="core-service.management.security-realm.authorization.properties" />
-        <include feature-id="core-service.management.security-realm:core-service=management,security-realm=ManagementRealm">
-            <unset param="map-groups-to-roles"/>
-        </include>
-    </feature-group>
-
+    <!-- TODO like standalone-loadbalancer this will need the absolute minimum -->
+    <feature spec="subsystem.elytron" />
+    <feature-group name="elytron-common"/>
+    <feature-group name="standalone-elytron"/>
+    <feature spec="core-service.management" />
     <feature-group name="management-interfaces">
         <feature spec="core-service.management.management-interface.http-interface">
             <param name="console-enabled" value="false"/>

ee-feature-pack/galleon-content/src/main/resources/feature_groups/standalone.xml

@@ -14,7 +14,6 @@
         <feature-group name="standalone-sockets"/>
     </feature>
 
-    <feature-group name="servlet-security-realms"/>
     <feature-group name="management-audit"/>
     <feature-group name="management-interfaces"/>
     <feature-group name="access-control"/>

ee-feature-pack/galleon-feature-pack/pom.xml

@@ -98,11 +98,6 @@
                                     <artifactId>wildfly-core-feature-pack-galleon-common</artifactId>
                                     <type>zip</type>
                                 </artifactItem>
-                                <artifactItem>
-                                    <groupId>org.wildfly.core</groupId>
-                                    <artifactId>wildfly-core-feature-pack-galleon-pruned</artifactId>
-                                    <type>zip</type>
-                                </artifactItem>
                             </artifactItems>
                             <outputDirectory>${basedir}/target/resources</outputDirectory>
                         </configuration>
@@ -353,13 +348,6 @@
             <type>pom</type>
             <scope>provided</scope>
         </dependency>
-
-        <dependency>
-            <groupId>org.wildfly.core</groupId>
-            <artifactId>wildfly-core-feature-pack-galleon-pruned</artifactId>
-            <type>pom</type>
-            <scope>provided</scope>
-        </dependency>
 
         <dependency>
             <groupId>${ee.maven.groupId}</groupId>

ee/src/main/java/org/jboss/as/ee/logging/EeLogger.java

@@ -1204,4 +1204,7 @@ public interface EeLogger extends BasicLogger {
     @LogMessage(level = INFO)
     @Message(id = 130, value = "%s hung task %s not cancelled")
     void hungTaskNotCancelled(String executorName, String taskName);
+
+    @Message(id = 131, value = "The attribute %s is no longer supported.")
+    XMLStreamException attributeNoLongerSupported(final String attribute);
 }