Wednesday, September 14, 2016

Introduction to Credential Store SPI in WildFly Elytron

WildFly Elytron is also the new home for the Credential Store API/SPI, originally introduced in PicketBox (known as the Vault API), which has been part of JBoss AS7/WildFly for some time now.
Since PicketBox will no longer be used in WildFly and Vault has gained more requirements, Vault is starting a new life under the WildFly Elytron project with a new name and API/SPI called Credential Store.
The initial introduction blog post about WildFly Elytron can be found here.

Introduction to Credential Store

Elytron's approach to the Credential Store is to let users create their own implementations of the SPI and integrate them easily into WildFly, while providing some out-of-the-box implementations that cover most of our users' requirements.

Elytron provides the SPI under the package org.wildfly.security.credential.store.
There you will find the abstract CredentialStoreSpi class, intended as the base class for any Credential Store provider.
Check its abstract methods if you are looking to create your own implementation.

Out-of-the-box implementations are located in the package org.wildfly.security.credential.store.impl. For those familiar with the options in PicketBox Vault, there are credential stores that supply the same features for Elytron:
  • CmdPasswordStore - a credential store that obtains a credential from the output of an executed program. It uses a comma as the parameter delimiter so it can handle more complicated use cases.
  • ExecPasswordStore - a credential store that obtains a credential from the output of an executed program.
  • MaskedPasswordStore - a credential store that obtains a credential from a masked password string using a PBE algorithm.
  • KeystorePasswordStore - a keystore-based ClearPassword password store, used as the default implementation of the Credential Store SPI in the Elytron security provider.

Basics of Credential Store SPI

The idea behind the credential store is that it can hold any kind of credential type implementing org.wildfly.security.credential.Credential under a given alias. One alias can refer to several different credential types.
It has an initialize method that supplies configuration parameters to the credential store, and a method to check whether initialize has already been called (isInitialized). Credential stores can be marked as modifiable, which helps when populating the credential store in the WildFly subsystem (using the CLI).
There is a set of methods to work with the credential/alias association (exists, store, retrieve, remove).
For better integration with tooling there is a getAliases method which returns all aliases stored in the credential store. Implementing it is not mandatory, but it helps tooling (and the user) work with such a store.
If you decide to create your own credential store provider, it is useful to look at the resolveMasterCredential method to add support for using a master credential from the new credential store.
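As an added illustration (not code from the Elytron project), here is a stand-alone in-memory store that follows the contract described above: initialize/isInitialized, a modifiable flag guarding store and remove, one alias holding more than one credential type, and getAliases for tooling. The Credential interface and the two credential records are placeholders for the real Elytron types, and the method signatures are assumptions mirroring the post's method names, not those of Elytron's CredentialStoreSpi.

```java
import java.util.*;

// Stand-in marker for org.wildfly.security.credential.Credential (assumed; not the Elytron type).
interface Credential {}
// Two constructed credential types so one alias can carry more than one kind.
record PasswordCredential(char[] password) implements Credential {}
record KeyCredential(byte[] key) implements Credential {}

// In-memory store following the contract sketched in the post (not Elytron's CredentialStoreSpi).
final class InMemoryCredentialStore {
    // alias -> (credential type -> credential): an alias may hold several credential types
    private final Map<String, Map<Class<? extends Credential>, Credential>> entries = new HashMap<>();
    private boolean initialized, modifiable;

    // initialize(): configuration arrives as attributes; only "modifiable" is read here
    public void initialize(Map<String, String> attributes) {
        modifiable = Boolean.parseBoolean(attributes.getOrDefault("modifiable", "false"));
        initialized = true;
    }
    public boolean isInitialized() { return initialized; }
    public boolean isModifiable() { return modifiable; }
    private void requireInitialized() { if (!initialized) throw new IllegalStateException("store not initialized"); }
    private void requireModifiable() { requireInitialized(); if (!modifiable) throw new UnsupportedOperationException("store is read-only"); }

    public boolean exists(String alias, Class<? extends Credential> type) {
        requireInitialized();
        Map<Class<? extends Credential>, Credential> byType = entries.get(alias);
        return byType != null && byType.containsKey(type);
    }
    public void store(String alias, Credential credential) {
        requireModifiable();  // read-only stores reject writes
        entries.computeIfAbsent(alias, a -> new HashMap<>()).put(credential.getClass(), credential);
    }
    public <C extends Credential> C retrieve(String alias, Class<C> type) {
        requireInitialized();
        Map<Class<? extends Credential>, Credential> byType = entries.get(alias);
        return byType == null ? null : type.cast(byType.get(type));
    }
    public boolean remove(String alias, Class<? extends Credential> type) {
        requireModifiable();
        Map<Class<? extends Credential>, Credential> byType = entries.get(alias);
        if (byType == null || byType.remove(type) == null) return false;
        if (byType.isEmpty()) entries.remove(alias);  // drop the alias once no credential type remains
        return true;
    }
    // getAliases(): optional in the SPI, but useful for tooling such as the CLI
    public Set<String> getAliases() {
        requireInitialized();
        return Collections.unmodifiableSet(new TreeSet<>(entries.keySet()));
    }
}
```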

Finally, credential stores are going to be managed through the WildFly CLI, so once the Elytron subsystem becomes part of WildFly Core you can give it a try.