Difference between security-realm and security-domain in WildFly


Problem description

What is the main difference between security-domain and security-realm in WildFly?

standalone.xml

    <security-domain name="foo">
        <authentication>
            <login-module code="..." flag="...">
            </login-module>
        </authentication>
    </security-domain>

    <security-realm name="foo">
        <authentication>
            <local default-user="..." allowed-users="..." skip-group-loading="..."/>
            <properties path="..." relative-to="..."/>
        </authentication>
        <authorization>
            <properties path="..." relative-to="..."/>
        </authorization>
    </security-realm>

Recommended answer

Answer updated (2018-06-08) to reflect WildFly Elytron naming. WildFly Elytron is a new security subsystem introduced in WildFly 11 (and JBoss EAP 7.1). Both security subsystems (the legacy one and Elytron) have the concepts of security domain and security realm, but the meanings differ.

The Security Domains are used mainly for defining security of deployed applications. The standard authentication in security domains is based on JAAS javax.security.auth.spi.LoginModule implementations. Applications can come up with custom login module(s).

The Security Realms are used mainly for configuration security of server management interfaces and remoting. The realm authentication is based on provided implementations of javax.security.auth.callback.CallbackHandler. AFAIK it's not possible to provide your own CallbackHandler implementation.

A security domain can delegate authentication to a security realm by using the "RealmDirect" login module.

A security realm can delegate authentication to a security domain by using the "jaas" authentication configuration.

See also this response by JBoss security developer Darran Lofthouse.

The Security Realms encapsulate access to user repositories (DB - jdbc-realm, LDAP - ldap-realm, property file - properties-realm, ...). Compared to legacy security it's on a similar level as JAAS Login Modules. An API is provided so custom realms can be implemented.

The Security Domain represents a security policy which uses Security Realms for authentication. Security domains can be used in management security as well as in the application security. A successful authentication against a security domain produces a SecurityIdentity which represents the current user.

Read the Elytron subsystem chapter in the JBoss EAP documentation to get a more detailed overview of Elytron components.

To learn more about controlling authentication flow in Elytron security domains read this article from Darran Lofthouse.

If you are migrating from Legacy to Elytron security, you can expose a Legacy Security Domain as an Elytron Security Realm. Read more about this scenario in the Elytron Subsystem Migration guide
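
An added configuration example, not part of the original question or answer, showing the two legacy delegation directions named above and, for comparison, an Elytron realm wired into an Elytron domain. All names ("app-domain", "LegacyAppRealm", "mgmt-domain", "AppRealm", "AppDomain", the property file names) are constructed; `groups-to-roles` and `default-permission-mapper` are assumed to be defined as in WildFly's default Elytron configuration.

```xml
<!-- Legacy security subsystem: a security domain that delegates
     authentication to a security realm via the RealmDirect login module. -->
<security-domain name="app-domain" cache-type="default">
    <authentication>
        <login-module code="RealmDirect" flag="required">
            <!-- "realm" names the legacy security realm to delegate to -->
            <module-option name="realm" value="LegacyAppRealm"/>
        </login-module>
    </authentication>
</security-domain>

<!-- Legacy management section: a security realm that delegates
     authentication to a security domain via the jaas element. -->
<security-realm name="MgmtViaJaasRealm">
    <authentication>
        <!-- "name" is the legacy security domain whose login modules run -->
        <jaas name="mgmt-domain"/>
    </authentication>
</security-realm>

<!-- Elytron subsystem: the realm only wraps the identity store
     (here two property files) ... -->
<security-realms>
    <properties-realm name="AppRealm">
        <users-properties path="app-users.properties"
                          relative-to="jboss.server.config.dir"/>
        <groups-properties path="app-roles.properties"
                           relative-to="jboss.server.config.dir"/>
    </properties-realm>
</security-realms>

<!-- ... and the domain is the policy: which realms to consult, how
     attributes become roles, and which permissions the identity gets. -->
<security-domains>
    <security-domain name="AppDomain" default-realm="AppRealm"
                     permission-mapper="default-permission-mapper">
        <realm name="AppRealm" role-decoder="groups-to-roles"/>
    </security-domain>
</security-domains>
```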
