WildFly 中 security-realm 和 security-domain 的区别 [英] Difference between security-realm and security-domain in WildFly
问题描述
WildFly 中 security-domain 和 security-realm 的主要区别是什么?
What is the main difference between security-domain and security-realm in WildFly?
standalone.xml
<security-domain name="foo">
<authentication>
<login-module code="..." flag="...">
</login-module>
</authentication>
</security-domain>
和
<security-realm name="foo">
<authentication>
<local default-user="..." allowed-users="..."
skip-group-loading="..."/>
<properties path="..." relative-to="..."/>
</authentication>
<authorization>
<properties path="..." relative-to="..."/>
</authorization>
</security-realm>
推荐答案
已更新答案 (2018-06-08) 以反映 WildFly Elytron 命名.WildFly Elytron 是 WildFly 11(和 JBoss EAP 7.1)中引入的新安全子系统.两个安全子系统 - 遗留子系统和 Elytron - 都有安全域和安全领域的概念,但含义不同.
安全域主要用于定义已部署应用程序的安全性.安全域中的标准身份验证基于 JAAS javax.security.auth.spi.LoginModule 实现.应用程序可以提供自定义登录模块.
The Security Domains are used mainly for defining security of deployed applications.
The standard authentication in security domains is based on JAAS javax.security.auth.spi.LoginModule implementations. Application can come up with custom login module(s).
安全领域主要用于服务器管理接口和远程处理的配置安全.领域身份验证基于提供的 javax.security.auth.callback.CallbackHandler 实现.AFAIK 无法提供自己的 CallbackHandler 实现.
The Security Realms are used mainly for configuration security of server management interfaces and remoting.
The realm authentication is based on provided implementations of javax.security.auth.callback.CallbackHandler. AFAIK it's not possible to provide own CallbackHandler implementation.
安全域可以使用RealmDirect"登录模块将身份验证委托给安全领域.
A security domain can delegate authentication to a security realm by using the "RealmDirect" login module.
安全领域可以通过使用jaas"身份验证配置将身份验证委托给安全域
A security realm can delegate authentication to a security domain by using "jaas" authentication configuration
另请参阅 JBoss 安全开发人员 Darran Lofthouse 的此回复.
See also this response by JBoss security developer Darran Lofthouse.
安全领域封装了对用户存储库的访问(DB - jdbc-realm、LDAP - ldap-realm、属性文件 - properties-realm,...).与传统安全相比,它与 JAAS 登录模块处于相似的级别.提供了一个 API,因此可以实现自定义领域.
The Security Realms encapsulate access to user repositories (DB - jdbc-realm, LDAP - ldap-realm, property file - properties-realm, ...). Compared to legacy security it's on a similar level as JAAS Login Modules. An API is provided so custom realms can be implemented.
安全域表示使用安全领域进行身份验证的安全策略.安全域可用于管理安全以及应用程序安全.针对安全域的成功身份验证会生成一个 SecurityIdentity 代表当前用户.
The Security Domain represents a security policy which uses Security Realms for authentication. Security domains can be used in management security as well as in the application security. A successful authentication against a security domain produces a SecurityIdentity which represents the current user.
阅读Elytron 子系统一章在 JBoss EAP 文档中获取 Elytron 组件的更详细概述.
Read Elytron subsystem chapter in JBoss EAP documentation to get a more detailed overview of Elytron components.
要了解有关控制 Elytron 安全域中的身份验证流程的更多信息,请阅读 这篇文章来自 Darran Lofthouse.
To learn more about controlling authentication flow in Elytron security domains read this article from Darran Lofthouse.
如果您要从旧版安全迁移到 Elytron 安全性,您可以将旧版安全域公开为 Elytron 安全领域.在 Elytron 子系统中阅读有关此场景的更多信息 迁移指南
If you are migrating from Legacy to Elytron security, you can expose a Legacy Security Domain as an Elytron Security Realm. Read more about this scenario in the Elytron Subsystem Migration guide
这篇关于WildFly 中 security-realm 和 security-domain 的区别的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
