Wildflystandalone.xml - 將秘密從 elytron 憑證儲存傳遞到 KeyCloak SPI

Question 1

我發現了兩種可能性：

重寫 SPI 以直接從 Java 中的 Elytron 憑證儲存檢索機密
預先設定環境變數 ( export SECRET="$(secret-getter-script)") 並在中使用該變數standalone.xml：

<spi name="mySpi">
    <provider name="file" enabled="true">
        <properties>
            <property name="password" value="${env.SECRET}"/>
        </properties>
    </provider>
</spi>

Answer

我發現了兩種可能性：

重寫 SPI 以直接從 Java 中的 Elytron 憑證儲存檢索機密
預先設定環境變數 ( export SECRET="$(secret-getter-script)") 並在中使用該變數standalone.xml：

<spi name="mySpi">
    <provider name="file" enabled="true">
        <properties>
            <property name="password" value="${env.SECRET}"/>
        </properties>
    </provider>
</spi>

Question 2

我必須重寫我們的 SPI 來讀取 Elytron 憑證儲存內容：

import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.msc.service.ServiceController;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.ServiceRegistry;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.interfaces.ClearPassword;

  private static String getClientSecret(String credentialStore, String secretAlias) {
    final ServiceName SERVICE_NAME_CRED_STORE = ServiceName.of("org", "wildfly", "security", "credential-store");
    final ServiceName sn = ServiceName.of(SERVICE_NAME_CRED_STORE, credentialStore);
    final ServiceRegistry registry = CurrentServiceContainer.getServiceContainer();
    final ServiceController<?> credStoreService = registry.getService(sn);
    final CredentialStore cs = (CredentialStore) credStoreService.getValue();
//    if (!cs.exists(secretAlias, PasswordCredential.class)) {
//      throw new CredentialStoreException("Alias " + secretAlias + " not found in credential store.");
//    }
    final Password password;
    try {
      password = cs.retrieve(secretAlias, PasswordCredential.class).getPassword();
    } catch (CredentialStoreException e) {
      e.printStackTrace();
      return null;
    }
    if (!(password instanceof ClearPassword)) {
      throw new ClassCastException("Password is not of type ClearPassword");
    }
    return new String(((ClearPassword) password).getPassword());
  }

Answer

我必須重寫我們的 SPI 來讀取 Elytron 憑證儲存內容：

import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.msc.service.ServiceController;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.ServiceRegistry;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.interfaces.ClearPassword;

  private static String getClientSecret(String credentialStore, String secretAlias) {
    final ServiceName SERVICE_NAME_CRED_STORE = ServiceName.of("org", "wildfly", "security", "credential-store");
    final ServiceName sn = ServiceName.of(SERVICE_NAME_CRED_STORE, credentialStore);
    final ServiceRegistry registry = CurrentServiceContainer.getServiceContainer();
    final ServiceController<?> credStoreService = registry.getService(sn);
    final CredentialStore cs = (CredentialStore) credStoreService.getValue();
//    if (!cs.exists(secretAlias, PasswordCredential.class)) {
//      throw new CredentialStoreException("Alias " + secretAlias + " not found in credential store.");
//    }
    final Password password;
    try {
      password = cs.retrieve(secretAlias, PasswordCredential.class).getPassword();
    } catch (CredentialStoreException e) {
      e.printStackTrace();
      return null;
    }
    if (!(password instanceof ClearPassword)) {
      throw new ClassCastException("Password is not of type ClearPassword");
    }
    return new String(((ClearPassword) password).getPassword());
  }

Wildflystandalone.xml - 將秘密從 elytron 憑證儲存傳遞到 KeyCloak SPI

答案1

答案2

相關內容