What is the simplest way to add application users in a Thorntail WildFly server?

Question

As said in the title, is there a way to add application users in Thorntail WilFly server, much like you would do with \"add-user.sh -a\" script in the full server distribution?

Answer 1

It depends on for what you need the users? Thorntail creates standalone Microservices, which are different to hosted applications in a wildfly-server.

Is there are a management console in thorntail?

Yes there is, but I have never used it.

https://docs.thorntail.io/2.2.0.Final/#_management

https://docs.thorntail.io/2.2.0.Final/#_management_console

The users you maybe able to create there shouldn't be persistent, because there is no wildfly-server installation as you are used to with a standalone wildfly-server installation, it is all packaged in the jar. A Microservice shouldn't need to be configured after its deployment anymore, at least not like this.

How to secure my application?

I would recommend to use an external user management via keycloak, which is integrated in thorntail via the keycloak fraction. With the keycloak fraction you can define security constraints to your endpoints similar in a web.xml.

https://docs.thorntail.io/2.2.0.Final/#_keycloak

Another way is to use the security fraction which provides you JAAS support for your microservice.

https://docs.thorntail.io/2.2.0.Final/#_security

The configuration is done via the thorntail specific project-defaults.yml configuration file, where you can configure the fractions via YAML.

What is a thorntail fraction?

A thorntail fraction is similar to a spring boot start dependency with spring, whereby the fraction provides the API for the developement and bundles the implementation and integration into thorntail. The fraction actually is a jboss module which is packaged into the standalone Microservice during re-packaging phase.

Where can I find examples?

See the following links for examples how to use security in thorntail. You should take a look at them.

https://github.com/thorntail/thorntail-examples/tree/master/security

Take a look at the src/main/resources/projects-defaults.yml which contains the configuration for thorntail fractions and the pom.xml which defines the used fractions.

Answer 2

The answer by Thomas Herzog is very good from a conceptual point of view -- I'd especially agree with securing the application using an external Keycloak, potentially with the help of MicroProfile JWT. I'm just gonna provide a few points in case you decide not to.

You can define users directly in project-defaults.yml, like this:

thorntail:
  management:
    security-realms:
      ApplicationRealm:
        in-memory-authentication:
          users:
            bob:
              password: tacos!
        in-memory-authorization:
          users:
            bob:
              roles:
              - admin

The project-defaults.yml file doesn't have to be external to the app, you can build it directly into it. Typically, in your source code, the file will be located in src/main/resources, and after building, it will be embedded inside the -thorntail.jar. It can be external, of course, and if this is something else than a throwaway prototype or test, sensitive data like this should be external.

You can also use the .properties files from WildFly:

thorntail:
  management:
    security-realms:
      ApplicationRealm:
        properties-authentication:
          path: .../path/to/application-users.properties
        properties-authorization:
          path: .../path/to/application-roles.properties