WildFly standalone installation
| created on | July 12, 2022 |
| last modified on | May 1, 2023 |
basic preparations
- Download WildFly tgz or zip archive.
- unzip/untar into suitable directory
- cd into , which is the directory that has just been created by unpacking the wildfly tgz/zip archive.
- in , user and group ownership are set to for user and to for group. You might want to change the ownership to other values.
basic configuration
The standalone configuration file is
setting the ports
The ports for AJP, HTTP and HTTPS are initially set to the eight thousands range, resp. 8009, 8080 and 8443. I usally set those to the nine thousands range, resp. 6009, 6080, 6443. Same for the managements ports.
The ports are defined at the end of in the tag :
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:6009}"/>
<socket-binding name="http" port="${jboss.http.port:9080}"/>
<socket-binding name="https" port="${jboss.https.port:9443}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding>
</socket-binding-group>
starting the server
- run to start the WildFly server. After successful
startup, the last two lines of the output read:
19:13:09,118 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 19:13:09,118 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
- run , choose the preselected default Management User, enter username and password, confirm password. Leave the group list empty; answer the question if the user is used for AS process with no.
- you can now enter the HAL Management Console with that user, address is 127.0.0.1:9990.
switching from the simple security provider to RBAC
If you click on the Access Control tab in the HAL Management Console, you’ll see a notice that the WildFly is configured with a simple access control provided by the simple access provider:
The simple access provider grant any authenticated user full access. To have a more fine grained control, we are going to switch to RBAC. For a short intro about security providers and RBAC in WildFly, click here.
Fire up the WildFly CLI (command line interface) with and log in with as the user you created above.
Run the following four commands in the CLI to switch to RBAC:
- add a Role Administrator:
- add the user you just created to the role Administrator:
- add the user to the role SuperUser (the SuperUser role exists already in the simple security provider):
- reload the WildFly server:
The CLI session for the four commands looks like this:
rudolf@idoru:/opt/devel/srv/wildfly-26.1.3$ bin/jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] /core-service=management/access=authorization/role-mapping=Administrator:add
{"outcome" => "success"}
[standalone@localhost:9990 /] /core-service=management/access=authorization/role-mapping=Administrator/include=user-rudolf:add(name=rudolf,type=USER)
{"outcome" => "success"}
[standalone@localhost:9990 /] /core-service=management/access=authorization/role-mapping=SuperUser/include=user-rudolf:add(name=rudolf,type=USER)
{"outcome" => "success"}
[standalone@localhost:9990 /] /core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@localhost:9990 /] :reload
{
"outcome" => "success",
"result" => undefined
}
[standalone@localhost:9990 /]
The reload could have also been triggered in the HAL Management Console:
After the reload, you’ll see a notice explaining RBAC in short, followed by a warning about what has to be done in order to activate RBAC. That warning is irrelevant, as we already activated RBAC and can be safely ignored:
In the tab Access Control, click on Roles and SuperUser. You should be listed under the role SuperUser:
You can add yourself to other roles, i.e. the role Auditor. The SuperUser role alreasy includes all permissions for the role Auditor, but just for purpose of demonstration:
cleaning up the bin directory
On Linux, you can delete all and files (Windows batch and Powershell files) in