Migrate to Wildfly 26.1.3.Final

[lbschanno]

Migrate Datawave to use Wildfly 26.1.3.Final. Additionally, migrate Datawave's security APIs to leverage Wildfly's Elytron security framework instead of Picketbox. Wildfly 26 was chosen due to being Java 17 compatible, but also compatible with Jakarta EE 8 to minimize migration concerns.

Structural Changes

• A number of commonly-used security classes were relocated to a new project: /commons/security (datawave-commons-security). This project is used by the Datawave webservices and microservices. An overview can be found in the datawave-commons-security README.

• The project /webservices/security was converted to a parent project and now has three sub-projects. An overview of the projects can be found in the datawave-ws-security-parent README.

  • datawave-ws-security
  • datawave-ws-security-elytron
  • datawave-ws-security-elytron-module

Migration from Picketbox to Elytron

Wildfly dropped support for Picketbox as of Wildfly 25. As a result, we are required to migrate our security solutions to leverage Elytron. The bulk of the new classes that replace the old Picketbox APIs live in webservices/security/datawave-ws-security-elytron-module, and the README there goes into detail about the custom Elytron components implemented there.

JBOSS/Wildfly Modules

Custom Elytron components are required to be deployed within separate Wildfly modules. This means they cannot be packaged with the Datawave EAR deployment. As a result, a number of libraries commonly used between the Datawave Elytron module and the Datawave EAR deployment also had to be moved to their own JBOSS modules to manage classloader conflicts. More details in the datawave-ws-deploy-application README.

Request Start and Login Time Headers

Wildfly does not expose methods in the HttpServerRequest for adding request headers like we previously could in the old DatawaveAuthenticationMechanism class. To add these headers now, a ServletExtension is now used to modify the incoming request before and after it hits the authentication handlers.

• datawave.security.servlet.HeaderEnrichmentServletExtension: This adds handlers to modify the incoming request.
• datawave.security.servlet.RequestStartTimeHeaderHandler: Adds the X-Internal-RequestStartTimeNanos header.
• datawave.security.servlet.RequestLoginTimeHeaderHandler: Adds the X-Internal-RequestLoginTimeMillis header.

DnUtils and ProxiedEntityUtils

The classes datawave.security.util.ProxiedEntityUtils, datawave.security.util.DnUtils, and datawave.microservice.security.util.DnUtils were combined into a single class: datawave.security.util.DnUtils in the datawave-commons-security project since they all referenced each other interchangeably.

Additionally, DnUtils was refactored to not require any external configuration. Instead, when loading a subject DN pattern and NPE OU list, it can be done with the class datawave.security.util.DnProperties, which can be created via a constructor, or a default instance can be loaded from a properties file/system properties, and supplied to the DNUtils methods as needed.

Additional changes of note:

The use of several classes needed to be replaced to be compatible with Jakarta EE 8:

Old Classes	Updated Classes
org.jboss.resteasy.util.Base64	org.apache.commons.net.util.Base64
org.jboss.resteasy.core.interception.PrematchContainerRequestContext	org.jboss.resteasy.core.interception.jaxrs.PrematchContainerRequestContext
org.jboss.resteasy.util.FindAnnotation	org.jboss.resteasy.spi.util.FindAnnotation
org.jboss.resteasy.core.interception.ContainerResponseContextImpl	org.jboss.resteasy.core.interception.jaxrs.ContainerResponseContextImpl
org.jboss.resteasy.core.interception.ResponseContainerRequestContext	org.jboss.resteasy.core.interception.jaxrs.ResponseContainerRequestContext

Several dependencies needed to be updated to be compatible with Jakarta EE 8 and Wildfly 26:

Old Dependencies	Updated Dependencies
org.jboss.resteasy:resteasy-jaxrs	org.jboss.resteasy:resteasy-core, org.jboss.resteasy:resteasy-core-spi
javax.enterprise:cdi-api	jakarta.enterprise:jakarta.enterprise-cdi
org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec	org.jboss.spec.javax.transaction:jboss-transaction-api_1.3_spec
org.jboss.arquillian.container:arquillian-weld-ee-embedded-1.1	org.jboss.arquillian.container:arquillian-weld-embedded
org.jboss.weld:weld-core	Deleted, unnecessary for tests

CI Workflow Notes

Deployed the following RC versions of certain dependencies to allow the microservices CI workflows to pass:

• gov.nsa.datawave.datawave-parent-7.40.0-3508-RC1
• gov.nsa.datawave.commons.datawave-commons-parent-7.40.0-3508-RC1
• gov.nsa.datawave.commons.datawave-commons-security-7.40.0-3508-RC1
• gov.nsa.datawave.microservice.datawave-microservice-parent-4.0.11-3508-RC1
• gov.nsa.datawave.microservice.datawave-microservice-service-parent-5.0.12-3508-RC1
• gov.nsa.datawave.microservice.datawave-authorization-api-4.0.3-3508-RC1
• gov.nsa.datawave.microservice.spring-boot-starter-datawave-4.0.8-3508-RC1
• gov.nsa.datawave.microservice.query-metric-service-4.1.11-3508-RC1

Closes #2747