lolcreds

Public credential defaults and exposure patterns for authorized security testing.

JBoss / WildFly

Red Hat / WildFlymiddleware3 credentials

Credentials3 documented
01

Management User Password

jboss / management-user-password

JBoss/WildFly management interfaces use security realms or Elytron security domains for authentication. WildFly documentation describes management and application authentication mechanisms backed by users, passwords, and roles.

user definedsecretusername/password

Looks like

pattern
pattern

WildFly/JBoss properties-realm user password hash entry in mgmt-users.properties or application-users.properties

^[^#:\r\n]+=[0-9a-fA-F]{32,}$

Location

config file
mgmt-users.properties, application-users.properties, standalone.xml, domain.xml

management/application user stores and security realm configuration

public interface
management console, management API

JBoss/WildFly management interfaces

secret store

deployment vaults, credential stores, Kubernetes Secrets, and configuration management secrets

source code

committed standalone.xml/domain.xml, container images, and test configs

logs

add-user output, startup logs, and authentication troubleshooting traces

Notes

Management passwords are created during setup with add-user tooling or provisioning and are not universal static defaults.

02

Application Realm User Password

jboss / application-user-password

JBoss security realms can authenticate inbound application connections using mechanisms such as BASIC, DIGEST, PLAIN, or client certificate. Realm-backed users and roles are often stored in application user files or Elytron stores.

user definedsecretusername/password

Location

config file
application-users.properties, application-roles.properties, standalone.xml, domain.xml

application realm users, role mappings, and Elytron security domain config

http header
Authorization

BASIC/DIGEST credentials for secured JBoss applications

secret store

credential stores, vaults, and orchestration secrets

source code

app server configs, tests, and committed deployment descriptors

logs

authentication traces and failed login logs

Notes

Application credentials can protect deployed applications, EJB remoting, JNDI, and management-adjacent services depending on configuration.

03

Elytron Credential Store / Keystore Secret

jboss / keystore-credential

WildFly Elytron supports credential storage, keystores, and passwords for TLS and authentication material. Elytron documentation covers credential stores, masked passwords, key stores, and security domains.

user definedsecretsecret value

Looks like

pattern
pattern

JBoss/WildFly XML or CLI configuration containing credential references or keystore passwords

(?:credential-reference|keystore-password|key-store-password|password)\s*=\s*[^\r\n]+

Location

config file
standalone.xml, domain.xml, credential stores, keystores

Elytron credential-store and key-store configuration

secret store

Elytron credential stores, Java keystores, Kubernetes Secrets, and deployment vaults

source code

committed server configs and container build contexts

image

application server images containing credential stores or keystores

Notes

Credential store secrets may unlock stored database passwords, TLS private keys, LDAP bind credentials, or outbound connector credentials.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.