JBoss / WildFly
Red Hat / WildFlymiddleware3 credentials
Management User Password
jboss / management-user-password
JBoss/WildFly management interfaces use security realms or Elytron security domains for authentication. WildFly documentation describes management and application authentication mechanisms backed by users, passwords, and roles.
Looks like
pattern^[^#:\r\n]+=[0-9a-fA-F]{32,}$Location
mgmt-users.properties, application-users.properties, standalone.xml, domain.xmlmanagement/application user stores and security realm configuration
management console, management APIJBoss/WildFly management interfaces
deployment vaults, credential stores, Kubernetes Secrets, and configuration management secrets
committed standalone.xml/domain.xml, container images, and test configs
add-user output, startup logs, and authentication troubleshooting traces
Notes
Management passwords are created during setup with add-user tooling or provisioning and are not universal static defaults.
Application Realm User Password
jboss / application-user-password
JBoss security realms can authenticate inbound application connections using mechanisms such as BASIC, DIGEST, PLAIN, or client certificate. Realm-backed users and roles are often stored in application user files or Elytron stores.
Location
application-users.properties, application-roles.properties, standalone.xml, domain.xmlapplication realm users, role mappings, and Elytron security domain config
AuthorizationBASIC/DIGEST credentials for secured JBoss applications
credential stores, vaults, and orchestration secrets
app server configs, tests, and committed deployment descriptors
authentication traces and failed login logs
Notes
Application credentials can protect deployed applications, EJB remoting, JNDI, and management-adjacent services depending on configuration.
Elytron Credential Store / Keystore Secret
jboss / keystore-credential
WildFly Elytron supports credential storage, keystores, and passwords for TLS and authentication material. Elytron documentation covers credential stores, masked passwords, key stores, and security domains.
Looks like
pattern(?:credential-reference|keystore-password|key-store-password|password)\s*=\s*[^\r\n]+Location
standalone.xml, domain.xml, credential stores, keystoresElytron credential-store and key-store configuration
Elytron credential stores, Java keystores, Kubernetes Secrets, and deployment vaults
committed server configs and container build contexts
application server images containing credential stores or keystores
Notes
Credential store secrets may unlock stored database passwords, TLS private keys, LDAP bind credentials, or outbound connector credentials.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.