[security-dev] PicketLink AS Subsystem
darran.lofthouse at jboss.com
Sat Feb 23 08:46:10 EST 2013
I would actually suggest getting some of the integration started for AS8
is something that we may want to be looking at sooner rather than later -
we have a number of items that still need to be addressed in AS and it
makes more sense to be addressing them with the long term solution based
on PicketLink IDM rather than some intermediate solution.

We are close to looking at if we can switch from the forked HTTP server
to Undertow for domain management, I am just currently working on
integrating this with the existing realms used for domain management.
After that starting to look at switching to PicketLink for IDM would
make a lot of sense. That would then allow us to start taking the SASL
libraries to the next step with better integration.

One thing we need to remember however is that it is more than just a
subsystem, with the migration to PicketLink IDM we need to avoid the
situation where we have different security solutions in different
locations. This means that we need PicketLink IDM to also be integrated
for domain management. We do have some options for standalone mode
regarding if we use the subsystem but within domain mode this needs to
be configurable on the hosts where it will be running in a non-AS process.

I will speak with Brian next week regarding some of this as this is a
special case where we will want to maximise consistency of configuration
between something defined in a subsystem and something defined within
the core configuration.

When defining the configuration for PicketLink I think we also need to
remember that the way this is going to be used is really with two
different target audiences. We are all already familiar with developers
using our projects but this also needs to be usable by administrators
who have an in-depth knowledge of their own infrastructure and
environment but limited knowledge of the internals of the application

I will start another thread for this but fairly closely related we need
an overall solution for SSL configuration, in some cases SSL is used
just to encrypt the traffic and in others it is used for authentication
- we need a unified solution across the application server and this will
also tie in with the IDM capabilities of PicketLink.

On 02/19/2013 11:13 AM, Bolesław Dawidowicz wrote:
> We are doing some prototyping with PicketBox and PicketLink 3. As part
> of this it makes sense for us to put it in a separate subsystem in AS7.
> There is existing PicketLink 2.x one here:
>
> From what I learned from Anil while it is on the roadmap PicketLink 3.x
> subsystem won't happen soon. I would like to discuss requirements for it
> as we may be able to contribute something - at least some initial work.
>
> I would also like to discuss how independent PicketLink service should
> be exposed and consumed in applications. Most natural way would be to
> provide both CDI integration and REST interface. Any thoughts on that?
>
> As part of our prototyping we would like to avoid investing time into
> something that would duplicate existing functionality or go against
> already agreed design.