[security-dev] My OAuth2, Central Authz, and Distributed SSO work

Bill Burke bburke at redhat.com
Mon Jan 7 18:14:02 EST 2013

A week or two so before Christmas, I decided to refocus my OAuth work so 
that I could support *existing* JBoss web applications.  I'm about a 
week or two away from releasing something.  I just need to do some final 
minor feature work, test it a little bit more, and write some documentation.

*NOTE* All this works with existing JBoss web applications and security 
domain infrastructure.


You can take any existing web app and turn it into an OAuth2 provider. 
Currently, it must be using servlet FORM authentication and a jboss 
security domain.  ALl that is required additionally is adding a valve to 
jboss-web.xml, generating a realm key pain in a keystore, and putting a 
small json configuration file in your WAR's classpath.  Once you've done 
this, your existing web app can generate access tokens and 
*additionally* do bearer token auth.  Client apps, just need to follow 
the OAuth2 client protocol to obtain their access tokens.  And do 
client-side OAuth2 bearer token authentication to access the web app.

* Turn any existing user/password/roles JBoss Security Domain into a 
remote, centralized, authentication and authorization server.  It is as 
simple as creating a small WAR that is FORM auth enabled, setting a 
particular jboss-web valve, and defining a simple json configuration file.
* Next, you can take any existing web app that uses FORM auth, and point 
it to this central server.  The plugin will do the correct browser 
redirects via OAuth2 protocol to the central server.  Identity and role 
mappings are transferred via the access token.
* This is authentication and authorization!  user auth and role mappings!
* It supports Distributed SSO.  Once you've logged into the central 
authentication server, you are logged into any application configured to 
accept authentication/authorization from the central server.
* It supports Distributed Log Out.  So, you can log out of all web 
* Central server has a small admin interface that allows admins to 
logout a specific user (or all users) on all secured web applications. 
You can also set up bearer token policies like: don't accept tokens 
created before a certain date.
* Bearer tokens are generated for each browser login.
* Tokens are propagated and can be access in business logic via a 
request attribute, or in JAX-RS land, the @Context annotation.  You can 
then use this token to access other HTTP-based services on your network. 
  This allows your web application to talk securely with a network of 
web services.

This all works by defining a simple OAuth2 Bearer token format and using 
OAuth2 protocols to obtain and distribute these tokens.  My format is a 
small extension to JSON Web Token that has role-mapping information.  It 
is signed and verified using PKI.

I have plans to extend this to work with BASIC and CLIENT_CERT servlet 
Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list