[security-dev] PicketLink Usecase: SAML/GWT/REST Authentication

Bill Burke bburke at redhat.com
Wed Jun 26 16:42:45 EDT 2013

Resteasy has already implemented something like this, but not SAML based:


On 6/26/2013 2:45 PM, Eric Wittmann wrote:
> Everyone,
> I'll just add a few more details to (hopefully) help add context.
> We have multiple UI applications in the Overlord world, and we wanted
> them all to be secured using SSO.  PicketLink/SAML worked very well to
> accomplish this, and it was trivial to get all of the UI WARs protected.
> Once the GWT apps themselves are protected, the browser can make RPC
> calls to the originating context for free, and the servlets being
> invoked will have a JAAS authenticated user.
> The last piece is then making REST calls to some *other* web context on
> behalf of the JAAS user.  The REST services might be hosted in some
> other context on the same server or even on some other server.
> So the approach is to issue a SAML token that contains the principal and
> all its roles, then pass that in an HTTP header when invoking the remote
> REST services.  The REST services are protected by two login modules - a
> standard BASIC auth login module and another one that can consume a SAML
> token.
> There is a vital piece still missing, which is to actually sign the SAML
> token when sending, and verifying the signature when consuming.  If
> anyone would like to help with that it'd be super helpful!  :)
> Lastly - I'm certainly not a security expert, and am happy to be shown a
> better way to solve this use case going forward (note: we needed to use
> the version of picketlink that comes with EAP 6.1 - fwiw).
> -Eric
> On 06/26/2013 02:18 PM, Anil Saldhana wrote:
>> Hi All,
>>      this is a use case solved by Eric Wittman of Project Overlord using
>> PicketLink.
>> Final Solution in Eric's words:
>> Use-case is:  GWT UI app is protected by SAML SSO.  The UI makes GWT RPC
>> calls back to itself.  The UI RPC servlets (server-side) then make REST
>> calls to a set of REST services hosted in another web application, using
>> SAML tokens for authentication.
>> JIRA: https://issues.jboss.org/browse/DTGOV-11
>> Background:
>> Eric had gotten his GWT UI App to use SAML SSO using PicketLink. He was
>> looking for ways to now make calls from the GWT app to REST services on
>> RESTEasy without re-authentication.He needed to get this usecase working
>> with PicketLink and RESTEasy bundled in EAP6. During discussions and
>> future plan, it was decided to use OAuth for REST services and look at
>> SAML Bearer Token Profile for guidance.
>> Solution:
>> Since RESTEasy authentication can use JAAS authentication,  Eric wrote a
>> login module for SAML bearer tokens.
>> https://github.com/Governance/overlord-commons/blob/master/overlord-commons-auth/src/main/java/org/overlord/commons/auth/jboss7/SAMLBearerTokenLoginModule.java
>> I created a JIRA issue in PicketLink to migrate this login module:
>> https://issues.jboss.org/browse/PLINK-165
>> This login module will be available in PicketLink v2.5.0
>> https://github.com/anilsaldhana/picketlink-bindings/blob/0808a9916093af6095430447e6899172fe19e86a/picketlink-jbas-common/src/main/java/org/picketlink/trust/jbossws/jaas/SAMLBearerTokenLoginModule.java
>> I wanted to open a thread for discussion on this. I am unsure if other
>> projects have similar needs but this use case is pretty awesome to share
>> here.
>> Regards,
>> Anil
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list