[security-dev] PicketLink IDM subsystem

Stian Thorgersen stian at redhat.com
Thu Mar 28 09:23:10 EDT 2013 

As part of our project we need a basic JBoss AS subsystem for PicketLink IDM. We hope to either contribute this to PicketLink, or to be able to replace it with an official subsystem once it's available. If there is any interest in what we've done so far, we would welcome feedback and/or help to complete it.

I thought this would be a good time to send this mail as we have something very basic working. It's available on github (https://github.com/stianst/eventjuggler-services/tree/idm). It's the Identity subsystem (identity/impl) that provides the PL IDM subsystem equivalent.

To enable the Identity subsystem a deployment adds a dependency on "org.eventjuggler.services.identity", this causes the deployment processors in the Identity subsystem to:

* Add a dependency on our PL 3 module
* Install CDI extensions that provides the beans from PL jars + a producer for EntityManager that uses an EntityManagerFactory created by the Identity service

This in return means that the deployment doesn't have to include PL jars or any PL configuration for the identity store.

We have an example application that uses this service. It uses only PL 3 api's for authentication/authorization. That's also available on github (https://github.com/stianst/eventjuggler/tree/idm/).

To try it out, first download JBoss EAP 6.1.0.Alpha, then run the following:

    git clone https://github.com/stianst/eventjuggler-services.git
    cd eventjuggler-services
    git checkout origin/idm -b idm
    mvn -Djboss.zip=<location of jboss-eap-6.1.0.Alpha.zip> install
    build/target/jboss-eap-6.1/bin/standalone.sh

If you also want to try the example application run the following:

    git clone https://github.com/stianst/eventjuggler.git
    cd eventjuggler
    git checkout origin/idm -b idm
    mvn clean install
    mvn -pl ear jboss-as:deploy

Now you should be able to open http://localhost:8080/eventjuggler-client and select register and login to check that authentication works.

We haven't put to much effort into exactly what we're doing as we wanted some feedback first. A few things that we've been thinking about includes:

* Split idm and core into separate subsystems + modules
* Allow configuring the identity store (jpa, ldap or file) through JBoss AS management
* Support multiple identity store configurations and a mechanism to select which to use for a specific deployment

More information about the security-dev mailing list