From rahul.mahindrakar at gmail.com Wed Jun 4 17:53:24 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Wed, 4 Jun 2014 23:53:24 +0200
Subject: [security-dev] Not able to get picketlink-authorization-acl sample working

Hi

I find that I am not able to get the picketlink-authorization-acl sample compiling.

It fails in the classes Article.java and Comment.java, as it fails to resolve the following annotation:

    @AllowedPermissions({ @AllowedPermission(operation = "update", mask = 1),
                          @AllowedPermission(operation = "delete", mask = 2) })

Any ideas?

Thanks
Rahul

From rahul.mahindrakar at gmail.com Wed Jun 4 19:13:39 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Thu, 5 Jun 2014 01:13:39 +0200
Subject: [security-dev] Permission and Role

Hi

I have not been able to grasp the difference between the usage of Role and permissions.

Can someone guide me in this direction?

Thanks
Rahul

From sbryzak at redhat.com Wed Jun 4 19:21:40 2014
From: sbryzak at redhat.com (Shane Bryzak)
Date: Thu, 05 Jun 2014 09:21:40 +1000
Subject: [security-dev] Not able to get picketlink-authorization-acl sample working
Message-ID: <538FAA04.1070704@redhat.com>

Hi Rahul,

I'll take a look at this today; there have been a few changes and we likely need to update the quickstart.

Shane

On 06/05/2014 07:53 AM, Rahul Mahindrakar wrote:
> Hi
>
> I find that I am not able to get picketlink-authorization-acl sample
> compiling.
>
> It fails in the class Article.java and Comment.java as it fails to
> resolve the following annotation
>
> @AllowedPermissions({ @AllowedPermission(operation = "update", mask = 1),
> @AllowedPermission(operation = "delete", mask = 2) })
>
> Any ideas
>
> Thanks
> Rahul
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

From rahul.mahindrakar at gmail.com Wed Jun 4 19:24:17 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Thu, 5 Jun 2014 01:24:17 +0200
Subject: [security-dev] Not able to get picketlink-authorization-acl sample working
In-Reply-To: <538FAA04.1070704@redhat.com>
References: <538FAA04.1070704@redhat.com>

Hi

Thanks a lot for the prompt reply.

Rahul

On 5 June 2014 01:21, Shane Bryzak wrote:
> Hi Rahul,
>
> I'll take a look at this today, there have been a few changes and we
> likely need to update the quickstart.
>
> Shane
>
> On 06/05/2014 07:53 AM, Rahul Mahindrakar wrote:
>
> Hi
>
> I find that I am not able to get picketlink-authorization-acl sample
> compiling.
>
> It fails in the class Article.java and Comment.java as it fails to
> resolve the following annotation
>
> @AllowedPermissions({ @AllowedPermission(operation = "update", mask = 1),
> @AllowedPermission(operation = "delete", mask = 2) })
>
> Any ideas
>
> Thanks
> Rahul

From sbryzak at redhat.com Wed Jun 4 19:29:46 2014
From: sbryzak at redhat.com (Shane Bryzak)
Date: Thu, 05 Jun 2014 09:29:46 +1000
Subject: [security-dev] Permission and Role
Message-ID: <538FABEA.5020806@redhat.com>

Hi Rahul,

They are fundamentally two very different things. A role is typically used to define a set of users for which specific privileges are to be assigned, while a permission is used to control access to application resources or services. A permission check can actually use the user's roles to determine whether the user has the necessary privilege to perform an action. Here's a couple of pseudo-code examples to make this a little clearer:

1. Restricting access to a method based on the user's role:

    @RolesAllowed("admin")
    public void doProtectedOperation() {
        ...
    }

2. Restricting access to a method to users with permission to cancel a specific "order":

    public void cancelOrder(@HasPermission("cancel") Order order) {
        ...
    }

Hope that helps!

Shane

On 06/05/2014 09:13 AM, Rahul Mahindrakar wrote:
> Hi
>
> I have not been able to have a grasp of the difference between the
> usage of Role and permissions.
>
> Can someone guide me in this direction
>
> Thanks
> Rahul

From rahul.mahindrakar at gmail.com Wed Jun 4 19:40:45 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Thu, 5 Jun 2014 01:40:45 +0200
Subject: [security-dev] Permission and Role
Message-ID: <538fae91.eb2c700a.63f7.4147@mx.google.com>

Is it possible to aggregate permissions under roles?

This makes it easier to grant roles to a user and thereby a large set of permissions.

-----Original Message-----
From: "Shane Bryzak"
Sent: 2014-06-05 01:29
To: "security-dev at lists.jboss.org"
Subject: Re: [security-dev] Permission and Role

Hi Rahul,

They are fundamentally two very different things. A role is typically used to define a set of users for which specific privileges are to be assigned, while a permission is used to control access to application resources or services. A permission check can actually use the user's roles to determine whether the user has the necessary privilege to perform an action. Here's a couple of pseudo-code examples to make this a little clearer:

1. Restricting access to a method based on the user's role:

    @RolesAllowed("admin")
    public void doProtectedOperation() {
        ...
    }

2. Restricting access to a method to users with permission to cancel a specific "order":

    public void cancelOrder(@HasPermission("cancel") Order order) {
        ...
    }

Hope that helps!

Shane

On 06/05/2014 09:13 AM, Rahul Mahindrakar wrote:

Hi

I have not been able to have a grasp of the difference between the usage of Role and permissions.
Can someone guide me in this direction

Thanks
Rahul

From sbryzak at redhat.com Wed Jun 4 19:46:13 2014
From: sbryzak at redhat.com (Shane Bryzak)
Date: Thu, 05 Jun 2014 09:46:13 +1000
Subject: [security-dev] Permission and Role
In-Reply-To: <538fae91.eb2c700a.63f7.4147@mx.google.com>
References: <538fae91.eb2c700a.63f7.4147@mx.google.com>
Message-ID: <538FAFC5.8000003@redhat.com>

Of course, that's totally up to you. The permission check SPI [1] is easily extensible and allows you to apply whichever business logic you like to determine whether the permission is granted or not.

[1]

    public interface PermissionVoter {

        public enum VotingResult { ALLOW, DENY, NOT_APPLICABLE }

        VotingResult hasPermission(IdentityType recipient, Object resource, String operation);

        VotingResult hasPermission(IdentityType recipient, Class resourceClass, Serializable identifier, String operation);
    }

On 06/05/2014 09:40 AM, Rahul Mahindrakar wrote:
> Is it possible to aggregate permissions under roles?
>
> This makes it easier to grant roles to a user and thereby a large set
> of permissions.
> ------------------------------------------------------------------------
> From: Shane Bryzak
> Sent: 2014-06-05 01:29
> To: security-dev at lists.jboss.org
> Subject: Re: [security-dev] Permission and Role
>
> Hi Rahul,
>
> They are fundamentally two very different things. A role is typically
> used to define a set of users for which specific privileges are to be
> assigned, while a permission is used to control access to application
> resources or services.
> A permission check can actually use the user's
> roles to determine whether the user has the necessary privilege to
> perform an action. Here's a couple of pseudo-code examples to make
> this a little clearer:
>
> 1. Restricting access to a method based on the user's role:
>
> @RolesAllowed("admin")
> public void doProtectedOperation() {
> ...
> }
>
> 2. Restricting access to a method to users with permission to cancel a
> specific "order":
>
> public void cancelOrder(@HasPermission("cancel") Order order) {
> ...
> }
>
> Hope that helps!
>
> Shane
>
> On 06/05/2014 09:13 AM, Rahul Mahindrakar wrote:
>> Hi
>>
>> I have not been able to have a grasp of the difference between the
>> usage of Role and permissions.
>>
>> Can someone guide me in this direction
>>
>> Thanks
>> Rahul

From rahul.mahindrakar at gmail.com Thu Jun 5 11:41:08 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Thu, 5 Jun 2014 17:41:08 +0200
Subject: [security-dev] Source in Eclipse

Hi

I have downloaded the source in Eclipse, and when I import the pom from the root folder as a Maven project I get the following problem:

    Could not get configured mojo for org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1:checkstyle {execution: check-style}
    Plugin org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1 or one of its dependencies could not be resolved: Failed to collect dependencies for org.apache.maven.plugins:maven-checkstyle-plugin:jar:2.12.1 ()

Any ideas?

Rahul
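Shane's two replies in the "Permission and Role" thread above leave the role-to-permission aggregation Rahul asked about to the PermissionVoter SPI. The following is an added example, not code from this thread or from PicketLink itself: a hypothetical voter that grants every (resource type, operation) pair mapped to a role, answers NOT_APPLICABLE for resource types it knows nothing about so other voters can decide them, and denies explicitly otherwise. It assumes the voter interface lives in org.picketlink.idm.permission.spi as in the 2.6 line, and the RoleSource lookup is a stand-in for the real IDM role query.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.picketlink.idm.model.IdentityType;
import org.picketlink.idm.permission.spi.PermissionVoter;   // assumed package (PicketLink 2.6)

/**
 * Hypothetical voter (not PicketLink code): permissions are aggregated under
 * roles, so granting a role to a user grants every (resource type, operation)
 * pair mapped to that role.
 */
public class RoleAggregatingVoter implements PermissionVoter {

    /** Assumed role lookup; in a real deployment this would wrap the IDM API. */
    public interface RoleSource {
        Set<String> rolesOf(IdentityType recipient);
    }

    private final RoleSource roleSource;
    // role name -> set of "resourceClassName:operation" keys the role grants
    private final Map<String, Set<String>> grants = new HashMap<String, Set<String>>();
    // resource types this voter has an opinion about; everything else is NOT_APPLICABLE
    private final Set<String> knownResourceTypes = new HashSet<String>();

    public RoleAggregatingVoter(RoleSource roleSource) {
        this.roleSource = roleSource;
    }

    /** Attach one or more operations on a resource type to a role. */
    public RoleAggregatingVoter grant(String role, Class<?> resourceClass, String... operations) {
        Set<String> keys = grants.get(role);
        if (keys == null) {
            keys = new HashSet<String>();
            grants.put(role, keys);
        }
        for (String operation : operations) {
            keys.add(key(resourceClass, operation));
        }
        knownResourceTypes.add(resourceClass.getName());
        return this;
    }

    private static String key(Class<?> resourceClass, String operation) {
        return resourceClass.getName() + ":" + operation;
    }

    @Override
    public VotingResult hasPermission(IdentityType recipient, Object resource, String operation) {
        if (resource == null) {
            return VotingResult.NOT_APPLICABLE;
        }
        // Role-based grants apply to the whole type, so the instance identifier does not matter here.
        return hasPermission(recipient, resource.getClass(), null, operation);
    }

    @Override
    public VotingResult hasPermission(IdentityType recipient, Class<?> resourceClass,
                                      Serializable identifier, String operation) {
        if (recipient == null || resourceClass == null || operation == null
                || !knownResourceTypes.contains(resourceClass.getName())) {
            return VotingResult.NOT_APPLICABLE;
        }
        String wanted = key(resourceClass, operation);
        Set<String> roles = roleSource.rolesOf(recipient);
        if (roles == null) {
            roles = Collections.<String>emptySet();
        }
        for (String role : roles) {
            Set<String> keys = grants.get(role);
            if (keys != null && keys.contains(wanted)) {
                return VotingResult.ALLOW;
            }
        }
        // Known resource type, but none of the recipient's roles grants the operation: deny.
        return VotingResult.DENY;
    }
}
```

Configured as `new RoleAggregatingVoter(source).grant("admin", Order.class, "cancel", "update")`, a user whose RoleSource returns "admin" gets ALLOW for a `cancel` check on any Order, a user with no such role gets DENY, and a check on an unrelated resource type gets NOT_APPLICABLE.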
From psilva at redhat.com Thu Jun 5 13:22:09 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 5 Jun 2014 13:22:09 -0400 (EDT)
Subject: [security-dev] Source in Eclipse
Message-ID: <212161166.17588139.1401988929606.JavaMail.zimbra@redhat.com>

Hi,

Is this a PicketLink project? If so, not sure what it can be. Maybe you can pastebin your pom.xml?

Regards.

----- Original Message -----
From: "Rahul Mahindrakar"
To: security-dev at lists.jboss.org
Sent: Thursday, June 5, 2014 12:41:08 PM
Subject: [security-dev] Source in Eclipse

Hi

I have downloaded the source in eclipse and when I import the pom from the root folder as a maven project I get the following problem

Could not get configured mojo for org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1:checkstyle {execution: check-style}
Plugin org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1 or one of its dependencies could not be resolved: Failed to collect dependencies for org.apache.maven.plugins:maven-checkstyle-plugin:jar:2.12.1 ()

Any ideas?

Rahul

From sbryzak at redhat.com Thu Jun 5 19:26:14 2014
From: sbryzak at redhat.com (Shane Bryzak)
Date: Fri, 06 Jun 2014 09:26:14 +1000
Subject: [security-dev] Source in Eclipse
Message-ID: <5390FC96.3090100@redhat.com>

Right-click on the problem in Eclipse, then click on Quick Fix. There should be an experimental option there to modify the Eclipse builders (or something like that) which should fix the problem.
On 06/06/2014 01:41 AM, Rahul Mahindrakar wrote:
> Hi
>
> I have downloaded the source in eclipse and when I import the pom from
> the root folder as a maven project I get the following problem
>
> Could not get configured mojo for
> org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1:checkstyle
> {execution: check-style}
> Plugin org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1 or one
> of its dependencies could not be resolved: Failed to collect
> dependencies for
> org.apache.maven.plugins:maven-checkstyle-plugin:jar:2.12.1 ()
>
> Any ideas?
>
> Rahul

From rahul.mahindrakar at gmail.com Fri Jun 6 15:13:19 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Fri, 6 Jun 2014 21:13:19 +0200
Subject: [security-dev] (no subject)

Hi

I am not able to find the RelationshipIdentity class as per the documentation:

--
The next step is to define which identities participate in the relationship. Once we create our identity property methods, we also need to annotate them with the org.picketlink.idm.model.annotation.RelationshipIdentity annotation. This is done by creating a property for each identity type.
--

Any ideas on how to create custom relationships?

Rahul
From rahul.mahindrakar at gmail.com Fri Jun 6 15:15:46 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Fri, 6 Jun 2014 21:15:46 +0200
Subject: [security-dev] (no subject)

Oops, got it in the test cases: CustomRelationshipTestCase

Thanks
Rahul

On 6 June 2014 21:13, Rahul Mahindrakar wrote:
> Hi
>
> I am not able to find the RelationshipIdentity class as per documentation
> --
>
> The next step is to define which identities participate in the
> relationship. Once we create our identity property methods, we also need to
> annotate them with the
> org.picketlink.idm.model.annotation.RelationshipIdentity annotation. This
> is done by creating a property for each identity type.
>
> --
>
> Any Ideas on how to create custom relationships?
>
> Rahul

From psilva at redhat.com Fri Jun 6 17:11:35 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 6 Jun 2014 17:11:35 -0400 (EDT)
Subject: [security-dev] (no subject)
Message-ID: <48429639.18245069.1402089095062.JavaMail.zimbra@redhat.com>

Hi Rahul,

The test suite is a useful source for some basic and also advanced usages of PL IDM. Next week, we're going to focus on docs and quickstarts, especially regarding custom IDM types.

Thanks.
----- Original Message -----
From: "Rahul Mahindrakar"
To: security-dev at lists.jboss.org
Sent: Friday, June 6, 2014 4:15:46 PM
Subject: Re: [security-dev] (no subject)

Oops, got it in the test cases: CustomRelationshipTestCase

Thanks
Rahul

On 6 June 2014 21:13, Rahul Mahindrakar < rahul.mahindrakar at gmail.com > wrote:

Hi

I am not able to find the RelationshipIdentity class as per documentation
--
The next step is to define which identities participate in the relationship. Once we create our identity property methods, we also need to annotate them with the org.picketlink.idm.model.annotation.RelationshipIdentity annotation. This is done by creating a property for each identity type.
--

Any Ideas on how to create custom relationships?

Rahul

From rahul.mahindrakar at gmail.com Wed Jun 11 07:22:15 2014
From: rahul.mahindrakar at gmail.com (Rahul Mahindrakar)
Date: Wed, 11 Jun 2014 13:22:15 +0200
Subject: [security-dev] Version to use

Hi

My colleagues over here seem to see PicketLink 3.0, for example over here:

http://in.relation.to/Bloggers/PicketLink30Alpha1Released

and are a bit confused about how the releases are being planned in the future.

I would like to get some idea of future releases and which release is to be used now.

Thanks
Rahul
From psilva at redhat.com Wed Jun 11 09:26:06 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 11 Jun 2014 09:26:06 -0400 (EDT)
Subject: [security-dev] Version to use
Message-ID: <275168211.20054063.1402493166013.JavaMail.zimbra@redhat.com>

Hi Rahul,

Here is a thread about why we renamed 3.x to 2.x, a long time ago:

https://community.jboss.org/message/818956#818956

The latest version is 2.6.0.CR4. Please follow the updates on our site:

http://picketlink.org/news/

Thanks.

----- Original Message -----
From: "Rahul Mahindrakar"
To: security-dev at lists.jboss.org
Sent: Wednesday, June 11, 2014 8:22:15 AM
Subject: [security-dev] Version to use

Hi

My colleagues over here seem to see PicketLink 3.0, for example over here:

http://in.relation.to/Bloggers/PicketLink30Alpha1Released

and are a bit confused about how the releases are being planned in the future.

I would like to get some idea of future releases and which release is to be used now.

Thanks
Rahul

From Anil.Saldhana at redhat.com Thu Jun 12 11:48:53 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Thu, 12 Jun 2014 10:48:53 -0500
Subject: [security-dev] Version to use
In-Reply-To: <275168211.20054063.1402493166013.JavaMail.zimbra@redhat.com>
References: <275168211.20054063.1402493166013.JavaMail.zimbra@redhat.com>
Message-ID: <5399CBE5.5060401@redhat.com>

Hi Rahul,

we do announce the latest news on the following *additional* channels:

* PicketLink user forums on jboss.org: https://community.jboss.org/thread/241823
* Twitter via @Picketlink
* Google Plus (PicketLink community)

Regards,
Anil

On 06/11/2014 08:26 AM, Pedro Igor Silva wrote:
> Hi Rahul,
>
> Here is a thread about why we renamed 3.x to 2.x, a long time ago.
>
> https://community.jboss.org/message/818956#818956
>
> The latest version is 2.6.0.CR4. Please follow the updates in our site.
>
> http://picketlink.org/news/
>
> Thanks.
>
> ----- Original Message -----
> From: "Rahul Mahindrakar"
> To: security-dev at lists.jboss.org
> Sent: Wednesday, June 11, 2014 8:22:15 AM
> Subject: [security-dev] Version to use
>
> Hi
>
> My colleagues over here seem to see PicketLink 3.0 for example over here
>
> http://in.relation.to/Bloggers/PicketLink30Alpha1Released
>
> and are a bit confused about how the releases are being planned in the future
>
> I would like to get some idea of future releases and which release is to be used now
>
> Thanks
> Rahul
>

From eric.wittmann at redhat.com Tue Jun 17 14:58:05 2014
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 17 Jun 2014 14:58:05 -0400
Subject: [security-dev] Problem with IDPFilter on Tomcat
Message-ID: <53A08FBD.20609@redhat.com>

Hey everyone.

We've run into the following issue when using the IDPFilter in Tomcat 7:

https://issues.jboss.org/browse/SRAMP-445

I added a comment with more information discovered after doing some debugging.

Not sure what I'm going to do about this yet, but if anyone has any ideas I'd be thrilled to hear them. :)

-Eric

From Anil.Saldhana at redhat.com Tue Jun 17 15:09:01 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Tue, 17 Jun 2014 14:09:01 -0500
Subject: [security-dev] Problem with IDPFilter on Tomcat
In-Reply-To: <53A08FBD.20609@redhat.com>
References: <53A08FBD.20609@redhat.com>
Message-ID: <53A0924D.204@redhat.com>

Eric,

best is to check a standard FORM-based authentication driven web app to reproduce this issue. Then the Tomcat folks can fix the bug.

Have you tried TC6 and TC8? So we can pinpoint this issue to TC7.

Regards,
Anil

On 06/17/2014 01:58 PM, Eric Wittmann wrote:
> Hey everyone.
>
> We've run into the following issue when using the IDPFilter in Tomcat 7:
>
> https://issues.jboss.org/browse/SRAMP-445
>
> I added a comment with more information discovered after doing some
> debugging.
>
> Not sure what I'm going to do about this yet, but if anyone has any
> ideas I'd be thrilled to hear them. :)
>
> -Eric

From Anil.Saldhana at redhat.com Wed Jun 18 12:31:21 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Wed, 18 Jun 2014 11:31:21 -0500
Subject: [security-dev] Apache Deltaspike is v1.0.0 now!
Message-ID: <53A1BED9.8010003@redhat.com>

http://deltaspike.apache.org/news.html#8th-release-100-14062014

Congrats to Pete Muir, Jason Porter, Shane Bryzak, Rafael Benevides and others.

From psilva at redhat.com Wed Jun 18 13:09:13 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jun 2014 13:09:13 -0400 (EDT)
Subject: [security-dev] Apache Deltaspike is v1.0.0 now!
In-Reply-To: <53A1BED9.8010003@redhat.com>
References: <53A1BED9.8010003@redhat.com>
Message-ID: <1176492868.437694.1403111353665.JavaMail.zimbra@redhat.com>

Awesome!

----- Original Message -----
From: "Anil Saldhana"
To: security-dev at lists.jboss.org
Sent: Wednesday, June 18, 2014 1:31:21 PM
Subject: [security-dev] Apache Deltaspike is v1.0.0 now!

http://deltaspike.apache.org/news.html#8th-release-100-14062014

Congrats to Pete Muir, Jason Porter, Shane Bryzak, Rafael Benevides and others.
From psilva at redhat.com Wed Jun 18 14:28:40 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jun 2014 14:28:40 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <621448559.467340.1403114921408.JavaMail.zimbra@redhat.com>
Message-ID: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com>

Hi,

We're looking to provide an API to easily enable Key and Certificate Management for PicketLink-based applications.

The idea is to turn a partition into a Certification Authority, responsible for issuing, validating, revoking and renewing certificates for the identity types (e.g. users, devices, etc.) associated with it.

In the future, we also want to provide:

- RESTful endpoints to perform not only certificate operations, but also manage keys, especially public keys. Probably using JSON Web Keys (JWK).
- Better support for HTML5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption, especially when using JWT and JOSE.
- Support for Java KeyStores to load and store keys.

So far we did something like:

    CertificateConfig config = new DefaultCertificateConfig();

    // set config with signature algo, cert sign algo, default validity, bit length, etc

    // create a CA based on an existing partition
    CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);

    User user = // get user

    CertificateRequest certRequest = new DefaultCertificateRequest(user, config);

    X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key

We're still working on it. But would like to check your feedback or opinions about requirements and use cases.

Regards.
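As an added illustration of the partition-as-CA idea sketched above (not Pedro's code and not a PicketLink API), here is a hypothetical CA class implementing the four operations his message lists, with Bouncy Castle (bcprov and bcpkix) assumed on the classpath; the caller supplies the identity's public key, where Pedro's sketch wraps that in a CertificateRequest, and the revocation list is kept in memory for the sake of the example.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Hypothetical partition-scoped CA (not PicketLink code). The partition name
 * becomes the issuer DN; issue/validate/revoke/renew are the four operations.
 */
public class PartitionCertificateAuthority {

    private final String partitionName;
    private final String signatureAlgorithm;
    private final long validityMillis;
    private final KeyPair caKeys;
    private final X509Certificate caCert;
    // In-memory revocation list; a real store would persist it or publish a CRL/OCSP.
    private final Set<BigInteger> revokedSerials = new HashSet<BigInteger>();
    private long nextSerial = 1;

    public PartitionCertificateAuthority(String partitionName, int keyBits, long validityDays)
            throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        this.partitionName = partitionName;
        this.signatureAlgorithm = "SHA256withRSA";
        this.validityMillis = TimeUnit.DAYS.toMillis(validityDays);
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(keyBits);
        this.caKeys = generator.generateKeyPair();
        // Self-signed root for this partition: subject == issuer, signed with the CA key.
        this.caCert = sign(issuerName(), caKeys.getPublic(), caKeys.getPrivate());
    }

    private X500Name issuerName() {
        return new X500Name("CN=" + partitionName + " CA");
    }

    private X509Certificate sign(X500Name subject, PublicKey subjectKey, PrivateKey signingKey)
            throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validityMillis);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuerName(), BigInteger.valueOf(nextSerial++), notBefore, notAfter, subject, subjectKey);
        ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(signingKey);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /** Issue: certify an identity's public key under this partition's CA. */
    public X509Certificate issue(String identityName, PublicKey identityKey) throws Exception {
        X500Name subject = new X500Name("CN=" + identityName + ",OU=" + partitionName);
        return sign(subject, identityKey, caKeys.getPrivate());
    }

    /** Validate: inside its validity window, signed by this CA, and not revoked. */
    public boolean validate(X509Certificate cert) {
        try {
            cert.checkValidity();
            cert.verify(caKeys.getPublic());
        } catch (Exception e) {
            return false;   // expired, not yet valid, or not signed by this partition's key
        }
        return cert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())
                && !revokedSerials.contains(cert.getSerialNumber());
    }

    /** Revoke: the serial number is the handle, so the same certificate never validates again. */
    public void revoke(X509Certificate cert) {
        revokedSerials.add(cert.getSerialNumber());
    }

    /** Renew: only a still-valid certificate may be renewed, and the old one is revoked. */
    public X509Certificate renew(X509Certificate old) throws Exception {
        if (!validate(old)) {
            throw new IllegalStateException("refusing to renew an invalid or revoked certificate");
        }
        X500Name subject = new X500Name(old.getSubjectX500Principal().getName());
        X509Certificate fresh = sign(subject, old.getPublicKey(), caKeys.getPrivate());
        revoke(old);
        return fresh;
    }
}
```

After `issue(...)`, `validate` returns true for the new certificate and false once `revoke` has been called on it; `renew` refuses a revoked certificate rather than silently re-certifying it.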
Pedro Igor

From mcirioli at redhat.com Wed Jun 18 14:32:25 2014
From: mcirioli at redhat.com (Mike Cirioli)
Date: Wed, 18 Jun 2014 14:32:25 -0400
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com>
Message-ID: <53A1DB39.7050708@redhat.com>

I could see this being useful to create a keystore management UI for PicketLink IdPs and SPs, possibly providing a path to self-service in some SP use cases?

-mike

On 06/18/2014 02:28 PM, Pedro Igor Silva wrote:
> Hi,
>
> We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications.
>
> The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it.
>
> In the future, we also want to provide:
>
> - RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK).
> - Better support for html5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption. Specially when using JWT and JOSE.
> - Support Java KeyStores to load and store keys.
>
> So far we did something like:
>
> CertificateConfig config = new DefaultCertificateConfig();
>
> // set config with signature algo, cert sign algo, default validity, bit length, etc
>
> // create a CA based on a existing partition
> CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);
>
> User user = // get user
>
> CertificateRequest certRequest = new DefaultCertificateRequest(user, config)
>
> X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key
>
> We're still working on it.
> But would like to check your feedback or opinions about requirements and use cases.
>
> Regards.
> Pedro Igor

From psilva at redhat.com Wed Jun 18 14:32:30 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jun 2014 14:32:30 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com>
Message-ID: <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com>

Sorry, there was an error in the example. This is the correct code:

    X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key

----- Original Message -----
From: "Pedro Igor Silva"
To: "security-dev >> \"security-dev"
Sent: Wednesday, June 18, 2014 3:28:40 PM
Subject: [security-dev] PicketLink and Certificate Management API

Hi,

We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications.

The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it.

In the future, we also want to provide:

- RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK).
- Better support for html5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption. Specially when using JWT and JOSE.
- Support Java KeyStores to load and store keys.
So far we did something like:

    CertificateConfig config = new DefaultCertificateConfig();

    // set config with signature algo, cert sign algo, default validity, bit length, etc

    // create a CA based on a existing partition
    CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);

    User user = // get user

    CertificateRequest certRequest = new DefaultCertificateRequest(user, config)

    X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key

We're still working on it. But would like to check your feedback or opinions about requirements and use cases.

Regards.
Pedro Igor

From psilva at redhat.com Wed Jun 18 14:35:09 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jun 2014 14:35:09 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com>
Message-ID: <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com>

Yeah, that is the idea too. Giriraj Sharma wants to help us in the future to provide a UI based on that.

----- Original Message -----
From: "Pedro Igor Silva"
To: "security-dev >> \"security-dev"
Sent: Wednesday, June 18, 2014 3:32:30 PM
Subject: Re: [security-dev] PicketLink and Certificate Management API

Sorry, there was an error in the example.
This is the correct code:

    X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key

----- Original Message -----
From: "Pedro Igor Silva"
To: "security-dev >> \"security-dev"
Sent: Wednesday, June 18, 2014 3:28:40 PM
Subject: [security-dev] PicketLink and Certificate Management API

Hi,

We're looking to provide a API to easily enable Key and Certificate Management to PicketLink-based applications.

The idea is turn a partition into a Certification Authority, responsible for issue, validate, revoke and renew certificates for the identity types (eg.: users, devices, etc) associated with it.

In the future, we also want to provide:

- RESTful Endpoints to perform not only certificate operations, but also manage keys. Specially public keys. Probably using JSON Web Keys (JWK).
- Better support for html5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption. Specially when using JWT and JOSE.
- Support Java KeyStores to load and store keys.

So far we did something like:

    CertificateConfig config = new DefaultCertificateConfig();

    // set config with signature algo, cert sign algo, default validity, bit length, etc

    // create a CA based on a existing partition
    CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);

    User user = // get user

    CertificateRequest certRequest = new DefaultCertificateRequest(user, config)

    X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key

We're still working on it. But would like to check your feedback or opinions about requirements and use cases.

Regards.
Pedro Igor

From Anil.Saldhana at redhat.com Tue Jun 24 10:33:44 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Tue, 24 Jun 2014 09:33:44 -0500
Subject: [security-dev] [Ann] PicketLink v2.6.0.Final has been released
In-Reply-To: <53A9166C.4050600@redhat.com>
References: <53A9166C.4050600@redhat.com>
Message-ID: <53A98C48.2000904@redhat.com>

Hi All,

the PicketLink team (http://picketlink.org/about/) is very pleased to announce the release of v2.6.0.Final.

The announcement is at: http://picketlink.org/news/2014/06/23/Release-2/

Getting Started Guide: http://picketlink.org/gettingstarted/

This release had a lot of input from our community members.

This release now uses the recently released Apache Deltaspike v1.0.0 (Thanks Pete Muir and gang) - PicketLink Security Annotations for Authorization use Deltaspike annotations.
http://docs.jboss.org/picketlink/2/latest/reference/html/chap-Authorization.html

Regards,
Anil

From eric.wittmann at redhat.com Tue Jun 24 14:52:25 2014
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 24 Jun 2014 14:52:25 -0400
Subject: [security-dev] SAML SSO with signatures error
Message-ID: <53A9C8E9.50502@redhat.com>

Hi guys.

I'm using the EAP IDP Valve with the SPFilter servlet filter running on EAP 6.3.0 to implement web SSO. It works fine without signatures, but now I'm trying to enable signatures on the IDP (meaning I want the IDP to sign the SAML response and I want the SPFilter to verify the sig).

I'm using picketlink 2.5.3.SP1 packaged into the SP WAR. I'm using whatever picketlink version comes with EAP 6.3 (2.5.3.SP5 I think).

I currently have two problems.
The first is that the SPFilter does this in the verifySignature() method:

    URL issuerURL;
    try {
        issuerURL = new URL(issuerID);
    } catch (MalformedURLException e1) {
        throw new IssuerNotTrustedException(e1);
    }

This code fails for me because the issuerID in the saml response is "/overlord-idp/". I haven't dug into this yet, but I imagine I need to tweak something on the IDP to get it to put a full issuer into the saml response.

I can get past that with the debugger (by modifying the issuerID value) but when I do I hit the following stack trace:

https://gist.github.com/EricWittmann/f05b65689367ba321fc8

The Signature in the saml response seems ok when I eyeball it. That stack trace is pretty opaque to me - does anyone have any insight into it?

-Eric

From psilva at redhat.com Tue Jun 24 16:41:43 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 24 Jun 2014 16:41:43 -0400 (EDT)
Subject: [security-dev] SAML SSO with signatures error
In-Reply-To: <53A9C8E9.50502@redhat.com>
References: <53A9C8E9.50502@redhat.com>
Message-ID: <105298937.2884360.1403642503839.JavaMail.zimbra@redhat.com>

Did you have the same behavior when using the SP Valve?
From eric.wittmann at redhat.com Tue Jun 24 17:57:08 2014
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 24 Jun 2014 17:57:08 -0400
Subject: [security-dev] SAML SSO with signatures error
In-Reply-To: <105298937.2884360.1403642503839.JavaMail.zimbra@redhat.com>
References: <53A9C8E9.50502@redhat.com> <105298937.2884360.1403642503839.JavaMail.zimbra@redhat.com>
Message-ID: <53A9F434.4090500@redhat.com>

We never enabled signatures when we were using the SP valve. If it's useful I could try switching from the SPFilter to the SP valve and giving that a try...

-Eric
From Anil.Saldhana at redhat.com Tue Jun 24 17:59:47 2014
From: Anil.Saldhana at redhat.com (Anil Saldhana)
Date: Tue, 24 Jun 2014 16:59:47 -0500
Subject: [security-dev] SAML SSO with signatures error
In-Reply-To: <53A9F434.4090500@redhat.com>
References: <53A9C8E9.50502@redhat.com> <105298937.2884360.1403642503839.JavaMail.zimbra@redhat.com> <53A9F434.4090500@redhat.com>
Message-ID: <53A9F4D3.4090905@redhat.com>

Eric,
  if you are on EAP/WildFly, it is better to use the deeper bindings on the SP side such as the valves or the authentication mechanisms.

I don't think we have spent a lot of time on keeping the SPFilter updated and tested well.
Pedro and I have been planning to take a look at it for some time now. :(

Regards,
Anil
From eric.wittmann at redhat.com Wed Jun 25 09:27:53 2014
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Wed, 25 Jun 2014 09:27:53 -0400
Subject: [security-dev] SAML SSO with signatures error
In-Reply-To: <53A9F4D3.4090905@redhat.com>
References: <53A9C8E9.50502@redhat.com> <105298937.2884360.1403642503839.JavaMail.zimbra@redhat.com> <53A9F434.4090500@redhat.com> <53A9F4D3.4090905@redhat.com>
Message-ID: <53AACE59.3080106@redhat.com>

Well, we are trying to support a variety of containers: EAP, Tomcat, Jetty, Fuse

I switched to the SPFilter in an attempt to make the configuration of our various container-specific WARs as similar as possible.

In any case - I have some updated information on this issue. First of all, I got it working in EAP by reverting back to the sp valve instead of the sp filter.

The SPFilter is failing here:

https://github.com/picketlink/picketlink/blob/master/modules/federation/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java#L594

It seems that you are right, Anil, and this code simply hasn't been tested/updated in a while. The problem is the "IDness" of the ID attribute (whatever that means). :) This was fixed in the SAML2SignatureValidationHandler with this commit:

https://github.com/picketlink/picketlink/commit/1b4f88c6f86fcc4a313618c270ce6737980e19d1

So I think the SPFilter would need to use a SAML2Signature to validate the signature rather than calling XMLSignatureUtil.validate directly. That said, I don't really understand why SPFilter is validating the signature at all, since there is a handler to do that. Perhaps that's just an artifact of an old impl.

Bottom line I think is that SPFilter may need some love. For us, I need something that will work in non-EAP containers like jetty and fuse. So I need to use the SPFilter I think. Which means I may need to make a local copy of it and fix the signature problem.
Finally (on an unrelated note) the picketlink.xml file allows the URLs to be configured via property interpolation (with a default) like so:

    ${overlord-idp.url::http://localhost:8080/overlord-idp/}

Is "overlord-idp.url" assumed to be a system property? Or is there some other place where that property should be defined?

-Eric
From psilva at redhat.com Wed Jun 25 09:33:48 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 25 Jun 2014 09:33:48 -0400 (EDT)
Subject: [security-dev] SAML SSO with signatures error
In-Reply-To: <53AACE59.3080106@redhat.com>
References: <53A9C8E9.50502@redhat.com> <105298937.2884360.1403642503839.JavaMail.zimbra@redhat.com> <53A9F434.4090500@redhat.com> <53A9F4D3.4090905@redhat.com> <53AACE59.3080106@redhat.com>
Message-ID: <1697286899.3124515.1403703228495.JavaMail.zimbra@redhat.com>

You're right Eric. Both SP and IdP filters need some love. We've discussed that before Final and the idea is to work on that for the next releases.

Regarding the property, it is a system property.
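The "IDness" problem Eric traces in the exchange above comes down to the verifier's DOM not knowing that the SAML ID attribute is an XML ID, so the signature's Reference URI ("#...") cannot be dereferenced. The stand-alone Java program below is an added example, not PicketLink code: it signs a constructed sample response with a freshly generated key that stands in for the IdP key, then validates it twice, without and with registering the ID attribute (class and method names are the example's own; the separate issuer-URL check from Eric's first problem is not covered).

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Shows why an enveloped SAML signature only validates once the verifier registers the ID attribute. */
public class SamlIdAttributeDemo {

    // Algorithm given by URI so this compiles on JDKs that predate SignatureMethod.RSA_SHA256
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample response (not a real IdP message); the signature Reference will point at its ID
    private static final String RESPONSE_XML =
          "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
        + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"ID_constructed_1\" Version=\"2.0\">"
        + "<saml:Issuer>http://localhost:8080/overlord-idp/</saml:Issuer></samlp:Response>";

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML DSig needs a namespace-aware DOM
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** IdP side: enveloped signature whose Reference URI is "#ID" of the root element. */
    static String signResponse(KeyPair idpKey) throws Exception {
        Document doc = parse(RESPONSE_XML);
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true); // the signer has to dereference "#ID_constructed_1" as well
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // No KeyInfo on purpose: the SP must verify with the IdP key it was configured with,
        // never with a key carried inside the message it is trying to authenticate
        fac.newXMLSignature(si, null).sign(new DOMSignContext(idpKey.getPrivate(), root));
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /**
     * SP side: re-parse and validate. A DOM built without a schema or DTD does not know that "ID" is
     * an ID-typed attribute, so "#ID_constructed_1" cannot be dereferenced unless the verifier says so
     * (registerId == true). That declaration is the "IDness" the thread refers to.
     */
    static boolean validate(String signedXml, PublicKey trustedIdpKey, boolean registerId) throws Exception {
        Document doc = parse(signedXml);
        if (registerId) {
            doc.getDocumentElement().setIdAttribute("ID", true);
        }
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(trustedIdpKey, sigs.item(0));
        try {
            return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
        } catch (XMLSignatureException e) {
            // Unresolvable Reference: the JDK reports it as an exception, not as a false return
            System.err.println("validation error: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair();
        String signed = signResponse(idpKey);
        System.out.println("ID not registered, valid: " + validate(signed, idpKey.getPublic(), false));
        System.out.println("ID registered, valid:     " + validate(signed, idpKey.getPublic(), true));
    }
}
```

Registering the attribute on the parsed DOM (Element.setIdAttribute, or DOMValidateContext.setIdAttributeNS) is what a verifier such as the SAML2SignatureValidationHandler commit referenced above has to do before XMLSignature.validate can resolve the Reference.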
From psilva at redhat.com Fri Jun 27 17:07:46 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 27 Jun 2014 17:07:46 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com>
Message-ID: <1812130519.4548483.1403903266641.JavaMail.zimbra@redhat.com>

After some initial work, I think we have an initial design. Still have some things to think about, especially regarding the configuration and storage.

Basically, what we have so far are two main components: CertificateAuthority and KeyAuthority. The first is about managing keys (eg.: RSA keys) for partition and identity types. The first one is about managing certificates using the keys for a particular type.

The first thing you should do is create a keypair for a specific type as follows:

    @Inject
    private KeyAuthority keyAuthority;

    public void createUser() {
        User user = // create user

        this.keyAuthority.generateKeys(user);
    }

PicketLink will generate some random keys by default.
We're trying to find the best way to support keystores or let users provide them manually.

Once you have the keys you can issue certificates like that:

    @Inject
    private CertificateAuthority certificateAuthority;

    public void issueCertificate(User user) {
        Certificate certificate = this.certificateAuthority.issue(user);

        // do something
    }

There are also some other methods like:

    Certificate certificate = this.certificateAuthority.retrieve("CN=john,O=JBoss");

    this.certificateAuthority.validate(certificate);
    this.certificateAuthority.revoke(certificate);
    this.certificateAuthority.isRevoked(certificate);

For keys, you can use the KeyAuthority to:

    KeyPair keyPair = this.keyAuthority.generateKeys(user);
    KeyPair keyPair = this.keyAuthority.getKeyPair(user);

If you want, you can use only key management. Useful if you just need to sign and encrypt things only.

----- Original Message -----
From: "Pedro Igor Silva"
To: "security-dev >> \"security-dev"
Sent: Wednesday, June 18, 2014 3:35:09 PM
Subject: Re: [security-dev] PicketLink and Certificate Management API

Yeah, that is the idea too. Giriraj Sharma wants to help us in the future to provide a UI based on that.

----- Original Message -----
From: "Pedro Igor Silva"
To: "security-dev >> \"security-dev"
Sent: Wednesday, June 18, 2014 3:32:30 PM
Subject: Re: [security-dev] PicketLink and Certificate Management API

Sorry, there was an error on the example. This is the correct code:

    X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key
From psilva at redhat.com Fri Jun 27 17:10:43 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 27 Jun 2014 17:10:43 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <1812130519.4548483.1403903266641.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com> <1812130519.4548483.1403903266641.JavaMail.zimbra@redhat.com>
Message-ID: <1428791405.4549544.1403903443919.JavaMail.zimbra@redhat.com>

Consider this one, please.

----- Original Message -----
From: "Pedro Igor Silva"
To: "security-dev >> \"security-dev"
Sent: Friday, June 27, 2014 6:07:46 PM
Subject: Re: [security-dev] PicketLink and Certificate Management API

After some initial work, I think we have an initial design. Still have some things to think about, especially regarding the configuration and storage.

Basically, what we have so far are two main components: KeyAuthority and CertificateAuthority. The first one is about managing keys (eg.: RSA keys) for partition and identity types. The second one is about managing certificates using the keys for a particular type.