From pskopek at redhat.com  Wed Nov 11 03:39:53 2015
From: pskopek at redhat.com (Peter Skopek)
Date: Wed, 11 Nov 2015 09:39:53 +0100
Subject: [security-dev] Inquiry on vulnerability found in PicketLink VN:
 JVN#33791982 / TN: JPCERT# 90204487
In-Reply-To: <23ea8081aaef104a5cfd7c429006035d@jpcert.or.jp>
References: <23ea8081aaef104a5cfd7c429006035d@jpcert.or.jp>
Message-ID: <CAM01paY1x8VXdVkFphDVKAR8+iReHWmX01uqZ1kPVv_m3+PvKA@mail.gmail.com>

Dear Mr. Tomotaka Ito,

check this [1] page, please. You can find all necessary information
including GPG key.
I believe inquiry should be sent to: secalert at redhat.com

In  case of any other problem contact me and I will try to help.

Yours sincerely,
Peter Skopek
MW Security Engineer


[1] https://access.redhat.com/security/team/contact/

On Wed, Nov 11, 2015 at 7:49 AM, JPCERT/CC <vuls at jpcert.or.jp> wrote:
> To whom it may concern,
>
> Hello.  This is Tomotaka Ito from JPCERT/CC Vulnerability
> Handling Team.  Please excuse the sudden contact.
>
> If you're not familiar with us or our activities, please
> check the following websites for more information.
>
>   https://www.jpcert.or.jp/english/
>   https://www.jpcert.or.jp/english/vh/project.html
>   https://www.ipa.go.jp/files/000044732.pdf
>   https://jvn.jp/en/
>
> We have received a report of a vulnerability found in the
> product "PicketLink" from a researcher/user here in Japan
> under the vulnerability handling framework called "Information
> Security Early Warning Partnership" and the official announcements
> #235 and #110 "Software Vulnerability Related Information Handling
> Measures" which were designed by Ministry of Economy, Trade and
> Industry (METI), a Japanese cabinet.
>
> From the websites
>   https://github.com/picketlink
>   https://github.com/orgs/picketlink/people
>   http://www.slideshare.net/JBUG_London/london-jbug-april-2014
>   http://lists.jboss.org/pipermail/security-dev/2012-October/000176.html
>
> we found these email addresses. We would like to coordinate with you
> to solve the reported vulnerability, and your cooperation would be
> greatly appreciated.
>
> Before we provide you the details of the reported vulnerability,
> we would like to know the appropriate point-of-contact person,
> or department/group/team to communicate in regards to this issue.
> It would be greatly appreciated if you could provide us the below
> information at your earliest convenience.
>
>  -Name of the persons/team who is in charge of such issues
> ?*Please assign at least 2 persons (primary and backup).
>    If you have a division/team to handle such issue,
>    please provide us a name of division/team.
>
>  -Email address
>   *Please provide us email addresses of the primary person
>    and backup person.
>    If you have a division/team, please provide us a group-mail
>    address.
>
>  -PGP key if available
>
> Once we receive your reply and point-of-contact information,
> we will then send you the original vulnerability report and the
> details either in a PGP encrypted message or in a password protected
> zip file.
>
> If you have any questions or concerns, please do not hesitate
> to contact us any time.
>
> Thank you in advance for your attention on this email.
> We would very much appreciate your prompt reply.
>
> Sincerely yours,
>
> Tomotaka Ito
> Vulnerability Handling Team
> Information Coordination Group
> ======================================================================
> JPCERT Coordination Center (JPCERT/CC)
> TEL: +81-3-3518-4600  FAX: +81-3-3518-4602  EMAIL: vuls at jpcert.or.jp
> PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29  63 89 52 D4 F8 8D 50 FC
> https://www.jpcert.or.jp/english/


From arthurshakal at gmail.com  Mon Nov 23 08:42:49 2015
From: arthurshakal at gmail.com (=?UTF-8?Q?Arthur_Greg=C3=B3rio?=)
Date: Mon, 23 Nov 2015 11:42:49 -0200
Subject: [security-dev] Picketlink 2.8.0
Message-ID: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>

Picketlink is dead?

The last commit in the project repo was in 9 july..

Is there a schedule for the new version or something like that?

at.,

*Arthur P. Greg?rio*
*+55 45 9958-0302 <%2B55%2045%209958-0302>*
@gregorioarthur
www.arthurgregorio.eti.br
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/a3e2cb97/attachment.html 

From sagneta at gmail.com  Mon Nov 23 08:47:47 2015
From: sagneta at gmail.com (Stephen Agneta)
Date: Mon, 23 Nov 2015 13:47:47 +0000
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
Message-ID: <CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>

It certainly appears that everything has moved to key-cloak but I am unsure
that keycloak is ready to take the burden of current Picketlink
implementations. Nor am I sure how the migration process would occur. The
abruptness of the change is a bit disconcerting. Having said that
Picketlink is working fine save for one defect that which I requested that
is on the git HEAD but not in any particular release.




On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <arthurshakal at gmail.com>
wrote:

> Picketlink is dead?
>
> The last commit in the project repo was in 9 july..
>
> Is there a schedule for the new version or something like that?
>
> at.,
>
> *Arthur P. Greg?rio*
> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
> @gregorioarthur
> www.arthurgregorio.eti.br
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/8bc43568/attachment.html 

From arthurshakal at gmail.com  Mon Nov 23 08:54:01 2015
From: arthurshakal at gmail.com (=?UTF-8?Q?Arthur_Greg=C3=B3rio?=)
Date: Mon, 23 Nov 2015 11:54:01 -0200
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
Message-ID: <CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>

And KC does not have the same purpose as the PL.

In short, I have no reason to migrate from one to the other, I use PL or go
back to Spring Security.

But it seems that there has not been any development in PL, at least in
recent months, in short, it seems that the project is dying and all that
were used for its own account.

And with bugs like this https://developer.jboss.org/thread/266387, it's not
cool to let the project stalled...


*Arthur P. Greg?rio*
*+55 45 9958-0302*
@gregorioarthur
www.arthurgregorio.eti.br

2015-11-23 11:47 GMT-02:00 Stephen Agneta <sagneta at gmail.com>:

>
> It certainly appears that everything has moved to key-cloak but I am
> unsure that keycloak is ready to take the burden of current Picketlink
> implementations. Nor am I sure how the migration process would occur. The
> abruptness of the change is a bit disconcerting. Having said that
> Picketlink is working fine save for one defect that which I requested that
> is on the git HEAD but not in any particular release.
>
>
>
>
> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <arthurshakal at gmail.com>
> wrote:
>
>> Picketlink is dead?
>>
>> The last commit in the project repo was in 9 july..
>>
>> Is there a schedule for the new version or something like that?
>>
>> at.,
>>
>> *Arthur P. Greg?rio*
>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>> @gregorioarthur
>> www.arthurgregorio.eti.br
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/135c8efe/attachment.html 

From sagneta at gmail.com  Mon Nov 23 10:04:55 2015
From: sagneta at gmail.com (Stephen Agneta)
Date: Mon, 23 Nov 2015 15:04:55 +0000
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
Message-ID: <CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>

I'll share what I know with you in the hopes that it will help somehow.

Well KC (keycloak) is a super-set of the PL (PicketLink) functionality thus
in theory it ought to work fine once it is ready and once some sort of
migration path is known. You may not wish to move to KC due to the
additional functionality which may be off-putting for lite applications but
KC will perform everything PL did and more and will do so in VM memory if
you so choose.

Essentially KC is a real federated authentication and authorization service
with identity management that can run standalone or in-VM within a WildFly
cluster. Although a Java implementation it works with other systems and
languages out of process. It does integrate with Spring which may interest
you.

The following link provides information for Wildfly 9 clustered
installation:
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install

Thus you should be able to have your authorization demands met _in VM_ as
opposed to over-the-wire for performance reasons if necessary.

IMOP I think the KC project is the right move. They are fixing the big
issue which is the lack of an opensource Federated Identity Management
System. They also fixed little things such as Composite Roles which are
missing from PL.

 I merely disliked the abrupt change-over. I also can't move to keycloak
until I have more of an idea how the migration would work.
For example, how different is the default KC relational schema from the
default basic PL schema:

http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136

It is also not clear if keycloak has a CDI demand system ready like
PicketLink. They only hint at it.  Also it runs in-cluster on Wildfly 9 and
I am on 8. Nothing huge but issues that will need to be addressed.

Hope that helps.











On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio <arthurshakal at gmail.com>
wrote:

> And KC does not have the same purpose as the PL.
>
> In short, I have no reason to migrate from one to the other, I use PL or
> go back to Spring Security.
>
> But it seems that there has not been any development in PL, at least in
> recent months, in short, it seems that the project is dying and all that
> were used for its own account.
>
> And with bugs like this https://developer.jboss.org/thread/266387, it's
> not cool to let the project stalled...
>
>
> *Arthur P. Greg?rio*
> *+55 45 9958-0302*
> @gregorioarthur
> www.arthurgregorio.eti.br
>
> 2015-11-23 11:47 GMT-02:00 Stephen Agneta <sagneta at gmail.com>:
>
>>
>> It certainly appears that everything has moved to key-cloak but I am
>> unsure that keycloak is ready to take the burden of current Picketlink
>> implementations. Nor am I sure how the migration process would occur. The
>> abruptness of the change is a bit disconcerting. Having said that
>> Picketlink is working fine save for one defect that which I requested that
>> is on the git HEAD but not in any particular release.
>>
>>
>>
>>
>> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <arthurshakal at gmail.com>
>> wrote:
>>
>>> Picketlink is dead?
>>>
>>> The last commit in the project repo was in 9 july..
>>>
>>> Is there a schedule for the new version or something like that?
>>>
>>> at.,
>>>
>>> *Arthur P. Greg?rio*
>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>> @gregorioarthur
>>> www.arthurgregorio.eti.br
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/55d93651/attachment-0001.html 

From bruno at abstractj.org  Mon Nov 23 10:07:50 2015
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 23 Nov 2015 15:07:50 +0000
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
Message-ID: <CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>

Please take a look at
http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/

I think this post answers your question.

On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta <sagneta at gmail.com> wrote:

> I'll share what I know with you in the hopes that it will help somehow.
>
> Well KC (keycloak) is a super-set of the PL (PicketLink) functionality
> thus in theory it ought to work fine once it is ready and once some sort of
> migration path is known. You may not wish to move to KC due to the
> additional functionality which may be off-putting for lite applications but
> KC will perform everything PL did and more and will do so in VM memory if
> you so choose.
>
> Essentially KC is a real federated authentication and authorization
> service with identity management that can run standalone or in-VM within a
> WildFly cluster. Although a Java implementation it works with other systems
> and languages out of process. It does integrate with Spring which may
> interest you.
>
> The following link provides information for Wildfly 9 clustered
> installation:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>
> Thus you should be able to have your authorization demands met _in VM_ as
> opposed to over-the-wire for performance reasons if necessary.
>
> IMOP I think the KC project is the right move. They are fixing the big
> issue which is the lack of an opensource Federated Identity Management
> System. They also fixed little things such as Composite Roles which are
> missing from PL.
>
>  I merely disliked the abrupt change-over. I also can't move to keycloak
> until I have more of an idea how the migration would work.
> For example, how different is the default KC relational schema from the
> default basic PL schema:
>
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>
> It is also not clear if keycloak has a CDI demand system ready like
> PicketLink. They only hint at it.  Also it runs in-cluster on Wildfly 9
> and I am on 8. Nothing huge but issues that will need to be addressed.
>
> Hope that helps.
>
>
>
>
>
>
>
>
>
>
>
> On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio <arthurshakal at gmail.com>
> wrote:
>
>> And KC does not have the same purpose as the PL.
>>
>> In short, I have no reason to migrate from one to the other, I use PL or
>> go back to Spring Security.
>>
>> But it seems that there has not been any development in PL, at least in
>> recent months, in short, it seems that the project is dying and all that
>> were used for its own account.
>>
>> And with bugs like this https://developer.jboss.org/thread/266387, it's
>> not cool to let the project stalled...
>>
>>
>> *Arthur P. Greg?rio*
>> *+55 45 9958-0302*
>> @gregorioarthur
>> www.arthurgregorio.eti.br
>>
>> 2015-11-23 11:47 GMT-02:00 Stephen Agneta <sagneta at gmail.com>:
>>
>>>
>>> It certainly appears that everything has moved to key-cloak but I am
>>> unsure that keycloak is ready to take the burden of current Picketlink
>>> implementations. Nor am I sure how the migration process would occur. The
>>> abruptness of the change is a bit disconcerting. Having said that
>>> Picketlink is working fine save for one defect that which I requested that
>>> is on the git HEAD but not in any particular release.
>>>
>>>
>>>
>>>
>>> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <arthurshakal at gmail.com>
>>> wrote:
>>>
>>>> Picketlink is dead?
>>>>
>>>> The last commit in the project repo was in 9 july..
>>>>
>>>> Is there a schedule for the new version or something like that?
>>>>
>>>> at.,
>>>>
>>>> *Arthur P. Greg?rio*
>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>> @gregorioarthur
>>>> www.arthurgregorio.eti.br
>>>> _______________________________________________
>>>> security-dev mailing list
>>>> security-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>
>>>
>> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/d7e03bc2/attachment.html 

From arthurshakal at gmail.com  Mon Nov 23 11:19:34 2015
From: arthurshakal at gmail.com (=?UTF-8?Q?Arthur_Greg=C3=B3rio?=)
Date: Mon, 23 Nov 2015 14:19:34 -0200
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
Message-ID: <CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>

I see this post, and i know what KC do..

What I mean is that I do not need all the things that KC does, I want
simple with the something like PL.

I posted in a thread about it on the same topic "continuity of PL" on the
dev list of KC and the same answer was given.

PL is such a cool framework, I refuse to believe that only I use it or only
I noticed this deep sleep that the project came...

Finally, the fact is that PL is like Spring Security, a swatter convenient
and fast flies. KC is already like a cannon, large and meaningless to the
context of solving a simple problem like killing a single mosquito.

But if so, the business is to make a project fork and working on my own
version.

at.,

*Arthur P. Greg?rio*
*+55 45 9958-0302*
@gregorioarthur
www.arthurgregorio.eti.br

2015-11-23 13:07 GMT-02:00 Bruno Oliveira <bruno at abstractj.org>:

> Please take a look at
> http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>
> I think this post answers your question.
>
> On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta <sagneta at gmail.com> wrote:
>
>> I'll share what I know with you in the hopes that it will help somehow.
>>
>> Well KC (keycloak) is a super-set of the PL (PicketLink) functionality
>> thus in theory it ought to work fine once it is ready and once some sort of
>> migration path is known. You may not wish to move to KC due to the
>> additional functionality which may be off-putting for lite applications but
>> KC will perform everything PL did and more and will do so in VM memory if
>> you so choose.
>>
>> Essentially KC is a real federated authentication and authorization
>> service with identity management that can run standalone or in-VM within a
>> WildFly cluster. Although a Java implementation it works with other systems
>> and languages out of process. It does integrate with Spring which may
>> interest you.
>>
>> The following link provides information for Wildfly 9 clustered
>> installation:
>>
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>>
>> Thus you should be able to have your authorization demands met _in VM_ as
>> opposed to over-the-wire for performance reasons if necessary.
>>
>> IMOP I think the KC project is the right move. They are fixing the big
>> issue which is the lack of an opensource Federated Identity Management
>> System. They also fixed little things such as Composite Roles which are
>> missing from PL.
>>
>>  I merely disliked the abrupt change-over. I also can't move to keycloak
>> until I have more of an idea how the migration would work.
>> For example, how different is the default KC relational schema from the
>> default basic PL schema:
>>
>>
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>
>> It is also not clear if keycloak has a CDI demand system ready like
>> PicketLink. They only hint at it.  Also it runs in-cluster on Wildfly 9
>> and I am on 8. Nothing huge but issues that will need to be addressed.
>>
>> Hope that helps.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio <arthurshakal at gmail.com>
>> wrote:
>>
>>> And KC does not have the same purpose as the PL.
>>>
>>> In short, I have no reason to migrate from one to the other, I use PL or
>>> go back to Spring Security.
>>>
>>> But it seems that there has not been any development in PL, at least in
>>> recent months, in short, it seems that the project is dying and all that
>>> were used for its own account.
>>>
>>> And with bugs like this https://developer.jboss.org/thread/266387, it's
>>> not cool to let the project stalled...
>>>
>>>
>>> *Arthur P. Greg?rio*
>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>> @gregorioarthur
>>> www.arthurgregorio.eti.br
>>>
>>> 2015-11-23 11:47 GMT-02:00 Stephen Agneta <sagneta at gmail.com>:
>>>
>>>>
>>>> It certainly appears that everything has moved to key-cloak but I am
>>>> unsure that keycloak is ready to take the burden of current Picketlink
>>>> implementations. Nor am I sure how the migration process would occur. The
>>>> abruptness of the change is a bit disconcerting. Having said that
>>>> Picketlink is working fine save for one defect that which I requested that
>>>> is on the git HEAD but not in any particular release.
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <arthurshakal at gmail.com>
>>>> wrote:
>>>>
>>>>> Picketlink is dead?
>>>>>
>>>>> The last commit in the project repo was in 9 july..
>>>>>
>>>>> Is there a schedule for the new version or something like that?
>>>>>
>>>>> at.,
>>>>>
>>>>> *Arthur P. Greg?rio*
>>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>>> @gregorioarthur
>>>>> www.arthurgregorio.eti.br
>>>>> _______________________________________________
>>>>> security-dev mailing list
>>>>> security-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>
>>>>
>>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/76a2bafb/attachment-0001.html 

From larry.mccay at gmail.com  Mon Nov 23 17:40:00 2015
From: larry.mccay at gmail.com (larry mccay)
Date: Mon, 23 Nov 2015 17:40:00 -0500
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
	<CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
Message-ID: <CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>

This is a disappointing situation.
PL should have been continued and then consumed by KC.
I will not be pulling in KC in its entirely in order to do SAML SP
implementations - we will need to move to something else.

I suggest that a PL module be published from KC that has minimal
dependencies.
You can migrate the PL functionality to KC this way but not force all of
the new dependencies on consumers.

On Mon, Nov 23, 2015 at 11:19 AM, Arthur Greg?rio <arthurshakal at gmail.com>
wrote:

> I see this post, and i know what KC do..
>
> What I mean is that I do not need all the things that KC does, I want
> simple with the something like PL.
>
> I posted in a thread about it on the same topic "continuity of PL" on the
> dev list of KC and the same answer was given.
>
> PL is such a cool framework, I refuse to believe that only I use it or
> only I noticed this deep sleep that the project came...
>
> Finally, the fact is that PL is like Spring Security, a swatter convenient
> and fast flies. KC is already like a cannon, large and meaningless to the
> context of solving a simple problem like killing a single mosquito.
>
> But if so, the business is to make a project fork and working on my own
> version.
>
> at.,
>
> *Arthur P. Greg?rio*
> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
> @gregorioarthur
> www.arthurgregorio.eti.br
>
> 2015-11-23 13:07 GMT-02:00 Bruno Oliveira <bruno at abstractj.org>:
>
>> Please take a look at
>> http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>>
>> I think this post answers your question.
>>
>> On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta <sagneta at gmail.com> wrote:
>>
>>> I'll share what I know with you in the hopes that it will help somehow.
>>>
>>> Well KC (keycloak) is a super-set of the PL (PicketLink) functionality
>>> thus in theory it ought to work fine once it is ready and once some sort of
>>> migration path is known. You may not wish to move to KC due to the
>>> additional functionality which may be off-putting for lite applications but
>>> KC will perform everything PL did and more and will do so in VM memory if
>>> you so choose.
>>>
>>> Essentially KC is a real federated authentication and authorization
>>> service with identity management that can run standalone or in-VM within a
>>> WildFly cluster. Although a Java implementation it works with other systems
>>> and languages out of process. It does integrate with Spring which may
>>> interest you.
>>>
>>> The following link provides information for Wildfly 9 clustered
>>> installation:
>>>
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>>>
>>> Thus you should be able to have your authorization demands met _in VM_
>>> as opposed to over-the-wire for performance reasons if necessary.
>>>
>>> IMOP I think the KC project is the right move. They are fixing the big
>>> issue which is the lack of an opensource Federated Identity Management
>>> System. They also fixed little things such as Composite Roles which are
>>> missing from PL.
>>>
>>>  I merely disliked the abrupt change-over. I also can't move to keycloak
>>> until I have more of an idea how the migration would work.
>>> For example, how different is the default KC relational schema from the
>>> default basic PL schema:
>>>
>>>
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>>
>>> It is also not clear if keycloak has a CDI demand system ready like
>>> PicketLink. They only hint at it.  Also it runs in-cluster on Wildfly 9
>>> and I am on 8. Nothing huge but issues that will need to be addressed.
>>>
>>> Hope that helps.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio <arthurshakal at gmail.com>
>>> wrote:
>>>
>>>> And KC does not have the same purpose as the PL.
>>>>
>>>> In short, I have no reason to migrate from one to the other, I use PL
>>>> or go back to Spring Security.
>>>>
>>>> But it seems that there has not been any development in PL, at least in
>>>> recent months, in short, it seems that the project is dying and all that
>>>> were used for its own account.
>>>>
>>>> And with bugs like this https://developer.jboss.org/thread/266387,
>>>> it's not cool to let the project stalled...
>>>>
>>>>
>>>> *Arthur P. Greg?rio*
>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>> @gregorioarthur
>>>> www.arthurgregorio.eti.br
>>>>
>>>> 2015-11-23 11:47 GMT-02:00 Stephen Agneta <sagneta at gmail.com>:
>>>>
>>>>>
>>>>> It certainly appears that everything has moved to key-cloak but I am
>>>>> unsure that keycloak is ready to take the burden of current Picketlink
>>>>> implementations. Nor am I sure how the migration process would occur. The
>>>>> abruptness of the change is a bit disconcerting. Having said that
>>>>> Picketlink is working fine save for one defect that which I requested that
>>>>> is on the git HEAD but not in any particular release.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <
>>>>> arthurshakal at gmail.com> wrote:
>>>>>
>>>>>> Picketlink is dead?
>>>>>>
>>>>>> The last commit in the project repo was in 9 july..
>>>>>>
>>>>>> Is there a schedule for the new version or something like that?
>>>>>>
>>>>>> at.,
>>>>>>
>>>>>> *Arthur P. Greg?rio*
>>>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>>>> @gregorioarthur
>>>>>> www.arthurgregorio.eti.br
>>>>>> _______________________________________________
>>>>>> security-dev mailing list
>>>>>> security-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>>
>>>>>
>>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151123/93512292/attachment.html 

From mposolda at redhat.com  Tue Nov 24 02:46:57 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Nov 2015 08:46:57 +0100
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
	<CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
	<CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>
Message-ID: <565415F1.50103@redhat.com>

Keycloak now supports SAML SP implementation, which doesn't require KC 
server. It can talk to any other SAML Idp. The docs is here 
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html 
. For the future, we will mainly focus on improve/maintain the Keycloak 
SAML SP rather than Picketlink.

Also there is no need to fork the Picketlink project to your own, you 
can still propose and send PR to Picketlink . This will allow that more 
people from the community can suffer from your work.

Marek


On 23/11/15 23:40, larry mccay wrote:
> This is a disappointing situation.
> PL should have been continued and then consumed by KC.
> I will not be pulling in KC in its entirely in order to do SAML SP 
> implementations - we will need to move to something else.
>
> I suggest that a PL module be published from KC that has minimal 
> dependencies.
> You can migrate the PL functionality to KC this way but not force all 
> of the new dependencies on consumers.
>
> On Mon, Nov 23, 2015 at 11:19 AM, Arthur Greg?rio 
> <arthurshakal at gmail.com <mailto:arthurshakal at gmail.com>> wrote:
>
>     I see this post, and i know what KC do..
>
>     What I mean is that I do not need all the things that KC does, I
>     want simple with the something like PL.
>
>     I posted in a thread about it on the same topic "continuity of PL"
>     on the dev list of KC and the same answer was given.
>
>     PL is such a cool framework, I refuse to believe that only I use
>     it or only I noticed this deep sleep that the project came...
>
>     Finally, the fact is that PL is like Spring Security, a swatter
>     convenient and fast flies. KC is already like a cannon, large and
>     meaningless to the context of solving a simple problem like
>     killing a single mosquito.
>
>     But if so, the business is to make a project fork and working on
>     my own version.
>
>     at.,
>
>     *Arthur P. Greg?rio*
>     /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>     @gregorioarthur
>     www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
>
>     2015-11-23 13:07 GMT-02:00 Bruno Oliveira <bruno at abstractj.org
>     <mailto:bruno at abstractj.org>>:
>
>         Please take a look at
>         http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>
>
>         I think this post answers your question.
>
>         On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta
>         <sagneta at gmail.com <mailto:sagneta at gmail.com>> wrote:
>
>             I'll share what I know with you in the hopes that it will
>             help somehow.
>
>             Well KC (keycloak) is a super-set of the PL (PicketLink)
>             functionality thus in theory it ought to work fine once it
>             is ready and once some sort of migration path is known.
>             You may not wish to move to KC due to the additional
>             functionality which may be off-putting for lite
>             applications but KC will perform everything PL did and
>             more and will do so in VM memory if you so choose.
>
>             Essentially KC is a real federated authentication and
>             authorization service with identity management that can
>             run standalone or in-VM within a WildFly cluster. Although
>             a Java implementation it works with other systems and
>             languages out of process. It does integrate with Spring
>             which may interest you.
>
>             The following link provides information for Wildfly 9
>             clustered installation:
>             http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>
>             Thus you should be able to have your authorization demands
>             met _in VM_ as opposed to over-the-wire for performance
>             reasons if necessary.
>
>             IMOP I think the KC project is the right move. They are
>             fixing the big issue which is the lack of an opensource
>             Federated Identity Management System. They also fixed
>             little things such as Composite Roles which are missing
>             from PL.
>
>              I merely disliked the abrupt change-over. I also can't
>             move to keycloak until I have more of an idea how the
>             migration would work.
>             For example, how different is the default KC relational
>             schema from the default basic PL schema:
>
>             http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>
>             It is also not clear if keycloak has a CDI demand system
>             ready like PicketLink. They only hint at it.  Also it runs
>             in-cluster on Wildfly 9 and I am on 8. Nothing huge but
>             issues that will need to be addressed.
>
>             Hope that helps.
>
>
>
>
>
>
>
>
>
>
>
>             On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio
>             <arthurshakal at gmail.com <mailto:arthurshakal at gmail.com>>
>             wrote:
>
>                 And KC does not have the same purpose as the PL.
>
>                 In short, I have no reason to migrate from one to the
>                 other, I use PL or go back to Spring Security.
>
>                 But it seems that there has not been any development
>                 in PL, at least in recent months, in short, it seems
>                 that the project is dying and all that were used for
>                 its own account.
>
>                 And with bugs like this
>                 https://developer.jboss.org/thread/266387, it's not
>                 cool to let the project stalled...
>
>
>                 *Arthur P. Greg?rio*
>                 /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>                 @gregorioarthur
>                 www.arthurgregorio.eti.br
>                 <http://www.arthurgregorio.eti.br>
>
>                 2015-11-23 11:47 GMT-02:00 Stephen Agneta
>                 <sagneta at gmail.com <mailto:sagneta at gmail.com>>:
>
>
>                     It certainly appears that everything has moved to
>                     key-cloak but I am unsure that keycloak is ready
>                     to take the burden of current Picketlink
>                     implementations. Nor am I sure how the migration
>                     process would occur. The abruptness of the change
>                     is a bit disconcerting. Having said that
>                     Picketlink is working fine save for one defect
>                     that which I requested that is on the git HEAD but
>                     not in any particular release.
>
>
>
>
>                     On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio
>                     <arthurshakal at gmail.com
>                     <mailto:arthurshakal at gmail.com>> wrote:
>
>                         Picketlink is dead?
>
>                         The last commit in the project repo was in 9
>                         july..
>
>                         Is there a schedule for the new version or
>                         something like that?
>
>                         at.,
>
>                         *Arthur P. Greg?rio*
>                         /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>                         @gregorioarthur
>                         www.arthurgregorio.eti.br
>                         <http://www.arthurgregorio.eti.br>
>                         _______________________________________________
>                         security-dev mailing list
>                         security-dev at lists.jboss.org
>                         <mailto:security-dev at lists.jboss.org>
>                         https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>             _______________________________________________
>             security-dev mailing list
>             security-dev at lists.jboss.org
>             <mailto:security-dev at lists.jboss.org>
>             https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
>     _______________________________________________
>     security-dev mailing list
>     security-dev at lists.jboss.org <mailto:security-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151124/e51e7a25/attachment-0001.html 

From arthurshakal at gmail.com  Tue Nov 24 05:50:48 2015
From: arthurshakal at gmail.com (=?UTF-8?Q?Arthur_Greg=C3=B3rio?=)
Date: Tue, 24 Nov 2015 08:50:48 -0200
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <565415F1.50103@redhat.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
	<CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
	<CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>
	<565415F1.50103@redhat.com>
Message-ID: <CA+UvXkJYDfsyOf6=AUwsTo+Tc1bmY-bXQsO4CA2jRfgbk69n5w@mail.gmail.com>

I only use JPA/LDAP authentication, simple and not need to mess with XML
and have only a single Jar in my classpath without relying on my aplication
server or something.

In short, KC can be very good at it, but for those who already have
something done and solid in the PL, it is impossible to migrate.

Until someone says I can use the KC to do this [1] with the same effort
that I have with the PL, I will continue thinking that the framework should
receive attention again.

[1]
https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-form-with-jsf

*Arthur P. Greg?rio*
*+55 45 9958-0302*
@gregorioarthur
www.arthurgregorio.eti.br

2015-11-24 5:46 GMT-02:00 Marek Posolda <mposolda at redhat.com>:

> Keycloak now supports SAML SP implementation, which doesn't require KC
> server. It can talk to any other SAML Idp. The docs is here
> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html
> . For the future, we will mainly focus on improve/maintain the Keycloak
> SAML SP rather than Picketlink.
>
> Also there is no need to fork the Picketlink project to your own, you can
> still propose and send PR to Picketlink . This will allow that more people
> from the community can suffer from your work.
>
> Marek
>
>
>
> On 23/11/15 23:40, larry mccay wrote:
>
> This is a disappointing situation.
> PL should have been continued and then consumed by KC.
> I will not be pulling in KC in its entirely in order to do SAML SP
> implementations - we will need to move to something else.
>
> I suggest that a PL module be published from KC that has minimal
> dependencies.
> You can migrate the PL functionality to KC this way but not force all of
> the new dependencies on consumers.
>
> On Mon, Nov 23, 2015 at 11:19 AM, Arthur Greg?rio <arthurshakal at gmail.com>
> wrote:
>
>> I see this post, and i know what KC do..
>>
>> What I mean is that I do not need all the things that KC does, I want
>> simple with the something like PL.
>>
>> I posted in a thread about it on the same topic "continuity of PL" on the
>> dev list of KC and the same answer was given.
>>
>> PL is such a cool framework, I refuse to believe that only I use it or
>> only I noticed this deep sleep that the project came...
>>
>> Finally, the fact is that PL is like Spring Security, a swatter
>> convenient and fast flies. KC is already like a cannon, large and
>> meaningless to the context of solving a simple problem like killing a
>> single mosquito.
>>
>> But if so, the business is to make a project fork and working on my own
>> version.
>>
>> at.,
>>
>> *Arthur P. Greg?rio*
>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>> @gregorioarthur
>> www.arthurgregorio.eti.br
>>
>> 2015-11-23 13:07 GMT-02:00 Bruno Oliveira < <bruno at abstractj.org>
>> bruno at abstractj.org>:
>>
>>> Please take a look at
>>> <http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/>
>>> http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>>>
>>> I think this post answers your question.
>>>
>>> On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta < <sagneta at gmail.com>
>>> sagneta at gmail.com> wrote:
>>>
>>>> I'll share what I know with you in the hopes that it will help somehow.
>>>>
>>>> Well KC (keycloak) is a super-set of the PL (PicketLink) functionality
>>>> thus in theory it ought to work fine once it is ready and once some sort of
>>>> migration path is known. You may not wish to move to KC due to the
>>>> additional functionality which may be off-putting for lite applications but
>>>> KC will perform everything PL did and more and will do so in VM memory if
>>>> you so choose.
>>>>
>>>> Essentially KC is a real federated authentication and authorization
>>>> service with identity management that can run standalone or in-VM within a
>>>> WildFly cluster. Although a Java implementation it works with other systems
>>>> and languages out of process. It does integrate with Spring which may
>>>> interest you.
>>>>
>>>> The following link provides information for Wildfly 9 clustered
>>>> installation:
>>>>
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>>>>
>>>> Thus you should be able to have your authorization demands met _in VM_
>>>> as opposed to over-the-wire for performance reasons if necessary.
>>>>
>>>> IMOP I think the KC project is the right move. They are fixing the big
>>>> issue which is the lack of an opensource Federated Identity Management
>>>> System. They also fixed little things such as Composite Roles which are
>>>> missing from PL.
>>>>
>>>>  I merely disliked the abrupt change-over. I also can't move to
>>>> keycloak until I have more of an idea how the migration would work.
>>>> For example, how different is the default KC relational schema from the
>>>> default basic PL schema:
>>>>
>>>>
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>>>
>>>> It is also not clear if keycloak has a CDI demand system ready like
>>>> PicketLink. They only hint at it.  Also it runs in-cluster on Wildfly
>>>> 9 and I am on 8. Nothing huge but issues that will need to be addressed.
>>>>
>>>> Hope that helps.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio <
>>>> <arthurshakal at gmail.com>arthurshakal at gmail.com> wrote:
>>>>
>>>>> And KC does not have the same purpose as the PL.
>>>>>
>>>>> In short, I have no reason to migrate from one to the other, I use PL
>>>>> or go back to Spring Security.
>>>>>
>>>>> But it seems that there has not been any development in PL, at least
>>>>> in recent months, in short, it seems that the project is dying and all that
>>>>> were used for its own account.
>>>>>
>>>>> And with bugs like this <https://developer.jboss.org/thread/266387>
>>>>> https://developer.jboss.org/thread/266387, it's not cool to let the
>>>>> project stalled...
>>>>>
>>>>>
>>>>> *Arthur P. Greg?rio*
>>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>>> @gregorioarthur
>>>>> www.arthurgregorio.eti.br
>>>>>
>>>>> 2015-11-23 11:47 GMT-02:00 Stephen Agneta < <sagneta at gmail.com>
>>>>> sagneta at gmail.com>:
>>>>>
>>>>>>
>>>>>> It certainly appears that everything has moved to key-cloak but I am
>>>>>> unsure that keycloak is ready to take the burden of current Picketlink
>>>>>> implementations. Nor am I sure how the migration process would occur. The
>>>>>> abruptness of the change is a bit disconcerting. Having said that
>>>>>> Picketlink is working fine save for one defect that which I requested that
>>>>>> is on the git HEAD but not in any particular release.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <
>>>>>> <arthurshakal at gmail.com>arthurshakal at gmail.com> wrote:
>>>>>>
>>>>>>> Picketlink is dead?
>>>>>>>
>>>>>>> The last commit in the project repo was in 9 july..
>>>>>>>
>>>>>>> Is there a schedule for the new version or something like that?
>>>>>>>
>>>>>>> at.,
>>>>>>>
>>>>>>> *Arthur P. Greg?rio*
>>>>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>>>>> @gregorioarthur
>>>>>>> <http://www.arthurgregorio.eti.br>www.arthurgregorio.eti.br
>>>>>>> _______________________________________________
>>>>>>> security-dev mailing list
>>>>>>> security-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>> security-dev mailing list
>>>> security-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>
>>>
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>
>
>
> _______________________________________________
> security-dev mailing listsecurity-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151124/c011aef7/attachment-0001.html 

From mposolda at redhat.com  Wed Nov 25 05:29:05 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 25 Nov 2015 11:29:05 +0100
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <CA+UvXkJYDfsyOf6=AUwsTo+Tc1bmY-bXQsO4CA2jRfgbk69n5w@mail.gmail.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
	<CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
	<CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>
	<565415F1.50103@redhat.com>
	<CA+UvXkJYDfsyOf6=AUwsTo+Tc1bmY-bXQsO4CA2jRfgbk69n5w@mail.gmail.com>
Message-ID: <56558D71.4010603@redhat.com>

On 24/11/15 11:50, Arthur Greg?rio wrote:
> I only use JPA/LDAP authentication, simple and not need to mess with 
> XML and have only a single Jar in my classpath without relying on my 
> aplication server or something.
With Keycloak, you also don't need to mess with any XML. The idea is, 
that there is minimal code needed on application side. All the work like 
authentication, identity management, LDAP integration, social 
integration etc is done on Keycloak server. Your application just needs 
to know how to talk to Keycloak server, so you need to add keycloak.json 
file with some "adapter configuration", which points how your 
application can talk to Keycloak server (it uses OpenID Connect or SAML2 
protocols for communication with server) . The amount of dependencies on 
application side is also quite minimal.
>
> In short, KC can be very good at it, but for those who already have 
> something done and solid in the PL, it is impossible to migrate.
>
> Until someone says I can use the KC to do this [1] with the same 
> effort that I have with the PL, I will continue thinking that the 
> framework should receive attention again.
>
> [1] 
> https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-form-with-jsf
The amount of effort on application side is even less than with 
picketlink. The thing is that you need keycloak server. It can be 
executed either in same JVM ( Wildfly/EAP instance) like your 
application or on completely different server.

The best is to start with keycloak documentation and possibly 
screencasts and try examples.

Marek
>
> *Arthur P. Greg?rio*
> /+55 45 9958-0302/
> @gregorioarthur
> www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
>
> 2015-11-24 5:46 GMT-02:00 Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>>:
>
>     Keycloak now supports SAML SP implementation, which doesn't
>     require KC server. It can talk to any other SAML Idp. The docs is
>     here
>     http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html
>     . For the future, we will mainly focus on improve/maintain the
>     Keycloak SAML SP rather than Picketlink.
>
>     Also there is no need to fork the Picketlink project to your own,
>     you can still propose and send PR to Picketlink . This will allow
>     that more people from the community can suffer from your work.
>
>     Marek
>
>
>
>     On 23/11/15 23:40, larry mccay wrote:
>>     This is a disappointing situation.
>>     PL should have been continued and then consumed by KC.
>>     I will not be pulling in KC in its entirely in order to do SAML
>>     SP implementations - we will need to move to something else.
>>
>>     I suggest that a PL module be published from KC that has minimal
>>     dependencies.
>>     You can migrate the PL functionality to KC this way but not force
>>     all of the new dependencies on consumers.
>>
>>     On Mon, Nov 23, 2015 at 11:19 AM, Arthur Greg?rio
>>     <arthurshakal at gmail.com <mailto:arthurshakal at gmail.com>> wrote:
>>
>>         I see this post, and i know what KC do..
>>
>>         What I mean is that I do not need all the things that KC
>>         does, I want simple with the something like PL.
>>
>>         I posted in a thread about it on the same topic "continuity
>>         of PL" on the dev list of KC and the same answer was given.
>>
>>         PL is such a cool framework, I refuse to believe that only I
>>         use it or only I noticed this deep sleep that the project came...
>>
>>         Finally, the fact is that PL is like Spring Security, a
>>         swatter convenient and fast flies. KC is already like a
>>         cannon, large and meaningless to the context of solving a
>>         simple problem like killing a single mosquito.
>>
>>         But if so, the business is to make a project fork and working
>>         on my own version.
>>
>>         at.,
>>
>>         *Arthur P. Greg?rio*
>>         /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>>         @gregorioarthur
>>         www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
>>
>>         2015-11-23 13:07 GMT-02:00 Bruno Oliveira
>>         <bruno at abstractj.org <mailto:bruno at abstractj.org>>:
>>
>>             Please take a look at
>>             http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>>
>>
>>             I think this post answers your question.
>>
>>             On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta
>>             <sagneta at gmail.com <mailto:sagneta at gmail.com>> wrote:
>>
>>                 I'll share what I know with you in the hopes that it
>>                 will help somehow.
>>
>>                 Well KC (keycloak) is a super-set of the PL
>>                 (PicketLink) functionality thus in theory it ought to
>>                 work fine once it is ready and once some sort of
>>                 migration path is known. You may not wish to move to
>>                 KC due to the additional functionality which may be
>>                 off-putting for lite applications but KC will perform
>>                 everything PL did and more and will do so in VM
>>                 memory if you so choose.
>>
>>                 Essentially KC is a real federated authentication and
>>                 authorization service with identity management that
>>                 can run standalone or in-VM within a WildFly cluster.
>>                 Although a Java implementation it works with other
>>                 systems and languages out of process. It does
>>                 integrate with Spring which may interest you.
>>
>>                 The following link provides information for Wildfly 9
>>                 clustered installation:
>>                 http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>>
>>                 Thus you should be able to have your authorization
>>                 demands met _in VM_ as opposed to over-the-wire for
>>                 performance reasons if necessary.
>>
>>                 IMOP I think the KC project is the right move. They
>>                 are fixing the big issue which is the lack of an
>>                 opensource Federated Identity Management System. They
>>                 also fixed little things such as Composite Roles
>>                 which are missing from PL.
>>
>>                  I merely disliked the abrupt change-over. I also
>>                 can't move to keycloak until I have more of an idea
>>                 how the migration would work.
>>                 For example, how different is the default KC
>>                 relational schema from the default basic PL schema:
>>
>>                 http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>
>>                 It is also not clear if keycloak has a CDI demand
>>                 system ready like PicketLink. They only hint at it.
>>                  Also it runs in-cluster on Wildfly 9 and I am on 8.
>>                 Nothing huge but issues that will need to be addressed.
>>
>>                 Hope that helps.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>                 On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio
>>                 <arthurshakal at gmail.com
>>                 <mailto:arthurshakal at gmail.com>> wrote:
>>
>>                     And KC does not have the same purpose as the PL.
>>
>>                     In short, I have no reason to migrate from one to
>>                     the other, I use PL or go back to Spring Security.
>>
>>                     But it seems that there has not been any
>>                     development in PL, at least in recent months, in
>>                     short, it seems that the project is dying and all
>>                     that were used for its own account.
>>
>>                     And with bugs like this
>>                     https://developer.jboss.org/thread/266387, it's
>>                     not cool to let the project stalled...
>>
>>
>>                     *Arthur P. Greg?rio*
>>                     /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>>                     @gregorioarthur
>>                     www.arthurgregorio.eti.br
>>                     <http://www.arthurgregorio.eti.br>
>>
>>                     2015-11-23 11:47 GMT-02:00 Stephen Agneta
>>                     <sagneta at gmail.com <mailto:sagneta at gmail.com>>:
>>
>>
>>                         It certainly appears that everything has
>>                         moved to key-cloak but I am unsure that
>>                         keycloak is ready to take the burden of
>>                         current Picketlink implementations. Nor am I
>>                         sure how the migration process would occur.
>>                         The abruptness of the change is a bit
>>                         disconcerting. Having said that Picketlink is
>>                         working fine save for one defect that which I
>>                         requested that is on the git HEAD but not in
>>                         any particular release.
>>
>>
>>
>>
>>                         On Mon, Nov 23, 2015 at 8:43 AM Arthur
>>                         Greg?rio <arthurshakal at gmail.com
>>                         <mailto:arthurshakal at gmail.com>> wrote:
>>
>>                             Picketlink is dead?
>>
>>                             The last commit in the project repo was
>>                             in 9 july..
>>
>>                             Is there a schedule for the new version
>>                             or something like that?
>>
>>                             at.,
>>
>>                             *Arthur P. Greg?rio*
>>                             /+55 45 9958-0302
>>                             <tel:%2B55%2045%209958-0302>/
>>                             @gregorioarthur
>>                             www.arthurgregorio.eti.br
>>                             <http://www.arthurgregorio.eti.br>
>>                             _______________________________________________
>>                             security-dev mailing list
>>                             security-dev at lists.jboss.org
>>                             <mailto:security-dev at lists.jboss.org>
>>                             https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>                 _______________________________________________
>>                 security-dev mailing list
>>                 security-dev at lists.jboss.org
>>                 <mailto:security-dev at lists.jboss.org>
>>                 https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>
>>         _______________________________________________
>>         security-dev mailing list
>>         security-dev at lists.jboss.org
>>         <mailto:security-dev at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>
>>
>>     _______________________________________________
>>     security-dev mailing list
>>     security-dev at lists.jboss.org <mailto:security-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/security-dev
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151125/5cacfa2b/attachment-0001.html 

From arthurshakal at gmail.com  Wed Nov 25 06:25:39 2015
From: arthurshakal at gmail.com (=?UTF-8?Q?Arthur_Greg=C3=B3rio?=)
Date: Wed, 25 Nov 2015 09:25:39 -0200
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <56558D71.4010603@redhat.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
	<CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
	<CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>
	<565415F1.50103@redhat.com>
	<CA+UvXkJYDfsyOf6=AUwsTo+Tc1bmY-bXQsO4CA2jRfgbk69n5w@mail.gmail.com>
	<56558D71.4010603@redhat.com>
Message-ID: <CA+UvXk+bL3gzd2idgsaMBURrL31SWVZtyCfZkDgt5=Aio3Ciqw@mail.gmail.com>

The amount of effort on application side is even less than with
picketlink. *The
thing is that you need keycloak server*. It can be executed either in same
JVM ( Wildfly/EAP instance) like your application or on completely
different server.

The best is to start with keycloak documentation and possibly screencasts
and try examples.


This is the "problem". Think about it:

I develop an open source system that uses a secure system and in theory,
can run on any application server compatible with JEE7+

My "users" will download the war, put on WF them still have to make a
number of settings on the server to be able to type username and password,
login, make control access, create groups, give permission ... Anyway,
unnecessary for this scenario.

What I know is that KC is a more business world, where we have a more
robust infrastructure. PL can be used in that case or something heavier
integrated with KC.

Well, what I am saying since I wrote my first e-mail is that technology
does not replace the other, but can complement each other...

But okay. For now, I would just someone could generate versions of PL,
snapshots, see and apply PR, make snapshots and publish to the maven, this
would be a great help.


*Arthur P. Greg?rio*
*+55 45 9958-0302*
@gregorioarthur
www.arthurgregorio.eti.br

2015-11-25 8:29 GMT-02:00 Marek Posolda <mposolda at redhat.com>:

> On 24/11/15 11:50, Arthur Greg?rio wrote:
>
> I only use JPA/LDAP authentication, simple and not need to mess with XML
> and have only a single Jar in my classpath without relying on my aplication
> server or something.
>
> With Keycloak, you also don't need to mess with any XML. The idea is, that
> there is minimal code needed on application side. All the work like
> authentication, identity management, LDAP integration, social integration
> etc is done on Keycloak server. Your application just needs to know how to
> talk to Keycloak server, so you need to add keycloak.json file with some
> "adapter configuration", which points how your application can talk to
> Keycloak server (it uses OpenID Connect or SAML2 protocols for
> communication with server) . The amount of dependencies on application side
> is also quite minimal.
>
>
> In short, KC can be very good at it, but for those who already have
> something done and solid in the PL, it is impossible to migrate.
>
> Until someone says I can use the KC to do this [1] with the same effort
> that I have with the PL, I will continue thinking that the framework should
> receive attention again.
>
> [1]
> https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-form-with-jsf
>
> The amount of effort on application side is even less than with
> picketlink. The thing is that you need keycloak server. It can be executed
> either in same JVM ( Wildfly/EAP instance) like your application or on
> completely different server.
>
> The best is to start with keycloak documentation and possibly screencasts
> and try examples.
>
> Marek
>
>
> *Arthur P. Greg?rio*
> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
> @gregorioarthur
> www.arthurgregorio.eti.br
>
> 2015-11-24 5:46 GMT-02:00 Marek Posolda <mposolda at redhat.com>:
>
>> Keycloak now supports SAML SP implementation, which doesn't require KC
>> server. It can talk to any other SAML Idp. The docs is here
>> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html
>> . For the future, we will mainly focus on improve/maintain the Keycloak
>> SAML SP rather than Picketlink.
>>
>> Also there is no need to fork the Picketlink project to your own, you can
>> still propose and send PR to Picketlink . This will allow that more people
>> from the community can suffer from your work.
>>
>> Marek
>>
>>
>>
>> On 23/11/15 23:40, larry mccay wrote:
>>
>> This is a disappointing situation.
>> PL should have been continued and then consumed by KC.
>> I will not be pulling in KC in its entirely in order to do SAML SP
>> implementations - we will need to move to something else.
>>
>> I suggest that a PL module be published from KC that has minimal
>> dependencies.
>> You can migrate the PL functionality to KC this way but not force all of
>> the new dependencies on consumers.
>>
>> On Mon, Nov 23, 2015 at 11:19 AM, Arthur Greg?rio <
>> <arthurshakal at gmail.com>arthurshakal at gmail.com> wrote:
>>
>>> I see this post, and i know what KC do..
>>>
>>> What I mean is that I do not need all the things that KC does, I want
>>> simple with the something like PL.
>>>
>>> I posted in a thread about it on the same topic "continuity of PL" on
>>> the dev list of KC and the same answer was given.
>>>
>>> PL is such a cool framework, I refuse to believe that only I use it or
>>> only I noticed this deep sleep that the project came...
>>>
>>> Finally, the fact is that PL is like Spring Security, a swatter
>>> convenient and fast flies. KC is already like a cannon, large and
>>> meaningless to the context of solving a simple problem like killing a
>>> single mosquito.
>>>
>>> But if so, the business is to make a project fork and working on my own
>>> version.
>>>
>>> at.,
>>>
>>> *Arthur P. Greg?rio*
>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>> @gregorioarthur
>>> www.arthurgregorio.eti.br
>>>
>>> 2015-11-23 13:07 GMT-02:00 Bruno Oliveira < <bruno at abstractj.org>
>>> bruno at abstractj.org>:
>>>
>>>> Please take a look at
>>>> http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>>>>
>>>> I think this post answers your question.
>>>>
>>>> On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta < <sagneta at gmail.com>
>>>> sagneta at gmail.com> wrote:
>>>>
>>>>> I'll share what I know with you in the hopes that it will help
>>>>> somehow.
>>>>>
>>>>> Well KC (keycloak) is a super-set of the PL (PicketLink) functionality
>>>>> thus in theory it ought to work fine once it is ready and once some sort of
>>>>> migration path is known. You may not wish to move to KC due to the
>>>>> additional functionality which may be off-putting for lite applications but
>>>>> KC will perform everything PL did and more and will do so in VM memory if
>>>>> you so choose.
>>>>>
>>>>> Essentially KC is a real federated authentication and authorization
>>>>> service with identity management that can run standalone or in-VM within a
>>>>> WildFly cluster. Although a Java implementation it works with other systems
>>>>> and languages out of process. It does integrate with Spring which may
>>>>> interest you.
>>>>>
>>>>> The following link provides information for Wildfly 9 clustered
>>>>> installation:
>>>>>
>>>>> <http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install>
>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>>>>>
>>>>> Thus you should be able to have your authorization demands met _in VM_
>>>>> as opposed to over-the-wire for performance reasons if necessary.
>>>>>
>>>>> IMOP I think the KC project is the right move. They are fixing the big
>>>>> issue which is the lack of an opensource Federated Identity Management
>>>>> System. They also fixed little things such as Composite Roles which are
>>>>> missing from PL.
>>>>>
>>>>>  I merely disliked the abrupt change-over. I also can't move to
>>>>> keycloak until I have more of an idea how the migration would work.
>>>>> For example, how different is the default KC relational schema from
>>>>> the default basic PL schema:
>>>>>
>>>>>
>>>>> <http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136>
>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>>>>
>>>>> It is also not clear if keycloak has a CDI demand system ready like
>>>>> PicketLink. They only hint at it.  Also it runs in-cluster on Wildfly
>>>>> 9 and I am on 8. Nothing huge but issues that will need to be addressed.
>>>>>
>>>>> Hope that helps.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio <
>>>>> <arthurshakal at gmail.com>arthurshakal at gmail.com> wrote:
>>>>>
>>>>>> And KC does not have the same purpose as the PL.
>>>>>>
>>>>>> In short, I have no reason to migrate from one to the other, I use PL
>>>>>> or go back to Spring Security.
>>>>>>
>>>>>> But it seems that there has not been any development in PL, at least
>>>>>> in recent months, in short, it seems that the project is dying and all that
>>>>>> were used for its own account.
>>>>>>
>>>>>> And with bugs like this <https://developer.jboss.org/thread/266387>
>>>>>> https://developer.jboss.org/thread/266387, it's not cool to let the
>>>>>> project stalled...
>>>>>>
>>>>>>
>>>>>> *Arthur P. Greg?rio*
>>>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>>>> @gregorioarthur
>>>>>> <http://www.arthurgregorio.eti.br>www.arthurgregorio.eti.br
>>>>>>
>>>>>> 2015-11-23 11:47 GMT-02:00 Stephen Agneta < <sagneta at gmail.com>
>>>>>> sagneta at gmail.com>:
>>>>>>
>>>>>>>
>>>>>>> It certainly appears that everything has moved to key-cloak but I am
>>>>>>> unsure that keycloak is ready to take the burden of current Picketlink
>>>>>>> implementations. Nor am I sure how the migration process would occur. The
>>>>>>> abruptness of the change is a bit disconcerting. Having said that
>>>>>>> Picketlink is working fine save for one defect that which I requested that
>>>>>>> is on the git HEAD but not in any particular release.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio <
>>>>>>> <arthurshakal at gmail.com>arthurshakal at gmail.com> wrote:
>>>>>>>
>>>>>>>> Picketlink is dead?
>>>>>>>>
>>>>>>>> The last commit in the project repo was in 9 july..
>>>>>>>>
>>>>>>>> Is there a schedule for the new version or something like that?
>>>>>>>>
>>>>>>>> at.,
>>>>>>>>
>>>>>>>> *Arthur P. Greg?rio*
>>>>>>>> *+55 45 9958-0302 <%2B55%2045%209958-0302>*
>>>>>>>> @gregorioarthur
>>>>>>>> <http://www.arthurgregorio.eti.br>www.arthurgregorio.eti.br
>>>>>>>> _______________________________________________
>>>>>>>> security-dev mailing list
>>>>>>>> <security-dev at lists.jboss.org>security-dev at lists.jboss.org
>>>>>>>> <https://lists.jboss.org/mailman/listinfo/security-dev>
>>>>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>>>>
>>>>>>>
>>>>>> _______________________________________________
>>>>> security-dev mailing list
>>>>> security-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>
>>>>
>>>
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>
>>
>>
>>
>> _______________________________________________
>> security-dev mailing listsecurity-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151125/b91b1f02/attachment-0001.html 

From bburke at redhat.com  Mon Nov 30 14:12:40 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 14:12:40 -0500
Subject: [security-dev] Picketlink 2.8.0
In-Reply-To: <565415F1.50103@redhat.com>
References: <CA+UvXkLw_RPbBuig0Sw4RxyT6BgSJGkHwzCeEYRuVE3W6ukzzA@mail.gmail.com>
	<CAHqTQ70ngf1hNONF3q_ZKQA3_igN3+vv-7rsjZLwAMryJrShPA@mail.gmail.com>
	<CA+UvXk+6UhQAQ0nV8fuociUbBj38+_JbbZpJ6vDbBMdWsp_ARw@mail.gmail.com>
	<CAHqTQ700a8N2zTN4z3AJQqLtOrkTkji7XJx1vSRQTu7HVbnZLg@mail.gmail.com>
	<CAM5SUC4r7NwBNJj6WZJ1rhviSuX6JMZxHcXUqb0LyC47X_TaQg@mail.gmail.com>
	<CA+UvXkJaZut5V_Omj3F3nz3acvQFOXRUhzcGbzE7fjeHo=f47g@mail.gmail.com>
	<CACRbFygod5YiS8QzpMt1sai8izF_Svk9MGeTWuSq+0Ki5F117Q@mail.gmail.com>
	<565415F1.50103@redhat.com>
Message-ID: <565C9FA8.8090803@redhat.com>

Correct.  Keycloak SAML SP adapter is completely independent of Keycloak 
IDP and should be usable with any SAML identity provider.  If not, we 
are more than happy to quickly fix and release to make that happen. 
Keycloak SP is actually derived from PL SAML SP adapter.  Think of it as 
PL SAML SP version 3.0.

To be honest, PL SAML SP code was becoming a maintenance problem.  It 
was a mess mainly because the PL team had to move so fast and quickly 
and had little time to make things right.  It exposed too many 
implementation details and IDP and SP code were intermixed and there was 
a lot of code copied between different adapter types (filter, tomcat, 
jetty, jboss eap, wildfly) making it hard to maintain.  The new adapter 
shares most code in a common cross-platform module with only minimal 
platform specific code.  We're also sharing a bit of common code with 
our OpenID Connect adapters.




On 11/24/2015 2:46 AM, Marek Posolda wrote:
> Keycloak now supports SAML SP implementation, which doesn't require KC
> server. It can talk to any other SAML Idp. The docs is here
> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html
> . For the future, we will mainly focus on improve/maintain the Keycloak
> SAML SP rather than Picketlink.
>
> Also there is no need to fork the Picketlink project to your own, you
> can still propose and send PR to Picketlink . This will allow that more
> people from the community can suffer from your work.
>
> Marek
>
>
> On 23/11/15 23:40, larry mccay wrote:
>> This is a disappointing situation.
>> PL should have been continued and then consumed by KC.
>> I will not be pulling in KC in its entirely in order to do SAML SP
>> implementations - we will need to move to something else.
>>
>> I suggest that a PL module be published from KC that has minimal
>> dependencies.
>> You can migrate the PL functionality to KC this way but not force all
>> of the new dependencies on consumers.
>>
>> On Mon, Nov 23, 2015 at 11:19 AM, Arthur Greg?rio
>> <arthurshakal at gmail.com <mailto:arthurshakal at gmail.com>> wrote:
>>
>>     I see this post, and i know what KC do..
>>
>>     What I mean is that I do not need all the things that KC does, I
>>     want simple with the something like PL.
>>
>>     I posted in a thread about it on the same topic "continuity of PL"
>>     on the dev list of KC and the same answer was given.
>>
>>     PL is such a cool framework, I refuse to believe that only I use
>>     it or only I noticed this deep sleep that the project came...
>>
>>     Finally, the fact is that PL is like Spring Security, a swatter
>>     convenient and fast flies. KC is already like a cannon, large and
>>     meaningless to the context of solving a simple problem like
>>     killing a single mosquito.
>>
>>     But if so, the business is to make a project fork and working on
>>     my own version.
>>
>>     at.,
>>
>>     *Arthur P. Greg?rio*
>>     /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>>     @gregorioarthur
>>     www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
>>
>>     2015-11-23 13:07 GMT-02:00 Bruno Oliveira
>>     <<mailto:bruno at abstractj.org>bruno at abstractj.org>:
>>
>>         Please take a look at
>>         <http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/>http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>>
>>
>>         I think this post answers your question.
>>
>>         On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta
>>         <<mailto:sagneta at gmail.com>sagneta at gmail.com> wrote:
>>
>>             I'll share what I know with you in the hopes that it will
>>             help somehow.
>>
>>             Well KC (keycloak) is a super-set of the PL (PicketLink)
>>             functionality thus in theory it ought to work fine once it
>>             is ready and once some sort of migration path is known.
>>             You may not wish to move to KC due to the additional
>>             functionality which may be off-putting for lite
>>             applications but KC will perform everything PL did and
>>             more and will do so in VM memory if you so choose.
>>
>>             Essentially KC is a real federated authentication and
>>             authorization service with identity management that can
>>             run standalone or in-VM within a WildFly cluster. Although
>>             a Java implementation it works with other systems and
>>             languages out of process. It does integrate with Spring
>>             which may interest you.
>>
>>             The following link provides information for Wildfly 9
>>             clustered installation:
>>             http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>>
>>             Thus you should be able to have your authorization demands
>>             met _in VM_ as opposed to over-the-wire for performance
>>             reasons if necessary.
>>
>>             IMOP I think the KC project is the right move. They are
>>             fixing the big issue which is the lack of an opensource
>>             Federated Identity Management System. They also fixed
>>             little things such as Composite Roles which are missing
>>             from PL.
>>
>>              I merely disliked the abrupt change-over. I also can't
>>             move to keycloak until I have more of an idea how the
>>             migration would work.
>>             For example, how different is the default KC relational
>>             schema from the default basic PL schema:
>>
>>             http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>
>>             It is also not clear if keycloak has a CDI demand system
>>             ready like PicketLink. They only hint at it.  Also it runs
>>             in-cluster on Wildfly 9 and I am on 8. Nothing huge but
>>             issues that will need to be addressed.
>>
>>             Hope that helps.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>             On Mon, Nov 23, 2015 at 8:54 AM Arthur Greg?rio
>>             <<mailto:arthurshakal at gmail.com>arthurshakal at gmail.com> wrote:
>>
>>                 And KC does not have the same purpose as the PL.
>>
>>                 In short, I have no reason to migrate from one to the
>>                 other, I use PL or go back to Spring Security.
>>
>>                 But it seems that there has not been any development
>>                 in PL, at least in recent months, in short, it seems
>>                 that the project is dying and all that were used for
>>                 its own account.
>>
>>                 And with bugs like this
>>                 <https://developer.jboss.org/thread/266387>https://developer.jboss.org/thread/266387,
>>                 it's not cool to let the project stalled...
>>
>>
>>                 *Arthur P. Greg?rio*
>>                 /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>>                 @gregorioarthur
>>                 www.arthurgregorio.eti.br
>>                 <http://www.arthurgregorio.eti.br>
>>
>>                 2015-11-23 11:47 GMT-02:00 Stephen Agneta
>>                 <<mailto:sagneta at gmail.com>sagneta at gmail.com>:
>>
>>
>>                     It certainly appears that everything has moved to
>>                     key-cloak but I am unsure that keycloak is ready
>>                     to take the burden of current Picketlink
>>                     implementations. Nor am I sure how the migration
>>                     process would occur. The abruptness of the change
>>                     is a bit disconcerting. Having said that
>>                     Picketlink is working fine save for one defect
>>                     that which I requested that is on the git HEAD but
>>                     not in any particular release.
>>
>>
>>
>>
>>                     On Mon, Nov 23, 2015 at 8:43 AM Arthur Greg?rio
>>                     <<mailto:arthurshakal at gmail.com>arthurshakal at gmail.com>
>>                     wrote:
>>
>>                         Picketlink is dead?
>>
>>                         The last commit in the project repo was in 9
>>                         july..
>>
>>                         Is there a schedule for the new version or
>>                         something like that?
>>
>>                         at.,
>>
>>                         *Arthur P. Greg?rio*
>>                         /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>>                         @gregorioarthur
>>                         <http://www.arthurgregorio.eti.br>www.arthurgregorio.eti.br
>>                         _______________________________________________
>>                         security-dev mailing list
>>                         security-dev at lists.jboss.org
>>                         <mailto:security-dev at lists.jboss.org>
>>                         https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>             _______________________________________________
>>             security-dev mailing list
>>             security-dev at lists.jboss.org
>>             <mailto:security-dev at lists.jboss.org>
>>             https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>
>>     _______________________________________________
>>     security-dev mailing list
>>     security-dev at lists.jboss.org <mailto:security-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>>
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com