<div>
Hi Bill, did you have the chance to move forward?
</div>
<div><div><br></div><div><br></div><div><div>-- </div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div></div></div>
<p style="color: #A0A0A8;">On Monday, January 7, 2013 at 9:14 PM, Bill Burke wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>A week or two or so before Christmas, I decided to refocus my OAuth work so </div><div>that I could support *existing* JBoss web applications. I'm about a </div><div>week or two away from releasing something. I just need to do some final </div><div>minor feature work, test it a little bit more, and write some documentation.</div><div><br></div><div>*NOTE* All this works with existing JBoss web applications and security </div><div>domain infrastructure.</div><div><br></div><div>FEATURE 1: TRADITIONAL OAUTH</div><div><br></div><div>You can take any existing web app and turn it into an OAuth2 provider. </div><div>Currently, it must be using servlet FORM authentication and a jboss </div><div>security domain. All that is required additionally is adding a valve to </div><div>jboss-web.xml, generating a realm key pair in a keystore, and putting a </div><div>small json configuration file in your WAR's classpath. Once you've done </div><div>this, your existing web app can generate access tokens and </div><div>*additionally* do bearer token auth. Client apps just need to follow </div><div>the OAuth2 client protocol to obtain their access tokens, and do </div><div>client-side OAuth2 bearer token authentication to access the web app.</div><div><br></div><div>FEATURE 2: CENTRALIZED AUTHZ and Distributed SSO</div><div>* Turn any existing user/password/roles JBoss Security Domain into a </div><div>remote, centralized, authentication and authorization server. It is as </div><div>simple as creating a small WAR that is FORM auth enabled, setting a </div><div>particular jboss-web valve, and defining a simple json configuration file.</div><div>* Next, you can take any existing web app that uses FORM auth, and point </div><div>it to this central server. The plugin will do the correct browser </div><div>redirects via OAuth2 protocol to the central server. 
Identity and role </div><div>mappings are transferred via the access token.</div><div>* This is authentication and authorization! user auth and role mappings!</div><div>* It supports Distributed SSO. Once you've logged into the central </div><div>authentication server, you are logged into any application configured to </div><div>accept authentication/authorization from the central server.</div><div>* It supports Distributed Log Out. So, you can log out of all web </div><div>applications.</div><div>* Central server has a small admin interface that allows admins to </div><div>logout a specific user (or all users) on all secured web applications. </div><div>You can also set up bearer token policies like: don't accept tokens </div><div>created before a certain date.</div><div>* Bearer tokens are generated for each browser login.</div><div>* Tokens are propagated and can be accessed in business logic via a </div><div>request attribute, or in JAX-RS land, the @Context annotation. You can </div><div>then use this token to access other HTTP-based services on your network. </div><div>This allows your web application to talk securely with a network of </div><div>web services.</div><div><br></div><div>This all works by defining a simple OAuth2 Bearer token format and using </div><div>OAuth2 protocols to obtain and distribute these tokens. My format is a </div><div>small extension to JSON Web Token that has role-mapping information. 
It </div><div>is signed and verified using PKI.</div><div><br></div><div>I have plans to extend this to work with BASIC and CLIENT_CERT servlet </div><div>authentication.</div><div>-- </div><div>Bill Burke</div><div>JBoss, a division of Red Hat</div><div><a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></div><div>_______________________________________________</div><div>security-dev mailing list</div><div><a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>
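<div>The quoted mail describes a bearer token that is a JSON Web Token extended with role-mapping information, signed with the realm's key pair and checked by each secured web app, with an admin policy that refuses tokens created before a certain date. The following Go program is an added illustration of that design, not code from Bill's project or from JBoss: the <code>roles</code> claim name, the <code>demo-realm</code> issuer, the <code>Policy</code> struct and the in-memory key that stands in for the keystore are all assumptions made here. It shows the part a resource server must get right: pin the signing algorithm instead of trusting the token's own header, verify the signature against the realm's public key before reading any claim, and only then apply issuer, expiry and the not-before cutoff before exposing the role mappings to business logic.</div>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims approximates the token from the mail: a JWT plus a role-mapping
// claim. The "roles" name is an assumption, not the project's actual format.
type Claims struct {
	Issuer    string   `json:"iss"`   // realm (central server) that minted the token
	Subject   string   `json:"sub"`   // authenticated user
	IssuedAt  int64    `json:"iat"`   // seconds since the epoch
	ExpiresAt int64    `json:"exp"`
	Roles     []string `json:"roles"` // hypothetical role-mapping claim
}

// Policy is what a secured web app needs to accept a bearer token: the realm
// public key, the realm name, a clock, and the admin-set cutoff that rejects
// tokens created before a certain date (zero value disables the cutoff).
type Policy struct {
	PublicKey *rsa.PublicKey
	Realm     string
	Now       time.Time
	NotBefore time.Time
}

func b64enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign serialises header.payload.signature using the realm's private key
// (RS256: RSASSA-PKCS1-v1_5 over SHA-256).
func Sign(c Claims, key *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64enc(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64enc(sig), nil
}

// Verify checks the signature first and the claims second; the claims are
// returned only once every check has passed, so callers never act on
// unverified role mappings.
func Verify(token string, p Policy) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, errH := base64.RawURLEncoding.DecodeString(parts[0])
	rawClaims, errC := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: the verifier decides how to verify, not the token's
	// header, so "alg":"none" or a downgrade to a symmetric MAC is refused.
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(p.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	var c Claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	if c.Issuer != p.Realm {
		return nil, errors.New("token issued by a different realm")
	}
	if !p.Now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	// The admin "log everyone out" policy: a token minted before the cutoff
	// is refused even though its signature is valid.
	if !p.NotBefore.IsZero() && time.Unix(c.IssuedAt, 0).Before(p.NotBefore) {
		return nil, errors.New("token created before the realm's not-before cutoff")
	}
	return &c, nil
}

// HasRole is the check the secured web app's authorization logic consults.
func HasRole(c *Claims, role string) bool {
	if c == nil {
		return false
	}
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the realm keystore
	now := time.Now()
	tok, _ := Sign(Claims{Issuer: "demo-realm", Subject: "alice", IssuedAt: now.Unix(),
		ExpiresAt: now.Add(time.Hour).Unix(), Roles: []string{"user"}}, key)
	policy := Policy{PublicKey: &key.PublicKey, Realm: "demo-realm", Now: now}
	c, err := Verify(tok, policy)
	fmt.Println(err == nil, HasRole(c, "user"), HasRole(c, "admin"))
	policy.NotBefore = now.Add(time.Minute) // admin revokes everything issued so far
	_, err = Verify(tok, policy)
	fmt.Println(err)
}
```

<div>The order of checks is the point: the algorithm is fixed by the verifier, the signature is validated before any claim is parsed, and the not-before cutoff is evaluated on the token's own <code>iat</code>, which is exactly what lets a central admin action invalidate every already-issued token without contacting each web application.</div>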