<div>
Great, thanks Bill!
</div>
<div><div><br></div><div><br></div><div><div>-- </div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div></div></div>
<p style="color: #A0A0A8;">On Monday, January 21, 2013 at 3:16 PM, Bill Burke wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>I'll be doing a release next week. I still have to write documentation, </div><div>but the features and examples are complete.</div><div><br></div><div><a href="https://github.com/resteasy/Resteasy/tree/master/jaxrs/examples/oauth2-as7-example">https://github.com/resteasy/Resteasy/tree/master/jaxrs/examples/oauth2-as7-example</a></div><div><br></div><div><br></div><div><br></div><div>On 1/21/2013 12:11 PM, Bruno Oliveira wrote:</div><blockquote type="cite"><div><div>Hi Bill, did you had the chance to move forward?</div><div><br></div><div><br></div><div>--</div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div><div><br></div><div>On Monday, January 7, 2013 at 9:14 PM, Bill Burke wrote:</div><div><br></div><blockquote type="cite"><div><div>A week or two so before Christmas, I decided to refocus my OAuth work so</div><div>that I could support *existing* JBoss web applications. I'm about a</div><div>week or two away from releasing something. I just need to do some final</div><div>minor feature work, test it a little bit more, and write some</div><div>documentation.</div><div><br></div><div>*NOTE* All this works with existing JBoss web applications and security</div><div>domain infrastructure.</div><div><br></div><div>FEATURE 1: TRADITIONAL OAUTH</div><div><br></div><div>You can take any existing web app and turn it into an OAuth2 provider.</div><div>Currently, it must be using servlet FORM authentication and a jboss</div><div>security domain. ALl that is required additionally is adding a valve to</div><div>jboss-web.xml <<a href="http://web.xml">http://web.xml</a>>, generating a realm key pain in a</div><div>keystore, and putting a</div><div>small json configuration file in your WAR's classpath. Once you've done</div><div>this, your existing web app can generate access tokens and</div><div>*additionally* do bearer token auth. Client apps, just need to follow</div><div>the OAuth2 client protocol to obtain their access tokens. And do</div><div>client-side OAuth2 bearer token authentication to access the web app.</div><div><br></div><div>FEATURE 2: CENTRALIZED AUTHZ and Distributed SSO</div><div>* Turn any existing user/password/roles JBoss Security Domain into a</div><div>remote, centralized, authentication and authorization server. It is as</div><div>simple as creating a small WAR that is FORM auth enabled, setting a</div><div>particular jboss-web valve, and defining a simple json configuration file.</div><div>* Next, you can take any existing web app that uses FORM auth, and point</div><div>it to this central server. The plugin will do the correct browser</div><div>redirects via OAuth2 protocol to the central server. Identity and role</div><div>mappings are transferred via the access token.</div><div>* This is authentication and authorization! user auth and role mappings!</div><div>* It supports Distributed SSO. Once you've logged into the central</div><div>authentication server, you are logged into any application configured to</div><div>accept authentication/authorization from the central server.</div><div>* It supports Distributed Log Out. So, you can log out of all web</div><div>applications</div><div>* Central server has a small admin interface that allows admins to</div><div>logout a specific user (or all users) on all secured web applications.</div><div>You can also set up bearer token policies like: don't accept tokens</div><div>created before a certain date.</div><div>* Bearer tokens are generated for each browser login.</div><div>* Tokens are propagated and can be access in business logic via a</div><div>request attribute, or in JAX-RS land, the @Context annotation. You can</div><div>then use this token to access other HTTP-based services on your network.</div><div>This allows your web application to talk securely with a network of</div><div>web services.</div><div><br></div><div>This all works by defining a simple OAuth2 Bearer token format and using</div><div>OAuth2 protocols to obtain and distribute these tokens. My format is a</div><div>small extension to JSON Web Token that has role-mapping information. It</div><div>is signed and verified using PKI.</div><div><br></div><div>I have plans to extend this to work with BASIC and CLIENT_CERT servlet</div><div>authentication.</div><div>--</div><div>Bill Burke</div><div>JBoss, a division of Red Hat</div><div><a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></div><div>_______________________________________________</div><div>security-dev mailing list</div><div>security-dev@lists.jboss.org <<a href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>></div><div><a href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a></div></div></blockquote></div></blockquote><div><br></div><div>-- </div><div>Bill Burke</div><div>JBoss, a division of Red Hat</div><div><a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>