February 2013 - security-dev - Jboss List Archives

by Anil Saldhana

Hi All, our release ninja, Pedro has released PicketBox 5.0.0.Final whose notes is at https://docs.jboss.org/author/display/SECURITY/5.0.0.Final We delayed the release mainly to accommodate PicketLink v3.0 IDM that was under development. PicketBox5 uses the most recent version of IDM. ============== ** What is PicketBox5? ** ============== PicketBox5 is a project that provides the various tools for Java Security. https://docs.jboss.org/author/display/SECURITY/SecurityProjectsArchitecture ================== ** Are there quickstarts? ** ================== https://docs.jboss.org/author/display/SECURITY/PicketBox+Quickstarts ================== ** Where is PicketBox5 useful? ** ================== Java Applications wherever the following are needed: * Authentication. * Authorization * Audit * Session Management (non-http based) * Entitlements Management (https://docs.jboss.org/author/display/SECURITY/EntitlementsManager) It does have general purpose HTTP authentication (basic/form/digest) support that is not EE container security driven.(https://docs.jboss.org/author/display/SECURITY/PicketBox+HTTP) ========================= ** How is this different from PicketLink v3? ** ========================= PicketLink v3 is our umbrella project for enabling security for JavaEE applications (EE6+). PicketLinkv3 contains core security, IDM, SAML, OAuth and Social (facebook/twitter/openid) components that are useful for JavaEE applications. There is PicketLink Extensions project that does use PicketBox5 underneath to fill in some of the gaps missing in PicketLink v3, as we are transitioning features into PL3 based on user demand. Feedback welcome. Now onto making PicketLink v3 Final release a reality. :) Regards, Anil

12 years, 11 months

2
2
0 / 0

IDE Configs added to the PicketLink workspace

by Anil Saldhana

Hi All, I added a directory called ide-configs in the picketlink workspace. This contains the ide config files for the various IDEs (Eclipse/IDEA/NetBeans). I borrowed this directory from AS7 workspace. Regards, Anil

12 years, 11 months

2
1
0 / 0

PicketLink v3 Source License Headers changed to ASLv2

by Anil Saldhana

Hi All, as you know, PicketLink has approval for a license change to ASLv2. Toward this, I have changed the license headers in the source files to ASLv2. The official license header is: ============ /* * JBoss, Home of Professional Open Source * * Copyright 2013 Red Hat, Inc. and/or its affiliates. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ ============= I may have missed a few files. Please do inform me about the files missed or you are welcome to send a PR. :) Regards, Anil

12 years, 11 months

1
0
0 / 0

[PicketLink IDM] - Timed Release 3.0.0-2013Feb08

by Pedro Igor Silva

Hi, Today, we released a new timed version for the PicketLink IDM project. The documentation and quickstarts are being elaborated, but you can always check the test cases for a lot of usage examples. <dependency> <groupId>org.picketlink</groupId> <artifactId>picketlink-idm-impl</artifactId> <version>3.0.0-2013Feb08</version> </dependency> This version contains the changes required to support the last discussion regarding groups with the same name and group's path. https://issues.jboss.org/browse/PLINK-89 Regards. Pedro Igor

12 years, 11 months

2
4
0 / 0

PicketLink 3 - IDM API - Credential Management

by Darran Lofthouse

I am currently looking into using the IDM API as I am authenticating some HTTP requests and I am running into a couple of questions, the aspect of the API I am currently looking at is: - // Credential management boolean validateCredential(User user, Credential credential); void updateCredential(User user, Credential credential); Correct me if I am wrong as it is the foundation of what I am thinking about but I am seeing the 'validateCredential' as the method to call to validate that the Credential supplied by the user is valid so that we can verify the user is who they claim to be. There is quite a lot below so it may make sense to subsequently break these out into their own discussions. * Userless Validation * As mentioned on the other thread something I would find really useful is something along the lines of: - User validateCredential(Credential credential); This would be for situations where there is a direct mapping from the Credential to the user it relates to, my main example being a X509Certificate. I am looking at this from the perspective of - The IDM is already managing the association of User to Certificate so to call validateCredential I would see it as better that the calling code is not forced to map it to the user first. * Multiple Credentials * The validateCredential method potentially allows many different types of Credential to be used - however the updateCredential method seems to apply a 1:1 mapping of User and Credential. I can see situations where a user would have multiple Credentials, an immediate example being both a Password and a X509Certificate. * Ambiguous Meaning to Credentials * This is just something I am not as clear on how the two relate and think it has the potential to be confusing using the same Credential interface for validation and for association with the user. For Credentials such as the PasswordCredential and X509CertificateCredential these do make sense to both be validated and associated. But then there are Credentials like the DigestCredential which only make sense to be validated but not associated. * Multiple Representations of Same Credential * Another requirement I may have is storing multiple representations of the same Credential against the same user - this is just thinking out loud at the moment so not sure if this would be a responsibility of the IdentityStore. The situation here is that the user has one password but we want to support two different hashes with Digest authentication - if we want to choose to pre-hash the password with the username and realm we would need to do that once per type of hash supported. The benefit of pre-hashing in this way is that if the user has used the same password but for a different realm someone gaining access to the hashed form does not necessarily get access to all of that users accounts. * Access To The Credential * The next issue is where access to the credential is required or at the very least something is needed to be generated from the credential - this is used in client/server scenarios where the server also proves to the client that it knows the users password. Keeping the Credential so that it can not be retrieved from the IDM is good but it does open up the need to be able to generate some response values within the IDM based on additional information supplied. The example I currently have is regarding Digest authentication, I have a need for the following two hashes to be generated: - "username : realm : password" "username : realm : password : nonce : cnonce" The first could be the pre-hashed password I mention above but the second definitely needs generating on demand as we have both the nonce that was generated from the server and the nonce the client has sent to challenge the server. Regards, Darran Lofthouse.

12 years, 11 months

4
11
0 / 0

Group clarification

by Marek Posolda

Hello, One of the current requirements in GateIn is possibility to have groups with same name and with different parents. For example: I can have groups "/qa/management" and "/dev/management" In other words, I have two groups called "management" but both are in different parts of group tree, because first one has parent group "qa" and second has parent group "dev". Currently Picketlink IDM 3 doesn't support it (it always throws exception when it recognize that group with same name already exists). Also I am seeing that concept of GroupID (path to group from root group - something like "/qa/management") and group key has been removed as well even if it was supported in IDM 3.x couple of weeks before. Also for read usecase, there are two methods in IdentityManager to find groups: Group getGroup(String groupId); Group getGroup(String groupName, Group parent); I think that first one has been designed to find group with argument as groupId, so usage could looks like: Group qaManagersGroup = identityManager.getGroup("/qa/management"); Second one has been designed with usage of plain group names like: Group qaGroup = identityManager.getGroup("qa", null); Group qaManagersGroup = identityManager.getGroup("management", qaGroup); Problem is that currently we are always using first one with groupName as an argument (not groupId), so it obviously can't work correctly if we have two groups with same name "management" because it's unclear which one should be result of finding...:-\ Any ideas to address this? My current proposal is: - Return concept of groupId, which will return the path like "/qa/management". So usage could be like: Group qaGroup = new SimpleGroup("qa"); Group qaManagementGroup = new SimpleGroup("management", qaGroup); assertEquals("management", qaManagementGroup.getName()); assertEquals("/qa/management", qaManagement); - Either -- fix all existing usages of identityManager.getGroup(String groupId), so it really expects groupId as argument (not groupName): -- or introduce new method on IdentityManager (and IdentityStore) like: Group getGroupByGroupId(String groupId); It's possible that some identityStore implementations doesn't support groups with same name (For example current LDAPIdentityStore can't support it because there is only one DN for access all groups, but we discussed with Pedro that this is planned to address later) Any thoughts? Marek

12 years, 11 months

7
25
0 / 0

checkstyle.xml in PicketLink workspace

by Anil Saldhana

Hi All, wondering if we can enforce checkstyle across all the modules in the PL workspace? Currently just one or two modules are enforcing. I know some of you have philosophical indifference to checkstyle. I would like to propose unformity across the modules in terms of code structure. Regards, Anil

12 years, 11 months

2
2
0 / 0

Sorting support in IDM

by Marek Posolda

Hi, I've looked that currently there is no support for sorting of query results by some attributes. So I've added some support for sorting into IDM API into IdentityQuery class. Especially those four methods: /** * Parameters used to sort the results. First parameter has biggest priority. * For example: setSortParameter(User.LAST_NAME, User.FIRST_NAME) means that results will be sorted primarily by lastName * and firstName will be used to sort only records with same lastName * * @param sortParameters parameters to specify sort criteria * @return this query */ IdentityQuery<T> setSortParameters(QueryParameter... sortParameters); /** * @see #setSortParameters(QueryParameter...) */ QueryParameter[] getSortParameters(); /** * Specify if sorting will be ascending (true) or descending (false) * @param sortAscending to specify if sorting will be ascending or descending * @return this query */ IdentityQuery<T> setSortAscending(boolean sortAscending); /** * @return true if sorting will be ascending * @see #setSortAscending(boolean) */ boolean isSortAscending(); This adds support for sort by more attributes (if attribute1 has same value for some records, attribute2 will be used) and I hope that having this in API is sufficient to cover majority of usecases. WDYT? I've added support for sorting into JPAIdentityStore for now. Will try to add support also into FileIdentityStore and LDAPIdentityStore if you are ok with my proposal. I've added some unit tests to test this (they are enabled only for JPAIdentityStoreTestSuite now because it's implemented only here) WDYT? Cheers, Marek

12 years, 11 months

2
2
0 / 0

Fwd: [JIRA] Resolved: (JAX_RS_SPEC-346) NewCookie needs HttpOnly

by Bill Burke

Fixed in JAx-rs 2.0 -------- Original Message -------- Subject: [JIRA] Resolved: (JAX_RS_SPEC-346) NewCookie needs HttpOnly Date: Mon, 4 Feb 2013 20:24:53 +0000 (GMT+00:00) From: Marek Potociar (JIRA) <jira-no-reply(a)java.net> To: patriot1burke(a)java.net [ http://java.net/jira/browse/JAX_RS_SPEC-346?page=com.atlassian.jira.plugi... ] Marek Potociar resolved JAX_RS_SPEC-346. ---------------------------------------- Resolution: Fixed Fixed on the master branch. Added {{HttpOnly}}-aware constructors and {{isHttpOnly()}} getter to {{NewCookie}}. > NewCookie needs HttpOnly > ------------------------ > > Key: JAX_RS_SPEC-346 > URL: http://java.net/jira/browse/JAX_RS_SPEC-346 > Project: jax-rs-spec > Issue Type: New Feature > Components: runtime > Affects Versions: 1.1 > Reporter: patriot1burke > Assignee: Marek Potociar > Fix For: 2.0-pfd, 2.0 > > > This is needed to plug up certain security holes -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://java.net/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

12 years, 11 months

2
2
0 / 0

[Timed Releases] - Picketlink and PicketBox 5

by Pedro Igor Silva

Hi All, Today, we released a new timed version for PicketLink(IDM, Core and Extensions) and PicketBox 5. For PicketBox 5: - https://docs.jboss.org/author/display/SECURITY/Java+Application+Security - https://docs.jboss.org/author/display/SECURITY/Timed+Release+2013-Feb-01 - https://github.com/picketbox/picketbox-quickstarts For PicketLink IDM: - https://gist.github.com/4589102 <dependency> <groupId>org.picketlink</groupId> <artifactId>picketlink-idm-impl</artifactId> <version>3.0.0-2013Feb01</version> </dependency> For PicketLink Extensions: <dependency> <groupId>org.picketlink.extensions</groupId> <artifactId>picketlink-extensions-core</artifactId> <version>3.0.0-2013Feb01</version> </dependency> - Simple CDI Example with JSF 2, JPA, Authentication and Authorization, Identity Management https://github.com/picketbox/picketbox-quickstarts/tree/v5.0.0-2013Feb01/... - TODO Aerogear with JAX-RS, HTML5, JS, JPA, Authentication (User/Pass, OTP, Facebook, Google) and Authorization, Identity Management, Session Management. https://github.com/picketlink/TODO Regards. Pedro Igor

12 years, 11 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

security-dev February 2013