REST API for user provisioning
by Anil Saldhana
Hi All,
Now that we have an excellent IDM subsystem as part of PicketLink3,
we need to next look at incorporating SCIM
(http://www.simplecloud.info/), a set of standards surrounding REST APIs
for cloud provisioning. SCIM is part of the IETF.
Probably in the PicketLink 3.1+ timeframe.
Regards,
Anil
11 years, 8 months
PicketLink IDM subsystem
by Stian Thorgersen
As part of our project we need a basic JBoss AS subsystem for PicketLink IDM. We hope to either contribute this to PicketLink, or to be able to replace it with an official subsystem once it's available. If there is any interest in what we've done so far, we would welcome feedback and/or help to complete it.
I thought this would be a good time to send this mail as we have something very basic working. It's available on github (https://github.com/stianst/eventjuggler-services/tree/idm). It's the Identity subsystem (identity/impl) that provides the PL IDM subsystem equivalent.
To enable the Identity subsystem, a deployment adds a dependency on "org.eventjuggler.services.identity", which causes the deployment processors in the Identity subsystem to:
* Add a dependency on our PL 3 module
* Install CDI extensions that provide the beans from PL jars + a producer for EntityManager that uses an EntityManagerFactory created by the Identity service
This in turn means that the deployment doesn't have to include PL jars or any PL configuration for the identity store.
We have an example application that uses this service. It uses only PL 3 APIs for authentication/authorization. That's also available on github (https://github.com/stianst/eventjuggler/tree/idm/).
To try it out, first download JBoss EAP 6.1.0.Alpha, then run the following:
git clone https://github.com/stianst/eventjuggler-services.git
cd eventjuggler-services
git checkout origin/idm -b idm
mvn -Djboss.zip=<location of jboss-eap-6.1.0.Alpha.zip> install
build/target/jboss-eap-6.1/bin/standalone.sh
If you also want to try the example application run the following:
git clone https://github.com/stianst/eventjuggler.git
cd eventjuggler
git checkout origin/idm -b idm
mvn clean install
mvn -pl ear jboss-as:deploy
Now you should be able to open http://localhost:8080/eventjuggler-client and select register and login to check that authentication works.
We haven't put too much effort into exactly what we're doing as we wanted some feedback first. A few things that we've been thinking about include:
* Split idm and core into separate subsystems + modules
* Allow configuring the identity store (jpa, ldap or file) through JBoss AS management
* Support multiple identity store configurations and a mechanism to select which to use for a specific deployment
11 years, 8 months
PL3.0 RoadMap has been altered
by Anil Saldhana
Based on discussions last week with many project leads we need to extend
the PL3 release cycle with additional betas. I am working on the
roadmap and will reply this week with it. :)
11 years, 9 months
JBossWay: Quickstarts and Demos
by Anil Saldhana
Hi All,
I wanted to brainstorm here to collect a set of quickstarts and demos
we can have for PicketLink v3 release. I am hoping Pete can guide us on
this from JBossWay perspective.
Regards,
Anil
11 years, 9 months
[PicketLink] - Version 3.0.0.Beta1 Released
by Pedro Igor Silva
Hi All,
Today we released the first Beta version for PicketLink. For now, we're releasing only the IDM and CORE modules.
<dependency>
  <groupId>org.picketlink</groupId>
  <artifactId>picketlink-idm-impl</artifactId>
  <version>3.0.0.Beta1</version>
</dependency>
<dependency>
  <groupId>org.picketlink</groupId>
  <artifactId>picketlink-core-impl</artifactId>
  <version>3.0.0.Beta1</version>
</dependency>
We're waiting on SourceForge to upload the distribution package with the binaries, docs and sources. I'll let you know when everything is ok.
Regards.
Pedro Igor
11 years, 9 months
Security Role Mappings
by Darran Lofthouse
I am looking for some clarification regarding the <security-role>
element in the jboss-web.xml - trying to dig through some historic use
of the element I am starting to think a mistake was made in AS7 and that
the mapping logic is not what was originally intended by the element.
Take the following definition: -
<security-role>
  <role-name>Support</role-name>
  <principal-name>Mark</principal-name>
  <principal-name>Tom</principal-name>
</security-role>
My interpretation of this is that originally this was used where we had
a run-as-principal defined; this would mean if the run-as-principal is
either 'Mark' or 'Tom' then assume that membership of the role 'Support'
is also true.
Where there is no run-as-principal I believe this also evolved to mean,
if the authenticated user is 'Mark' or 'Tom' then assume that they are a
member of the role 'Support'.
However, for some reason within AS7 we seem to now be matching the
principal-name values against the user's currently assigned roles and not
matching them against the name of the Principal.
To me this new behaviour is wrong and is confusing but I wanted to check
if there were other opinions. Where a role to role mapping is required
there is already a login module to provide that capability and I think
that has been confused with the principal to role mapping of the
deployment descriptor.
Regards,
Darran Lofthouse.
11 years, 9 months
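The two readings of the <security-role> element that the post contrasts, as an added example that is not part of the original mail or of JBoss AS: it parses a constructed jboss-web.xml fragment carrying the same mapping and evaluates it once as a principal-to-role mapping (the original intent, with an optional run-as principal) and once as the role-to-role matching the post describes for AS7. Function names, the run_as parameter and the sample users are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed jboss-web.xml fragment carrying the mapping quoted in the post.
JBOSS_WEB_XML = """<jboss-web>
  <security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
  </security-role>
</jboss-web>"""


def parse_security_roles(xml_text):
    """Return {role-name: set(principal-name)} for every <security-role>."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for elem in root.findall("security-role"):
        role = elem.findtext("role-name")
        mappings[role] = {p.text for p in elem.findall("principal-name")}
    return mappings


def roles_principal_to_role(principal, assigned_roles, mappings, run_as=None):
    """Original intent described in the post: principal-name values are
    compared with the name of the Principal (the run-as principal when one
    is defined, otherwise the authenticated user). A match grants the role."""
    name = run_as if run_as is not None else principal
    effective = set(assigned_roles)
    for role, principals in mappings.items():
        if name in principals:
            effective.add(role)
    return effective


def roles_role_to_role(principal, assigned_roles, mappings):
    """AS7 behaviour the post objects to: principal-name values are compared
    with the roles the user already holds, so the element acts as a
    role-to-role mapping and the Principal's name is never consulted."""
    effective = set(assigned_roles)
    for role, principals in mappings.items():
        if principals & set(assigned_roles):
            effective.add(role)
    return effective


def compare(principal, assigned_roles, run_as=None):
    """Evaluate both readings of the descriptor for one authenticated user
    and return the sorted effective role sets side by side."""
    mappings = parse_security_roles(JBOSS_WEB_XML)
    return {
        "principal_to_role": sorted(
            roles_principal_to_role(principal, assigned_roles, mappings, run_as)),
        "role_to_role": sorted(
            roles_role_to_role(principal, assigned_roles, mappings)),
    }


if __name__ == "__main__":
    # Mark only gains 'Support' under the principal-to-role reading; a user
    # whose role happens to be named 'Tom' gains it only under the AS7 reading.
    print(compare("Mark", {"Employee"}))
    print(compare("Alice", {"Tom"}))
```

Running it on the sample users shows the divergence concretely: Mark with the role Employee gets Support only under the principal-name reading, while an unrelated user who happens to hold a role literally named Tom gets Support only under the role-to-role reading, which is the confusion the post describes.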
Beta coming soon
by Anil Saldhana
There are some important fixes to be done. Shane and Pedro are diligently working on it. Beta should be out very shortly. Targeting this week.
The changes do not affect the functionality that Aerogear depends on afaik but nevertheless we need to fix it.
Spoke to Jay in person last evening and he agreed that it is important to make the fixes for Beta.
Once our Beta is released, Aerogear v1.0 will be released soon. <excited/>
11 years, 9 months
Password masking/clear text
by Anil Saldhana
Hi All,
*Background* :-
Almost all projects have a password that needs to be configured in a
configuration file or needs to be set as a value in an annotation.
Nobody likes to see cleartext passwords.
*What we did until now* :-
Since encryption/decryption requires a symmetric key and it is a pain to
manage symmetric keys, we have used Password Based Encryption (PBE),
which is not bullet-proof encryption but a low-grade attempt at masking
the passwords.
PicketBox historically had the PBE utility classes.
PicketBox4 has the Vault interface/default implementation that was
placed into AS7. The Vault uses AES encryption to encrypt the passwords
using a Java Keystore. But it uses a weak link ( PBE to mask the
password to the keystore).
*Why do we need to think about this?* :-
JBoss Community projects either run standalone (and sometimes may need to run
on different app servers) or run in JBoss AS. An example would be Drools
Management (aka BRMS). If the project runs on JBossAS, you should be
using the vault facility to mask the passwords.
What do we do with standalone projects for the future?
a) We can ask them to download the picketbox library as dependency and
build on the vault SPI or
b) Migrate the vault from PicketBox to PicketLink going forward.
Thoughts?
Regards,
Anil
11 years, 9 months
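The secret chain the mail describes (a password protected by the Vault, whose keystore password is in turn PBE-masked), as an added illustration that is not PicketBox, PicketLink or JBoss AS code: PBKDF2 stands in for the PBE key derivation and an HMAC-SHA256 counter keystream stands in for both PBE's cipher and the Vault's AES, so no real algorithm of either project is reproduced. The config layout, field names, salt, nonces and sample passwords are constructed for the example. The point it makes runnable is the one the mail calls the weak link: salt and iteration count are public parameters, so the whole chain reduces to the secrecy of the PBE passphrase.

```python
import hashlib
import hmac

# Constructed, toy building blocks (not PicketBox's PBE or the Vault's AES):
# PBKDF2 derives a key from a passphrase; an HMAC-SHA256 counter keystream
# XORed over the data stands in for the block cipher.


def derive_key(passphrase, salt, iterations):
    """PBE key step: the passphrase is the only secret input; salt and
    iteration count are public parameters stored next to the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _stream_xor(key, nonce, data):
    """Keystream stand-in for a cipher; XOR is symmetric, so one function
    both masks and unmasks."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def mask(secret, passphrase, salt, iterations, nonce):
    """PBE-style masking of a password string; returns bytes."""
    return _stream_xor(derive_key(passphrase, salt, iterations), nonce, secret.encode())


def unmask(blob, passphrase, salt, iterations, nonce):
    """Inverse of mask(); a wrong passphrase yields unrelated bytes."""
    return _stream_xor(derive_key(passphrase, salt, iterations), nonce, blob)


def vault_key(keystore_password):
    """Stand-in for the AES key the Vault keeps in a Java keystore: the key
    is reachable only through the keystore password."""
    return hashlib.sha256(b"vault-key|" + keystore_password.encode()).digest()


def vault_encrypt(plaintext, keystore_password, nonce):
    return _stream_xor(vault_key(keystore_password), nonce, plaintext.encode())


def vault_decrypt(blob, keystore_password, nonce):
    return _stream_xor(vault_key(keystore_password), nonce, blob)


def build_config(db_password, keystore_password, pbe_passphrase):
    """Constructed on-disk state for the chain in the mail: the DB password
    is vault-encrypted, and the keystore password is PBE-masked. Salt,
    iteration count and nonces are deliberately stored in the clear, as
    PBE parameters normally are."""
    salt, iterations = b"public-salt-1234", 50_000
    ks_nonce, vault_nonce = b"\x01" * 16, b"\x02" * 16
    return {
        "salt": salt,
        "iterations": iterations,
        "ks_nonce": ks_nonce,
        "vault_nonce": vault_nonce,
        "masked_keystore_password": mask(keystore_password, pbe_passphrase, salt, iterations, ks_nonce),
        "vault_blob": vault_encrypt(db_password, keystore_password, vault_nonce),
    }


def recover_db_password(config, pbe_passphrase):
    """Walk the chain back from the config file. Everything except the PBE
    passphrase is on disk, so the passphrase is the single secret the
    design depends on; that is the weak link the mail points at."""
    ks_pw = unmask(config["masked_keystore_password"], pbe_passphrase,
                   config["salt"], config["iterations"], config["ks_nonce"])
    return vault_decrypt(config["vault_blob"], ks_pw.decode(errors="replace"),
                         config["vault_nonce"])


if __name__ == "__main__":
    cfg = build_config("s3cret-db", "ks-pass", "pbe-phrase")
    print(recover_db_password(cfg, "pbe-phrase"))  # the DB password
    print(recover_db_password(cfg, "wrong-phrase"))  # unrelated bytes
```

The design lesson the code makes explicit is that masking with a passphrase only relocates the secret; if the passphrase has to live in the same configuration the Vault protects, the AES layer adds no confidentiality over what PBE alone gives, which is why the mail treats the keystore password step as the link worth redesigning.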