Hello Bolek,
I would actually suggest that getting some of the integration started for AS8
is something we may want to be looking at sooner rather than later -
we have a number of items that still need to be addressed in AS and it
makes more sense to be addressing them with the long term solution based
on PicketLink IDM rather than some intermediate solution.
We are close to looking at whether we can switch from the forked HTTP server
to Undertow for domain management; I am just currently working on
integrating this with the existing realms used for domain management.
After that starting to look at switching to PicketLink for IDM would
make a lot of sense. That would then allow us to start taking the SASL
libraries to the next step with better integration.
One thing we need to remember however is that it is more than just a
subsystem, with the migration to PicketLink IDM we need to avoid the
situation where we have different security solutions in different
locations. This means that we need PicketLink IDM to also be integrated
for domain management. We do have some options for standalone mode
regarding whether we use the subsystem, but within domain mode this needs to
be configurable on the hosts where it will be running in a non-AS process.
I will speak with Brian next week regarding some of this as this is a
special case where we will want to maximise consistency of configuration
between something defined in a subsystem and something defined within
the core configuration.
When defining the configuration for PicketLink I think we also need to
remember that the way this is going to be used is really with two
different target audiences. We are all already familiar with developers
using our projects but this also needs to be usable by administrators
who have an in-depth knowledge of their own infrastructure and
environment but limited knowledge of the internals of the application
server.
I will start another thread for this, but fairly closely related, we need
an overall solution for SSL configuration. In some cases SSL is used
just to encrypt the traffic and in others it is used for authentication
- we need a unified solution across the application server and this will
also tie in with the IDM capabilities of PicketLink.
Regards,
Darran Lofthouse.
On 02/19/2013 11:13 AM, Bolesław Dawidowicz wrote:
Hi
We are doing some prototyping with PicketBox and PicketLink 3. As part
of this it makes sense for us to put it in a separate subsystem in AS7.
There is existing PicketLink 2.x one here:
https://github.com/picketlink/as-subsystem
From what I learned from Anil, while it is on the roadmap, a PicketLink 3.x
subsystem won't happen soon. I would like to discuss requirements for it
as we may be able to contribute something - at least some initial work.
I would also like to discuss how an independent PicketLink service should
be exposed and consumed in applications. The most natural way would be to
provide both CDI integration and a REST interface. Any thoughts on that?
As part of our prototyping we would like to avoid investing time into
something that would duplicate existing functionality or go against
already agreed design.
Bolek
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev