5:13 a.m.
Hi
We are doing some prototyping with PicketBox and PicketLink 3. As part
of this it makes sense for use to put it in separate subystem in AS7.
There is existing PicketLink 2.x one here:
https://github.com/picketlink/as-subsystem
From what I learned from Anil while it is on the roadmap PicketLink 3.x
subsystem won't happens soon. I would like to discus requirements for it
as we may be able to contribute something - at least some initial work.
I would also like to discuss how independent PicketLink service should
be exposed and consumed in applications. Most natural way would be to
provide both CDI integration and REST interface. Any thoughts on that?
As part of our prototyping we would like to avoid investing time into
something that would duplicate existing functionality or go against
already agreed design.
Bolek
6:20 a.m.
On 19 Feb 2013, at 11:13, Bolesław Dawidowicz <bdawidow(a)redhat.com> wrote:
Hi
We are doing some prototyping with PicketBox and PicketLink 3. As part
of this it makes sense for use to put it in separate subystem in AS7.
There is existing PicketLink 2.x one here:
https://github.com/picketlink/as-subsystem
From what I learned from Anil while it is on the roadmap PicketLink 3.x
subsystem won't happens soon.
The focus has been on making something thats easily consumable however it's packaged
initially, but with the idea it should be available as AS7 service at some point.
I would like to discus requirements for it
as we may be able to contribute something - at least some initial work.
Awesome :-)
I would also like to discuss how independent PicketLink service should
be exposed and consumed in applications. Most natural way would be to
provide both CDI integration and REST interface. Any thoughts on that?
Via the Java API should be the top priority IMO. A REST interface would be awesome, but
probably lower priority.
For a Java API, my proposal would be to expose the various managers (IdentityManager,
PermissionManager) via JNDI. We can also provide a default CDI producer that can allow
them to be injected using CDI for application.
We also need to think about how this alters configuring PicketLink. To date, this is via a
programmatic API. Do we want to offer this via the service (Ideally yes, but not sure how,
maybe some callback when the app starts?)? We definitely want to be able to configure from
standalone/domain.xml, what does this look like? Should there be a PicketLink xml (if we
can do it via the programmatic API still, then I think not).
As part of our prototyping we would like to avoid investing time into
something that would duplicate existing functionality or go against
already agreed design.
AFAIK, the above is as far as Shane and I have got :-)
Bolek
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
2:23 a.m.
Thanks for the summary Pete. We'll try to look in this direction
For the configuration part I'm not sure myself yet. Marek is working on
the xml config for IDM which could be useful here. Would be good to
discuss this with specific use cases in mind
Another question... should the code still live in separate repo? Just
wondering if as part of all the repo unifications you would want to
merge it back.
On 02/19/2013 01:20 PM, Pete Muir wrote:
On 19 Feb 2013, at 11:13, Bolesław Dawidowicz <bdawidow(a)redhat.com> wrote:
> Hi
>
> We are doing some prototyping with PicketBox and PicketLink 3. As part
> of this it makes sense for use to put it in separate subystem in AS7.
>
> There is existing PicketLink 2.x one here:
>
> https://github.com/picketlink/as-subsystem
>
> From what I learned from Anil while it is on the roadmap PicketLink 3.x
> subsystem won't happens soon.
The focus has been on making something thats easily consumable however it's packaged
initially, but with the idea it should be available as AS7 service at some point.
> I would like to discus requirements for it
> as we may be able to contribute something - at least some initial work.
Awesome :-)
>
> I would also like to discuss how independent PicketLink service should
> be exposed and consumed in applications. Most natural way would be to
> provide both CDI integration and REST interface. Any thoughts on that?
Via the Java API should be the top priority IMO. A REST interface would be awesome, but
probably lower priority.
For a Java API, my proposal would be to expose the various managers (IdentityManager,
PermissionManager) via JNDI. We can also provide a default CDI producer that can allow
them to be injected using CDI for application.
We also need to think about how this alters configuring PicketLink. To date, this is via
a programmatic API. Do we want to offer this via the service (Ideally yes, but not sure
how, maybe some callback when the app starts?)? We definitely want to be able to configure
from standalone/domain.xml, what does this look like? Should there be a PicketLink xml (if
we can do it via the programmatic API still, then I think not).
>
> As part of our prototyping we would like to avoid investing time into
> something that would duplicate existing functionality or go against
> already agreed design.
AFAIK, the above is as far as Shane and I have got :-)
>
> Bolek
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
4:18 a.m.
On 20 Feb 2013, at 08:23, Bolesław Dawidowicz <bdawidow(a)redhat.com> wrote:
Thanks for the summary Pete. We'll try to look in this direction
For the configuration part I'm not sure myself yet. Marek is working on the xml
config for IDM which could be useful here. Would be good to discuss this with specific use
cases in mind
Yep, definitely. This could be our picketlink.xml. We should make sure it's consistent
with the style of standalone.xml, then it should be easy to use a similar/same schema
there.
Another question... should the code still live in separate repo?
I think so. One day, we'll probably want this in the app server?
Just wondering if as part of all the repo unifications you would want
to merge it back.
On 02/19/2013 01:20 PM, Pete Muir wrote:
>
> On 19 Feb 2013, at 11:13, Bolesław Dawidowicz <bdawidow(a)redhat.com> wrote:
>
>> Hi
>>
>> We are doing some prototyping with PicketBox and PicketLink 3. As part
>> of this it makes sense for use to put it in separate subystem in AS7.
>>
>> There is existing PicketLink 2.x one here:
>>
>> https://github.com/picketlink/as-subsystem
>>
>> From what I learned from Anil while it is on the roadmap PicketLink 3.x
>> subsystem won't happens soon.
>
> The focus has been on making something thats easily consumable however it's
packaged initially, but with the idea it should be available as AS7 service at some
point.
>
>> I would like to discus requirements for it
>> as we may be able to contribute something - at least some initial work.
>
> Awesome :-)
>
>>
>> I would also like to discuss how independent PicketLink service should
>> be exposed and consumed in applications. Most natural way would be to
>> provide both CDI integration and REST interface. Any thoughts on that?
>
> Via the Java API should be the top priority IMO. A REST interface would be awesome,
but probably lower priority.
>
> For a Java API, my proposal would be to expose the various managers (IdentityManager,
PermissionManager) via JNDI. We can also provide a default CDI producer that can allow
them to be injected using CDI for application.
>
> We also need to think about how this alters configuring PicketLink. To date, this is
via a programmatic API. Do we want to offer this via the service (Ideally yes, but not
sure how, maybe some callback when the app starts?)? We definitely want to be able to
configure from standalone/domain.xml, what does this look like? Should there be a
PicketLink xml (if we can do it via the programmatic API still, then I think not).
>
>>
>> As part of our prototyping we would like to avoid investing time into
>> something that would duplicate existing functionality or go against
>> already agreed design.
>
> AFAIK, the above is as far as Shane and I have got :-)
>
>>
>> Bolek
>> _______________________________________________
>> security-dev mailing list
>> security-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>
7:26 a.m.
I don't think that expose REST interfaces are a high priority at the moment (doable,
but not a priority). But if you're interested in Anil and Pedro started something
related, with the basics on picketlink-extensions
(https://github.com/picketlink/picketlink-extensions/tree/master/core/src/...).
Currently I'm more concerned about the basics: HTTP basic & digest authentication
+ authorization on RESTful endpoints.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, February 19, 2013 at 8:13 AM, Bolesław Dawidowicz wrote:
I would also like to discuss how independent PicketLink service
should
be exposed and consumed in applications. Most natural way would be to
provide both CDI integration and REST interface. Any thoughts on that?
2:23 a.m.
On 02/19/2013 02:26 PM, Bruno Oliveira wrote:
I don't think that expose REST interfaces are a high priority at
the moment (doable, but not a priority). But if you're interested in Anil and Pedro
started something related, with the basics on picketlink-extensions
(https://github.com/picketlink/picketlink-extensions/tree/master/core/src/...).
Thanks for pointing this out
Currently I'm more concerned about the basics: HTTP basic &
digest authentication + authorization on RESTful endpoints.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, February 19, 2013 at 8:13 AM, Bolesław Dawidowicz wrote:
> I would also like to discuss how independent PicketLink service should
> be exposed and consumed in applications. Most natural way would be to
> provide both CDI integration and REST interface. Any thoughts on that?
9 a.m.
The subsystem will be critical for AS8 Security. So we need to have a wider
discussion on the subsystem design. At a bare minimum, we need a PL
subsystem that exposes the IDM.
On 02/19/2013 05:13 AM, Bolesław Dawidowicz wrote:
Hi
We are doing some prototyping with PicketBox and PicketLink 3. As part
of this it makes sense for use to put it in separate subystem in AS7.
There is existing PicketLink 2.x one here:
https://github.com/picketlink/as-subsystem
From what I learned from Anil while it is on the roadmap PicketLink 3.x
subsystem won't happens soon. I would like to discus requirements for it
as we may be able to contribute something - at least some initial work.
I would also like to discuss how independent PicketLink service should
be exposed and consumed in applications. Most natural way would be to
provide both CDI integration and REST interface. Any thoughts on that?
As part of our prototyping we would like to avoid investing time into
something that would duplicate existing functionality or go against
already agreed design.
Bolek
9:06 a.m.
A REST interface is orthogonal, IMO. For instance, you could have a
Java facade over your REST interface, then, your application code
doesn't even know if it is going remote or not to interact with the IDM.
On 2/19/2013 10:00 AM, Anil Saldhana wrote:
The subsystem will be critical for AS8 Security. So we need to have
a wider
discussion on the subsystem design. At a bare minimum, we need a PL
subsystem that exposes the IDM.
On 02/19/2013 05:13 AM, Bolesław Dawidowicz wrote:
> Hi
>
> We are doing some prototyping with PicketBox and PicketLink 3. As part
> of this it makes sense for use to put it in separate subystem in AS7.
>
> There is existing PicketLink 2.x one here:
>
> https://github.com/picketlink/as-subsystem
>
> From what I learned from Anil while it is on the roadmap PicketLink 3.x
> subsystem won't happens soon. I would like to discus requirements for it
> as we may be able to contribute something - at least some initial work.
>
> I would also like to discuss how independent PicketLink service should
> be exposed and consumed in applications. Most natural way would be to
> provide both CDI integration and REST interface. Any thoughts on that?
>
> As part of our prototyping we would like to avoid investing time into
> something that would duplicate existing functionality or go against
> already agreed design.
>
> Bolek
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:30 a.m.
----- Original Message -----
From: "Bolesław Dawidowicz" <bdawidow(a)redhat.com>
To: security-dev(a)lists.jboss.org
Cc: "Stian Thorgersen" <stian(a)redhat.com>
Sent: Tuesday, February 19, 2013 8:13:46 AM
Subject: [security-dev] PicketLink AS Subsystem
Hi
We are doing some prototyping with PicketBox and PicketLink 3. As
part
of this it makes sense for use to put it in separate subystem in AS7.
There is existing PicketLink 2.x one here:
https://github.com/picketlink/as-subsystem
This subsystem aims to allow PicketLink Federation users to configure their IDP and SP
applications via standalone/domain xml files. It also provides a domain model that is used
by the PicketLink Federation Console to manage deployments.
Basically, it reads the configuration from the standalone/domain files and automatically
configures the valves for IDPs and SPs. An application can have one of these roles very
easyly, without any specific packaging or configuration.
When working with this subsystem, I did some initial tests creating the picketlink.xml and
adding it during the deployment. Maybe we can use this approach for PL 3, using the XML
config that Marek is working on. There are some drawbacks when doing such thing, mainly
related with the mapping between the xsd used by picketlink and the one used by the
subsystem. But can be an option.
From what I learned from Anil while it is on the roadmap PicketLink
3.x
subsystem won't happens soon. I would like to discus requirements for
it
as we may be able to contribute something - at least some initial
work.
I would also like to discuss how independent PicketLink service
should
be exposed and consumed in applications. Most natural way would be to
provide both CDI integration and REST interface. Any thoughts on
that?
As part of our prototyping we would like to avoid investing time into
something that would duplicate existing functionality or go against
already agreed design.
Bolek
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
11:32 a.m.
It's definitely a requirement to be able to configure the subsystem from within the
deployment. Ideally via a programmatic API and XML.
Understood re mapping the xsd. Not sure what we can do about that.
On 20 Feb 2013, at 17:30, Pedro Igor Silva <psilva(a)redhat.com> wrote:
----- Original Message -----
> From: "Bolesław Dawidowicz" <bdawidow(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Cc: "Stian Thorgersen" <stian(a)redhat.com>
> Sent: Tuesday, February 19, 2013 8:13:46 AM
> Subject: [security-dev] PicketLink AS Subsystem
>
> Hi
>
> We are doing some prototyping with PicketBox and PicketLink 3. As
> part
> of this it makes sense for use to put it in separate subystem in AS7.
>
> There is existing PicketLink 2.x one here:
>
> https://github.com/picketlink/as-subsystem
This subsystem aims to allow PicketLink Federation users to configure their IDP and SP
applications via standalone/domain xml files. It also provides a domain model that is used
by the PicketLink Federation Console to manage deployments.
Basically, it reads the configuration from the standalone/domain files and automatically
configures the valves for IDPs and SPs. An application can have one of these roles very
easyly, without any specific packaging or configuration.
When working with this subsystem, I did some initial tests creating the picketlink.xml
and adding it during the deployment. Maybe we can use this approach for PL 3, using the
XML config that Marek is working on. There are some drawbacks when doing such thing,
mainly related with the mapping between the xsd used by picketlink and the one used by the
subsystem. But can be an option.
>
> From what I learned from Anil while it is on the roadmap PicketLink
> 3.x
> subsystem won't happens soon. I would like to discus requirements for
> it
> as we may be able to contribute something - at least some initial
> work.
>
> I would also like to discuss how independent PicketLink service
> should
> be exposed and consumed in applications. Most natural way would be to
> provide both CDI integration and REST interface. Any thoughts on
> that?
>
> As part of our prototyping we would like to avoid investing time into
> something that would duplicate existing functionality or go against
> already agreed design.
>
> Bolek
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
7:46 a.m.
Hello Bolek,
I would actually suggest getting some of the integration started for AS8
is something that may want to be looking at sooner rather than later -
we have a number of items that still need to be addressed in AS and it
makes more sense to be addressing them with the long term solution based
on PicketLink IDM rather than some intermediate solution.
We are close to looking at if we can switch from the forked HTTP server
to Undertow for domain management, I am just currently working on
integrating this with the existing realms used for domain management.
After that starting to look at switching to PicketLink for IDM would
make a lot of sense. That would then allow us to start taking the SASL
libraries to the next step with better integration.
One thing we need to remember however is that it is more than just a
subsystem, with the migration to PicketLink IDM we need to avoid the
situation where we have different security solutions in different
locations. This means that we need PicketLink IDM to also be integrated
for domain management. We do have some options for standalone mode
regarding if we use the subsystem but within domain mode this needs to
be configurable on the hosts where it will be running in a non-AS process.
I will speak with Brian next week regarding some of this as this is a
special case where we will want to maximise consistency of configuration
between something defined in a subsystem and something defined within
the core configuration.
When defining the configuration for PicketLink I think we also need to
remember that the way this is going to be used is really with two
different target audiences. We are all already familiar with developers
using our projects but this also needs to be usable by administrators
who have an in-depth knowledge of their own infrastructure and
environment but limited knowledge of the internals of the application
server.
I will start another thread for this but fairly closely related we need
an overall solution for SSL configuration, in some cases SSL is used
just to encrypt the traffic and in others it is used for authentication
- we need a unified solution across the application server and this will
also tie in with the IDM capabilities of PicketLink.
Regards,
Darran Lofthouse.
On 02/19/2013 11:13 AM, Bolesław Dawidowicz wrote:
Hi
We are doing some prototyping with PicketBox and PicketLink 3. As part
of this it makes sense for use to put it in separate subystem in AS7.
There is existing PicketLink 2.x one here:
https://github.com/picketlink/as-subsystem
From what I learned from Anil while it is on the roadmap PicketLink 3.x
subsystem won't happens soon. I would like to discus requirements for it
as we may be able to contribute something - at least some initial work.
I would also like to discuss how independent PicketLink service should
be exposed and consumed in applications. Most natural way would be to
provide both CDI integration and REST interface. Any thoughts on that?
As part of our prototyping we would like to avoid investing time into
something that would duplicate existing functionality or go against
already agreed design.
Bolek
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
4315
days inactive
4319
days old
10 comments
7 participants
participants (7)
-
Anil Saldhana -
Bill Burke -
Bolesław Dawidowicz -
Bruno Oliveira -
Darran Lofthouse -
Pedro Igor Silva -
Pete Muir