Feedback: IDPFilter/SPFilter
by Eric Wittmann
Hey everyone. Recently we've switched Overlord over to using primarily
the IDPFilter and SPFilter implementations for our PicketLink-based SAML
SSO solution. Previously we were using the app-server-specific approach
(e.g. valves). We're doing this because we need to support both JBoss
and Fuse. The latter is an OSGi environment and uses Jetty as its web
app container. We also support standalone Jetty (why not?) and Tomcat.
My hope was that I could have as few differences as possible with
respect to security across all these platforms. Hence the attempt to
use the filter implementations where possible.
Overall this effort resulted in some success and some failure.
Primarily, we have been successful in using the filter approach to get
everything working in Fuse! This was the primary goal, so that's great.
However, here are some issues we ran into (and are still problems):
1) I couldn't get our IDP working in JBoss EAP 6.x when using the
IDPFilter approach. The problem is that the IDP doesn't seem to do the
redirect back to the SP. I poked at this a *very* little bit but didn't
find the problem. Workaround: continue to use the more native approach
when deploying to EAP.
2) Ran into a pax-web bug that caused an infinite redirect loop when
using welcome-files in the SP web.xml. Workaround: implement a custom
filter to mimic welcome-file behavior. (This is not a problem with
PicketLink, just informational.)
3) When running in Jetty (or in Fuse) we see a number of PicketLink
stack traces: https://gist.github.com/EricWittmann/aafd2c05954cbfea8a87
Workaround: none - we're ignoring them. :(
So finally, if you want to reproduce any of these or just have a look at
some code, go here:
https://github.com/EricWittmann/karaf-picketlink-test
See the README.md for a description of how to run it either in Fuse or
Jetty. To run it in EAP, just copy the relevant WARs into
standalone/deployments (make sure to name them properly, as I have not
included jboss-web.xml files: idp.war, sp1.war, sp2.war).
-Eric
10 years, 8 months
PicketLink Contribution from community volunteer: Max
by Anil Saldhana
Hi all,
Max is a PicketLink community volunteer. He initially had a question
about using custom user types in PicketLink IDM.
Pedro worked with Max to convert Max's use case into an excellent
quickstart/demo. Thanks to Max for the contribution.
https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/mast...
The quickstart has the following features:
- Secure HTML5-based applications using AngularJS at the frontend
- Secure RESTful endpoints based on RBAC and Security Annotations
- Token-based Authentication using JSON Web Token and JSON Web Signature
- Provide a custom credential type and handler
- Provide your own types to represent your users
Regards,
Anil
10 years, 8 months
CSRF and json
by Bill Burke
If you have a JSON-based web service, is it still vulnerable to CSRF
requests? CORS should be one protection. For cross-domain FORM posts,
if the JSON service checks the media type for application/json, it should
abort the request, correct?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 9 months
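A worked illustration of the media-type check Bill asks about, added here as an example and not code from the thread or from PicketLink: a JSON "transfer" endpoint in plain Python, with the unchecked (vulnerable) handler beside the one that gates on Content-Type. The handler names, the transfer action and the sample requests are all constructed for the example. The reason the gate works is a browser property: an HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain, and a cross-origin fetch()/XMLHttpRequest that sets Content-Type: application/json is not a "simple" request, so the browser sends a CORS preflight first and withholds the real request unless the server opts in.

```python
import json


def header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def media_type(content_type):
    """Bare media type, lower-cased, with parameters such as charset or
    boundary stripped: 'Application/JSON; charset=utf-8' -> 'application/json'.
    Comparing the bare type (not a substring match) is what makes the gate strict."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def do_transfer(body):
    """Hypothetical state-changing action the endpoint protects."""
    return "transferred %s to %s" % (body["amount"], body["to"])


def naive_handle(request):
    """VULNERABLE variant: parses the body as JSON whatever its declared type.
    A cross-site <form enctype="text/plain"> can deliver a body that
    json.loads accepts, and the browser attaches the victim's cookies."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    try:
        body = json.loads(request["body"])
    except ValueError:
        return 400, "malformed JSON"
    return 200, do_transfer(body)


def strict_handle(request):
    """HARDENED variant: the request must declare exactly application/json,
    checked before the body is parsed. No HTML form can produce that media
    type, and a cross-origin XHR/fetch that sets it is CORS-preflighted."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    if media_type(header(request["headers"], "Content-Type")) != "application/json":
        return 415, "Content-Type must be application/json"
    try:
        body = json.loads(request["body"])
    except ValueError:
        return 400, "malformed JSON"
    return 200, do_transfer(body)


# Constructed sample requests (not captured traffic).
LEGIT_XHR = {
    "method": "POST",
    "headers": {"Content-Type": "application/json; charset=utf-8",
                "Cookie": "JSESSIONID=abc"},
    "body": '{"to": "alice", "amount": 10}',
}

# A cross-site <form enctype="text/plain"> with one field whose name is
#   {"to":"mallory","amount":1000,"pad":"
# and whose value is  "}  is encoded as  name=value\r\n, giving this body,
# which json.loads happily parses.
CSRF_TEXT_PLAIN = {
    "method": "POST",
    "headers": {"content-type": "text/plain", "Cookie": "JSESSIONID=abc"},
    "body": '{"to":"mallory","amount":1000,"pad":"="}\r\n',
}

CSRF_URLENCODED = {
    "method": "POST",
    "headers": {"Content-Type": "application/x-www-form-urlencoded",
                "Cookie": "JSESSIONID=abc"},
    "body": "to=mallory&amount=1000",
}

NO_CONTENT_TYPE = {
    "method": "POST",
    "headers": {"Cookie": "JSESSIONID=abc"},
    "body": '{"to": "mallory", "amount": 1000}',
}

if __name__ == "__main__":
    for name, req in [("legit XHR", LEGIT_XHR), ("text/plain form", CSRF_TEXT_PLAIN),
                      ("urlencoded form", CSRF_URLENCODED), ("no Content-Type", NO_CONTENT_TYPE)]:
        print("%-16s naive=%s strict=%s" % (name, naive_handle(req), strict_handle(req)))
```

The text/plain case is the one to notice: the naive handler executes the forged transfer, the strict one refuses it with 415 before touching the body. Two caveats a practitioner would keep in mind: the guarantee rests entirely on the browser's form and CORS rules, so an endpoint that also accepts form encodings, or a CORS policy that allows arbitrary origins with credentials, forfeits it; and the gate complements rather than replaces an Origin/Referer check, a CSRF token or SameSite cookies.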