PicketLink and Certificate Management API
by Pedro Igor Silva
Hi,
We're looking to provide an API to easily enable Key and Certificate Management for PicketLink-based applications.
The idea is to turn a partition into a Certification Authority, responsible for issuing, validating, revoking and renewing certificates for the identity types (e.g. users, devices, etc.) associated with it.
In the future, we also want to provide:
- RESTful Endpoints to perform not only certificate operations, but also manage keys. Especially public keys. Probably using JSON Web Keys (JWK).
- Better support for html5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption. Especially when using JWT and JOSE.
- Support Java KeyStores to load and store keys.
So far we did something like:
CertificateConfig config = new DefaultCertificateConfig();
// set config with signature algo, cert sign algo, default validity, bit length, etc
// create a CA based on an existing partition
CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);
User user = // get user
CertificateRequest certRequest = new DefaultCertificateRequest(user, config);
X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key
We're still working on it, but we would like to check your feedback or opinions about requirements and use cases.
Regards.
Pedro Igor
10 years, 4 months
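A worked sketch of what "turn a partition into a CA" involves, added here as an illustration and not PicketLink code: it builds a self-signed partition CA, issues an end-entity certificate signed with the CA key, validates that certificate against the CA, and puts the CA key into a Java KeyStore (the third item on the wish list). It assumes BouncyCastle's bcpkix library on the classpath, since the JDK has no public API for building X.509 certificates; the class name PartitionCertificateAuthority, the partition name and the identity name are made up for the example.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical partition-backed CA; class and method names are this example's own, not PicketLink's. */
public final class PartitionCertificateAuthority {
    private static final String SIG_ALG = "SHA256withRSA"; // the "cert sign algo" of the config sketch
    private static final int KEY_BITS = 2048;              // the "bit length"
    private final X500Name caName;
    private final KeyPair caKeys;
    private final X509Certificate caCert;
    private final SecureRandom random = new SecureRandom();

    /** Turns a partition (represented here only by its name) into a CA with a fresh self-signed root. */
    public PartitionCertificateAuthority(String partitionName) throws Exception {
        this.caName = new X500Name("CN=" + partitionName + " CA");
        this.caKeys = newKeyPair();
        // Self-signed: issuer == subject, signed with the CA's own key, flagged as a CA.
        this.caCert = sign(caName, caName, caKeys.getPublic(), caKeys.getPrivate(), 3650, true);
    }

    /** Issues an end-entity certificate for an identity (user, device, ...) signed with the CA key. */
    public X509Certificate issue(String identityName, PublicKey subjectKey, int validityDays) throws Exception {
        return sign(caName, new X500Name("CN=" + identityName), subjectKey, caKeys.getPrivate(), validityDays, false);
    }

    /** Validates: signed by this CA, inside its validity window, and not itself a CA certificate. */
    public boolean validate(X509Certificate cert) {
        try {
            cert.verify(caCert.getPublicKey());      // signature check against the CA public key
            cert.checkValidity();                     // notBefore / notAfter
            return cert.getBasicConstraints() == -1;  // -1 means "not a CA"
        } catch (Exception e) {
            return false;                             // bad signature, expired, or signed by another key
        }
    }

    /** Puts the CA key and certificate into a PKCS12 keystore (in memory; persist it with ks.store(...)). */
    public KeyStore toKeyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("ca", caKeys.getPrivate(), password, new Certificate[] { caCert });
        return ks;
    }

    private X509Certificate sign(X500Name issuer, X500Name subject, PublicKey subjectKey,
                                 PrivateKey signingKey, int validityDays, boolean isCa) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validityDays));
        BigInteger serial = new BigInteger(64, random); // random serial; a real CA must also persist it
        JcaX509v3CertificateBuilder builder =
                new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        int usage = isCa ? KeyUsage.keyCertSign | KeyUsage.cRLSign
                         : KeyUsage.digitalSignature | KeyUsage.keyEncipherment;
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(usage));
        ContentSigner signer = new JcaContentSignerBuilder(SIG_ALG).build(signingKey);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    private static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(KEY_BITS);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        PartitionCertificateAuthority ca = new PartitionCertificateAuthority("acme");
        KeyPair userKeys = newKeyPair();
        X509Certificate userCert = ca.issue("jdoe", userKeys.getPublic(), 365);
        System.out.println(userCert.getSubjectX500Principal() + " valid=" + ca.validate(userCert));
        // A certificate issued by a different partition's CA is rejected by this one.
        PartitionCertificateAuthority other = new PartitionCertificateAuthority("other");
        System.out.println("foreign valid=" + ca.validate(other.issue("jdoe", userKeys.getPublic(), 365)));
    }
}
```

Revocation and renewal from the proposal are not shown; a real CA would persist issued serials to back a CRL or OCSP responder, and would keep the CA private key in a protected KeyStore or HSM rather than in memory.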
SAML SSO with signatures error
by Eric Wittmann
Hi guys.
I'm using the EAP IDP Valve with the SPFilter servlet filter running on
EAP 6.3.0 to implement web SSO. It works fine without signatures, but
now I'm trying to enable signatures on the IDP (meaning I want the IDP
to sign the saml response and I want the SPFilter to verify the sig).
I'm using picketlink 2.5.3.SP1 packaged into the SP WAR. I'm using
whatever picketlink version comes with EAP 6.3 (2.5.3.SP5 I think).
I currently have two problems. The first is that the SPFilter does this
in the verifySignature() method:
URL issuerURL;
try {
    issuerURL = new URL(issuerID);
} catch (MalformedURLException e1) {
    throw new IssuerNotTrustedException(e1);
}
This code fails for me because the issuerID in the saml response is
"/overlord-idp/". I haven't dug into this yet, but I imagine I need to
tweak something on the IDP to get it to put in a full issuer into the
saml response.
I can get past that with the debugger (by modifying the issuerID value)
but when I do I hit the following stack trace:
https://gist.github.com/EricWittmann/f05b65689367ba321fc8
The Signature in the saml response seems ok when I eyeball it. That
stack trace is pretty opaque to me - does anyone have any insight into it?
-Eric
10 years, 5 months
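For comparison with the SPFilter behaviour described above, here is an added, stand-alone illustration (not PicketLink's code) of how a service provider can verify an IDP-signed SAML Response: the Issuer is compared as an exact string against a configured allow-list, so a relative value such as "/overlord-idp/" needs no URL parsing, and the enveloped XML signature is validated against a pinned IDP public key rather than against whatever KeyInfo the message carries. It uses only the JDK's javax.xml.crypto.dsig API; the class name SamlResponseVerifier and the way the IDP key and the issuer list are obtained are assumptions.

```java
import java.io.StringReader;
import java.security.PublicKey;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Hypothetical SP-side check; the name and constructor arguments are this example's, not SPFilter's. */
public final class SamlResponseVerifier {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    private final PublicKey idpKey;           // pinned IDP signing key, taken from the IDP certificate in config
    private final Set<String> trustedIssuers; // exact issuer IDs we accept, e.g. "/overlord-idp/"

    public SamlResponseVerifier(PublicKey idpKey, Set<String> trustedIssuers) {
        this.idpKey = idpKey;
        this.trustedIssuers = trustedIssuers;
    }

    /** True only if the Issuer is trusted and the enveloped signature over this Response validates. */
    public boolean verify(String responseXml) throws Exception {
        Element response = parse(responseXml).getDocumentElement();

        // 1. Issuer: compared as an opaque string against the allow-list, no URL parsing involved.
        Node issuer = firstChild(response, SAML_NS, "Issuer");
        if (issuer == null || !trustedIssuers.contains(issuer.getTextContent().trim())) {
            return false;
        }

        // 2. The Signature must be a direct child of the Response element.
        Node sig = firstChild(response, DSIG_NS, "Signature");
        if (sig == null) {
            return false;
        }

        // 3. Validate with the pinned key only; KeyInfo inside the message is deliberately ignored.
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(idpKey), sig);
        ctx.setIdAttributeNS(response, null, "ID"); // lets Reference URI="#<ID>" resolve to the Response
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) {
            return false;
        }

        // 4. The signed Reference must cover this Response, not some other element in the document.
        String expectedUri = "#" + response.getAttribute("ID");
        for (Object ref : signature.getSignedInfo().getReferences()) {
            if (expectedUri.equals(((Reference) ref).getURI())) {
                return true;
            }
        }
        return false;
    }

    private static Node firstChild(Element parent, String ns, String localName) {
        NodeList children = parent.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return n;
            }
        }
        return null;
    }

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for XML-DSig processing
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
}
```

This covers the Response-level signature only; the assertion's Conditions (audience, NotOnOrAfter), the InResponseTo binding and any assertion-level signature still need their own checks, and the IDP certificate must come from SP configuration rather than from the message being verified.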
Problem with IDPFilter on Tomcat
by Eric Wittmann
Hey everyone.
We've run into the following issue when using the IDPFilter in Tomcat 7:
https://issues.jboss.org/browse/SRAMP-445
I added a comment with more information discovered after doing some
debugging.
Not sure what I'm going to do about this yet, but if anyone has any
ideas I'd be thrilled to hear them. :)
-Eric
10 years, 5 months
(no subject)
by Rahul Mahindrakar
Hi
I am not able to find the RelationshipIdentity class as per the documentation
--
The next step is to define which identities participate in the
relationship. Once we create our identity property methods, we also need to
annotate them with the
org.picketlink.idm.model.annotation.RelationshipIdentity annotation. This
is done by creating a property for each identity type.
--
Any Ideas on how to create custom relationships?
Rahul
10 years, 5 months
Source in Eclipse
by Rahul Mahindrakar
Hi
I have downloaded the source in eclipse and when I import the pom from the
root folder as a maven project I get the following problem
Could not get configured mojo for
org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1:checkstyle
{execution: check-style}
Plugin org.apache.maven.plugins:maven-checkstyle-plugin:2.12.1 or one of
its dependencies could not be resolved: Failed to collect dependencies for
org.apache.maven.plugins:maven-checkstyle-plugin:jar:2.12.1 ()
Any ideas?
Rahul
10 years, 5 months
Re: [security-dev] Permission and Role
by Rahul Mahindrakar
Is it possible to aggregate permissions under roles?
This makes it easier to grant roles to a user and thereby a large set of permissions.
-----Original Message-----
From: "Shane Bryzak" <sbryzak(a)redhat.com>
Sent: 2014-06-05 01:29
To: "security-dev(a)lists.jboss.org" <security-dev(a)lists.jboss.org>
Subject: Re: [security-dev] Permission and Role
Hi Rahul,
They are fundamentally two very different things. A role is typically used to define a set of users for which specific privileges are to be assigned, while a permission is used to control access to application resources or services. A permission check can actually use the user's roles to determine whether the user has the necessary privilege to perform an action. Here are a couple of pseudo-code examples to make this a little clearer:
1. Restricting access to a method based on the user's role:
@RolesAllowed("admin")
public void doProtectedOperation() {
    ...
}
2. Restricting access to a method to users with permission to cancel a specific "order":
public void cancelOrder(@HasPermission("cancel") Order order) {
    ...
}
Hope that helps!
Shane
On 06/05/2014 09:13 AM, Rahul Mahindrakar wrote:
Hi
I have not been able to have a grasp of the difference between the usage of Role and permissions.
Can someone guide me in this direction
Thanks
Rahul
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
10 years, 5 months
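The pseudo-code in Shane's reply contrasts a role check with a permission check. The following added example (plain Java, not PicketLink's permission API) spells both out as explicit checks and also shows the aggregation asked about at the top of the thread: a role maps to a set of operations, and the permission resolver consults the user's roles first and then a resource-specific rule that no role expresses. All class and method names are invented for the illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical domain objects and checks; names are this example's own, not PicketLink's. */
public final class RolePermissionDemo {

    static final class User {
        final String name;
        final Set<String> roles;
        User(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    static final class Order {
        final String id;
        final String owner;
        Order(String id, String owner) { this.id = id; this.owner = owner; }
    }

    /** Role check: coarse-grained, answers "is this user in the set called <role>?". */
    static boolean hasRole(User user, String role) {
        return user.roles.contains(role);
    }

    /**
     * Permission resolver: fine-grained, answers "may this user perform <operation> on this Order?".
     * Permissions are aggregated under roles (role -> operations allowed on any order) and one
     * resource-level rule is added on top: the owner of an order may cancel it.
     */
    static final class OrderPermissions {
        private final Map<String, Set<String>> rolePermissions = new HashMap<>();

        void grant(String role, String... operations) {
            rolePermissions.computeIfAbsent(role, r -> new HashSet<>()).addAll(Arrays.asList(operations));
        }

        boolean hasPermission(User user, String operation, Order order) {
            for (String role : user.roles) {
                if (rolePermissions.getOrDefault(role, Collections.emptySet()).contains(operation)) {
                    return true; // privilege inherited from an aggregated role
                }
            }
            // Resource-specific rule that roles alone cannot express: ownership of this particular order.
            return "cancel".equals(operation) && order.owner.equals(user.name);
        }
    }

    /** Explicit form of @RolesAllowed("admin") from the thread. */
    static void doProtectedOperation(User user) {
        if (!hasRole(user, "admin")) {
            throw new SecurityException(user.name + " is not admin");
        }
    }

    /** Explicit form of cancelOrder(@HasPermission("cancel") Order order) from the thread. */
    static void cancelOrder(OrderPermissions permissions, User user, Order order) {
        if (!permissions.hasPermission(user, "cancel", order)) {
            throw new SecurityException(user.name + " may not cancel " + order.id);
        }
    }

    public static void main(String[] args) {
        OrderPermissions permissions = new OrderPermissions();
        permissions.grant("support", "read", "cancel");          // support staff may cancel any order
        permissions.grant("admin", "read", "cancel", "delete");  // admins get the support set plus delete

        User alice = new User("alice", new HashSet<>(Arrays.asList("customer")));
        User bob = new User("bob", new HashSet<>(Arrays.asList("support")));
        Order aliceOrder = new Order("order-1", "alice");
        Order carolOrder = new Order("order-2", "carol");

        cancelOrder(permissions, alice, aliceOrder); // allowed: alice owns the order
        cancelOrder(permissions, bob, carolOrder);   // allowed: the "support" role aggregates "cancel"
        try {
            cancelOrder(permissions, alice, carolOrder); // denied: no role grants it and she is not the owner
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        try {
            doProtectedOperation(bob); // denied: role check, bob is not admin
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of keeping the two checks separate is that a role answers a question about the user alone, while a permission answers a question about a user and a specific resource; routing the role lookup through the permission resolver is what lets a role stand in for a large set of permissions without giving up per-resource rules.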
Permission and Role
by Rahul Mahindrakar
Hi
I have not been able to have a grasp of the difference between the usage of
Role and permissions.
Can someone guide me in this direction
Thanks
Rahul
10 years, 5 months