On Monday, January 21, 2013 at 3:16 PM, Bill Burke wrote:
I'll be doing a release next week. I still have to write documentation, but the features and examples are complete.

On 1/21/2013 12:11 PM, Bruno Oliveira wrote:

Hi Bill, did you have the chance to move forward?

--
"The measure of a man is what he does with power" - Plato
@abstractj
Volenti Nihil Difficile

On Monday, January 7, 2013 at 9:14 PM, Bill Burke wrote:

A week or two before Christmas, I decided to refocus my OAuth work so that I could support *existing* JBoss web applications. I'm about a week or two away from releasing something. I just need to do some final minor feature work, test it a little bit more, and write some documentation.

*NOTE* All this works with existing JBoss web applications and security domain infrastructure.

FEATURE 1: TRADITIONAL OAUTH

You can take any existing web app and turn it into an OAuth2 provider. Currently, it must be using servlet FORM authentication and a jboss security domain. All that is required additionally is adding a valve to jboss-web.xml, generating a realm key pair in a keystore, and putting a small json configuration file in your WAR's classpath. Once you've done this, your existing web app can generate access tokens and *additionally* do bearer token auth. Client apps just need to follow the OAuth2 client protocol to obtain their access tokens, and do client-side OAuth2 bearer token authentication to access the web app.

FEATURE 2: CENTRALIZED AUTHZ and Distributed SSO

* Turn any existing user/password/roles JBoss Security Domain into a remote, centralized, authentication and authorization server. It is as simple as creating a small WAR that is FORM auth enabled, setting a particular jboss-web valve, and defining a simple json configuration file.
* Next, you can take any existing web app that uses FORM auth, and point it to this central server. The plugin will do the correct browser redirects via OAuth2 protocol to the central server. Identity and role mappings are transferred via the access token.
* This is authentication and authorization! user auth and role mappings!
* It supports Distributed SSO. Once you've logged into the central authentication server, you are logged into any application configured to accept authentication/authorization from the central server.
* It supports Distributed Log Out. So, you can log out of all web applications.
* Central server has a small admin interface that allows admins to logout a specific user (or all users) on all secured web applications. You can also set up bearer token policies like: don't accept tokens created before a certain date.
* Bearer tokens are generated for each browser login.
* Tokens are propagated and can be accessed in business logic via a request attribute, or in JAX-RS land, the @Context annotation. You can then use this token to access other HTTP-based services on your network. This allows your web application to talk securely with a network of web services.

This all works by defining a simple OAuth2 Bearer token format and using OAuth2 protocols to obtain and distribute these tokens. My format is a small extension to JSON Web Token that has role-mapping information. It is signed and verified using PKI.

I have plans to extend this to work with BASIC and CLIENT_CERT servlet authentication.

--
Bill Burke
JBoss, a division of Red Hat

_______________________________________________
security-dev mailing list
security-dev@lists.jboss.org

--
Bill Burke
JBoss, a division of Red Hat
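The token format Bill describes in the January 7 message (a small JWT extension carrying role mappings, signed with the realm's key pair, plus the admin policy of rejecting tokens created before a certain date), as an added Go example that is not code from the project: the `sub`/`iat`/`roles` claim names, the per-application roles layout and the EdDSA choice (the post only says "PKI") are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// RoleToken is a constructed stand-in for the JWT extension described on the list:
// standard sub/iat claims plus a per-application role mapping (claim names assumed).
type RoleToken struct {
	Subject  string              `json:"sub"`
	IssuedAt int64               `json:"iat"`
	Roles    map[string][]string `json:"roles"` // assumed name: web app -> granted roles
}
var b64 = base64.RawURLEncoding

// Sign emits header.payload.signature, signing the first two segments with the realm's private key.
func Sign(tok RoleToken, key ed25519.PrivateKey) (string, error) {
	payload, err := json.Marshal(tok)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input))), nil
}

// Verify pins the algorithm (the header's alg is never consulted), checks the signature before
// reading any claim, then applies the admin policy: reject tokens issued before the cutoff.
func Verify(raw string, pub ed25519.PublicKey, cutoff int64) (*RoleToken, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var tok RoleToken
	if payload, err := b64.DecodeString(parts[1]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(payload, &tok); err != nil {
		return nil, err
	}
	if tok.IssuedAt < cutoff {
		return nil, errors.New("token issued before policy cutoff")
	}
	return &tok, nil
}
```

A relying web app would load only the realm's public key; raising the cutoff to "now" is how a forced global logout invalidates every outstanding bearer token without a revocation list.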