[security-dev] PicketLink IDM subsystem

Stian Thorgersen stian at redhat.com
Wed Apr 3 07:11:22 EDT 2013


This may not work at the moment, but should be fixed IMO. I think it should be possible to create a global IDM configuration through standalone.xml, or maybe even multiple (and some mechanism to select config for a deployment). By default the global configuration would be overridden by the application specific configuration (as in your example).

Not sure if there would be an IDM config OOTB, so a user would either have to configure one in standalone.xml or provide one in their applications.

There may also be a case for having an option to override application specific configurations, but that probably wouldn't be a very important feature to have.

----- Original Message -----
> From: "Pete Muir" <pmuir at redhat.com>
> To: "Bolesław Dawidowicz" <bdawidow at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Tuesday, 2 April, 2013 4:18:26 PM
> Subject: Re: [security-dev] PicketLink IDM subsystem
> 
> PicketLink IDM allows for programmatic configuration like
> https://github.com/picketlink/picketlink/blob/master/idm/tests/src/test/java/org/picketlink/test/idm/config/JPAIdentityStoreConfigurationTestCase.java#L94
> - can we still use something like this with the subsystem?
> 
> On 28 Mar 2013, at 20:10, Bolesław Dawidowicz <bdawidow at redhat.com> wrote:
> 
> > I'm not sure I fully follow. Could you give some example?
> > 
> > On 03/28/2013 03:31 PM, Pete Muir wrote:
> >> With Stian's approach, is it possible to hook into the bootstrap of the
> >> container managed IDM, and provide custom programmatic config?
> >> 
> >> As that would be enough for a Beta imo.
> >> 
> >> On 28 Mar 2013, at 14:28, Bolesław Dawidowicz <bdawidow at redhat.com> wrote:
> >> 
> >>> I think xml can wait a bit. Initial version can just bootstrap default
> >>> stuff - JPA store. Then we add more proper config.
> >>> 
> >>> Just initialization of JPA store and exposing it to applications is
> >>> enough to kickstart the subsystem IMO - and this is what Stian
> >>> developed. At least that is pretty much what we need for now to move on.
> >>> 
> >>> I propose that we really start small but with common codebase under
> >>> picketlink umbrella and then discuss more detailed design and add more
> >>> features. And just release often.
> >>> 
> >>> On 03/28/2013 03:20 PM, Anil Saldhana wrote:
> >>>> We need to start the design discussions on the IDM subsystem right away.
> >>>> 
> >>>> We need to at least decide the schema and how the xml elements look.
> >>>> 
> >>>> On 03/28/2013 09:18 AM, Bolesław Dawidowicz wrote:
> >>>>> What Stian is proposing (and it was main reason to send this email) is
> >>>>> that we extract our work and put it in picketlink as a base for new
> >>>>> subsystem. Obviously if it matches expectations and goes in same
> >>>>> direction that you expect.
> >>>>> 
> >>>>> We don't want to duplicate work. The sooner we align the better - and we
> >>>>> have a bit of time to help right now.
> >>>>> 
> >>>>> On 03/28/2013 03:05 PM, Anil Saldhana wrote:
> >>>>>> Hi Stian,
> >>>>>> we will have the subsystem as one of the projects in the PL github.
> >>>>>> That work has to start soon. So it makes sense to migrate some of the
> >>>>>> work you have done. Since Pedro did the PL2 subsystem, he will be
> >>>>>> coordinating the work on the PL3 subsystem.
> >>>>>> 
> >>>>>> Regards,
> >>>>>> Anil
> >>>>>> 
> >>>>>> On 03/28/2013 08:23 AM, Stian Thorgersen wrote:
> >>>>>>> As part of our project we need a basic JBoss AS subsystem for
> >>>>>>> PicketLink IDM. We hope to either contribute this to PicketLink, or
> >>>>>>> to be able to replace it with an official subsystem once it's
> >>>>>>> available. If there is any interest in what we've done so far, we
> >>>>>>> would welcome feedback and/or help to complete it.
> >>>>>>> 
> >>>>>>> I thought this would be a good time to send this mail as we have
> >>>>>>> something very basic working. It's available on github
> >>>>>>> (https://github.com/stianst/eventjuggler-services/tree/idm). It's
> >>>>>>> the Identity subsystem (identity/impl) that provides the PL IDM
> >>>>>>> subsystem equivalent.
> >>>>>>> 
> >>>>>>> To enable the Identity subsystem a deployment adds a dependency on
> >>>>>>> "org.eventjuggler.services.identity", this causes the deployment
> >>>>>>> processors in the Identity subsystem to:
> >>>>>>> 
> >>>>>>> * Add a dependency on our PL 3 module
> >>>>>>> * Install CDI extensions that provide the beans from PL jars + a
> >>>>>>> producer for EntityManager that uses an EntityManagerFactory created
> >>>>>>> by the Identity service
> >>>>>>> 
> >>>>>>> This in return means that the deployment doesn't have to include PL
> >>>>>>> jars or any PL configuration for the identity store.
> >>>>>>> 
> >>>>>>> We have an example application that uses this service. It uses only
> >>>>>>> PL 3 APIs for authentication/authorization. That's also available
> >>>>>>> on github (https://github.com/stianst/eventjuggler/tree/idm/).
> >>>>>>> 
> >>>>>>> To try it out, first download JBoss EAP 6.1.0.Alpha, then run the
> >>>>>>> following:
> >>>>>>> 
> >>>>>>>        git clone https://github.com/stianst/eventjuggler-services.git
> >>>>>>>        cd eventjuggler-services
> >>>>>>>        git checkout origin/idm -b idm
> >>>>>>>        mvn -Djboss.zip=<location of jboss-eap-6.1.0.Alpha.zip> install
> >>>>>>>        build/target/jboss-eap-6.1/bin/standalone.sh
> >>>>>>> 
> >>>>>>> If you also want to try the example application run the following:
> >>>>>>> 
> >>>>>>>        git clone https://github.com/stianst/eventjuggler.git
> >>>>>>>        cd eventjuggler
> >>>>>>>        git checkout origin/idm -b idm
> >>>>>>>        mvn clean install
> >>>>>>>        mvn -pl ear jboss-as:deploy
> >>>>>>> 
> >>>>>>> Now you should be able to open
> >>>>>>> http://localhost:8080/eventjuggler-client and select register and
> >>>>>>> login to check that authentication works.
> >>>>>>> 
> >>>>>>> We haven't put too much effort into exactly what we're doing as we
> >>>>>>> wanted some feedback first. A few things that we've been thinking
> >>>>>>> about include:
> >>>>>>> 
> >>>>>>> * Split idm and core into separate subsystems + modules
> >>>>>>> * Allow configuring the identity store (jpa, ldap or file) through
> >>>>>>> JBoss AS management
> >>>>>>> * Support multiple identity store configurations and a mechanism to
> >>>>>>> select which to use for a specific deployment
> >>>>>>> 
> >>>> _______________________________________________
> >>>> security-dev mailing list
> >>>> security-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/security-dev
> >>>> 
> >>> 
> >> 
> > 
> 
> 
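An added illustration (not code from the eventjuggler-services repository or from PicketLink) of the deployment-processor hook Stian describes in his first mail: a JBoss AS 7 DeploymentUnitProcessor that, only when a deployment has declared a dependency on org.eventjuggler.services.identity, adds the PicketLink module as a system dependency so the deployment needs no PL jars of its own. It assumes AS 7.1-era server APIs and that the subsystem's add handler registers the processor in the DEPENDENCIES phase; the CDI extension and EntityManager producer registration are omitted, and the PicketLink module name is a placeholder.

```java
import org.jboss.as.server.deployment.Attachments;
import org.jboss.as.server.deployment.DeploymentPhaseContext;
import org.jboss.as.server.deployment.DeploymentUnit;
import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
import org.jboss.as.server.deployment.DeploymentUnitProcessor;
import org.jboss.as.server.deployment.module.ModuleDependency;
import org.jboss.as.server.deployment.module.ModuleSpecification;
import org.jboss.modules.Module;
import org.jboss.modules.ModuleIdentifier;
import org.jboss.modules.ModuleLoader;

// Registered by the subsystem in the DEPENDENCIES phase. A deployment opts in by
// listing the identity module in its MANIFEST.MF Dependencies (or
// jboss-deployment-structure.xml); deployments that do not are left untouched.
public class IdentityDependencyProcessor implements DeploymentUnitProcessor {

    // Module name a deployment declares, as given in the mail.
    static final ModuleIdentifier IDENTITY_MODULE =
            ModuleIdentifier.create("org.eventjuggler.services.identity");
    // Placeholder: the actual PicketLink 3 module name depends on the build.
    static final ModuleIdentifier PICKETLINK_MODULE =
            ModuleIdentifier.create("org.picketlink.PLACEHOLDER");

    @Override
    public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
        DeploymentUnit unit = phaseContext.getDeploymentUnit();
        ModuleSpecification spec = unit.getAttachment(Attachments.MODULE_SPECIFICATION);
        if (spec == null || !dependsOnIdentity(spec)) {
            return;
        }
        ModuleLoader loader = Module.getBootModuleLoader();
        // optional=false, export=false, importServices=true, userSpecified=false
        spec.addSystemDependency(
                new ModuleDependency(loader, PICKETLINK_MODULE, false, false, true, false));
    }

    // Checks the dependencies the deployment itself declared, not ones added by the server.
    static boolean dependsOnIdentity(ModuleSpecification spec) {
        for (ModuleDependency dep : spec.getUserDependencies()) {
            if (IDENTITY_MODULE.equals(dep.getIdentifier())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void undeploy(DeploymentUnit unit) {
    }
}
```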