[security-dev] PicketLink IDM subsystem

Pete Muir pmuir at redhat.com
Wed Apr 3 07:41:50 EDT 2013


Agreed, this is how I saw it as well.

On 3 Apr 2013, at 12:11, Stian Thorgersen <stian at redhat.com> wrote:

> This may not work at the moment, but should be fixed IMO. I think it should be possible to create a global IDM configuration through standalone.xml, or maybe even multiple (and some mechanism to select config for a deployment). By default the global configuration would be overridden by the application specific configuration (as in your example).
> 
> Not sure if there would be an IDM config OOTB, so a user would either have to configure one in standalone.xml or provide one in their applications.
> 
> There may also be a case for having an option to override application specific configurations, but that probably wouldn't be a very important feature to have.
> 
> ----- Original Message -----
>> From: "Pete Muir" <pmuir at redhat.com>
>> To: "Bolesław Dawidowicz" <bdawidow at redhat.com>
>> Cc: security-dev at lists.jboss.org
>> Sent: Tuesday, 2 April, 2013 4:18:26 PM
>> Subject: Re: [security-dev] PicketLink IDM subsystem
>> 
>> PicketLink IDM allows for programmatic configuration like
>> https://github.com/picketlink/picketlink/blob/master/idm/tests/src/test/java/org/picketlink/test/idm/config/JPAIdentityStoreConfigurationTestCase.java#L94
>> - can we still use something like this with the subsystem?
>> 
>> On 28 Mar 2013, at 20:10, Bolesław Dawidowicz <bdawidow at redhat.com> wrote:
>> 
>>> I'm not sure I fully follow. Could you give some example?
>>> 
>>> On 03/28/2013 03:31 PM, Pete Muir wrote:
>>>> With Stian's approach, is it possible to hook into the bootstrap of the
>>>> container managed IDM, and provide custom programmatic config?
>>>> 
>>>> As that would be enough for a Beta imo.
>>>> 
>>>> On 28 Mar 2013, at 14:28, Bolesław Dawidowicz <bdawidow at redhat.com> wrote:
>>>> 
>>>>> I think xml can wait a bit. Initial version can just bootstrap default
>>>>> stuff - JPA store. Then we add more proper config.
>>>>> 
>>>>> Just initialization of JPA store and exposing it to applications is
>>>>> enough to kickstart the subsystem IMO - and this is what Stian
>>>>> developed. At least that is pretty much what we need for now to move on.
>>>>> 
>>>>> I propose that we really start small but with common codebase under
>>>>> picketlink umbrella and then discuss more detailed design and add more
>>>>> features. And just release often.
>>>>> 
>>>>> On 03/28/2013 03:20 PM, Anil Saldhana wrote:
>>>>>> We need to start the design discussions on the IDM subsystem right away.
>>>>>> 
>>>>>> We need to at least decide the schema and how the xml elements look.
>>>>>> 
>>>>>> On 03/28/2013 09:18 AM, Bolesław Dawidowicz wrote:
>>>>>>> What Stian is proposing (and it was main reason to send this email) is
>>>>>>> that we extract our work and put it in picketlink as a base for new
>>>>>>> subsystem. Obviously if it matches expectations and goes in same
>>>>>>> direction that you expect.
>>>>>>> 
>>>>>>> We don't want to duplicate work. The sooner we align, the better - and we
>>>>>>> have a bit of time to help right now.
>>>>>>> 
>>>>>>> On 03/28/2013 03:05 PM, Anil Saldhana wrote:
>>>>>>>> Hi Stian,
>>>>>>>> we will have the subsystem as one of the projects in the PL github.
>>>>>>>> That work has to start soon. So it makes sense to migrate some of the
>>>>>>>> work you have done. Since Pedro did the PL2 subsystem, he will be
>>>>>>>> coordinating the work on the PL3 subsystem.
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Anil
>>>>>>>> 
>>>>>>>> On 03/28/2013 08:23 AM, Stian Thorgersen wrote:
>>>>>>>>> As part of our project we need a basic JBoss AS subsystem for
>>>>>>>>> PicketLink IDM. We hope to either contribute this to PicketLink, or
>>>>>>>>> to be able to replace it with an official subsystem once it's
>>>>>>>>> available. If there is any interest in what we've done so far, we
>>>>>>>>> would welcome feedback and/or help to complete it.
>>>>>>>>> 
>>>>>>>>> I thought this would be a good time to send this mail as we have
>>>>>>>>> something very basic working. It's available on github
>>>>>>>>> (https://github.com/stianst/eventjuggler-services/tree/idm). It's
>>>>>>>>> the Identity subsystem (identity/impl) that provides the PL IDM
>>>>>>>>> subsystem equivalent.
>>>>>>>>> 
>>>>>>>>> To enable the Identity subsystem a deployment adds a dependency on
>>>>>>>>> "org.eventjuggler.services.identity", this causes the deployment
>>>>>>>>> processors in the Identity subsystem to:
>>>>>>>>> 
>>>>>>>>> * Add a dependency on our PL 3 module
>>>>>>>>> * Install CDI extensions that provide the beans from PL jars + a
>>>>>>>>> producer for EntityManager that uses an EntityManagerFactory created
>>>>>>>>> by the Identity service
>>>>>>>>> 
>>>>>>>>> This in return means that the deployment doesn't have to include PL
>>>>>>>>> jars or any PL configuration for the identity store.
>>>>>>>>> 
>>>>>>>>> We have an example application that uses this service. It uses only
>>>>>>>>> PL 3 APIs for authentication/authorization. That's also available
>>>>>>>>> on github (https://github.com/stianst/eventjuggler/tree/idm/).
>>>>>>>>> 
>>>>>>>>> To try it out, first download JBoss EAP 6.1.0.Alpha, then run the
>>>>>>>>> following:
>>>>>>>>> 
>>>>>>>>>       git clone https://github.com/stianst/eventjuggler-services.git
>>>>>>>>>       cd eventjuggler-services
>>>>>>>>>       git checkout origin/idm -b idm
>>>>>>>>>       mvn -Djboss.zip=<location of jboss-eap-6.1.0.Alpha.zip> install
>>>>>>>>>       build/target/jboss-eap-6.1/bin/standalone.sh
>>>>>>>>> 
>>>>>>>>> If you also want to try the example application run the following:
>>>>>>>>> 
>>>>>>>>>       git clone https://github.com/stianst/eventjuggler.git
>>>>>>>>>       cd eventjuggler
>>>>>>>>>       git checkout origin/idm -b idm
>>>>>>>>>       mvn clean install
>>>>>>>>>       mvn -pl ear jboss-as:deploy
>>>>>>>>> 
>>>>>>>>> Now you should be able to open
>>>>>>>>> http://localhost:8080/eventjuggler-client and select register and
>>>>>>>>> login to check that authentication works.
>>>>>>>>> 
>>>>>>>>> We haven't put too much effort into exactly what we're doing as we
>>>>>>>>> wanted some feedback first. A few things that we've been thinking
>>>>>>>>> about include:
>>>>>>>>> 
>>>>>>>>> * Split idm and core into separate subsystems + modules
>>>>>>>>> * Allow configuring the identity store (jpa, ldap or file) through
>>>>>>>>> JBoss AS management
>>>>>>>>> * Support multiple identity store configurations and a mechanism to
>>>>>>>>> select which to use for a specific deployment
>>>>>>>>> 
>>>>>> _______________________________________________
>>>>>> security-dev mailing list
>>>>>> security-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>> 
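The thread above describes deployment processors that install a CDI producer for `EntityManager`, backed by an `EntityManagerFactory` created by the Identity service. The following is an added illustration of what such a producer looks like in CDI; it is example code written for this page, not code from the eventjuggler-services project or from PicketLink. It assumes a persistence unit named `identity` injected via `@PersistenceUnit` (standing in for the factory the Identity service would create and hand over), and it adds a hypothetical `@IdentityStore` qualifier so the identity store's `EntityManager` cannot be confused with an application's own `EntityManager` producer.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import javax.enterprise.inject.Disposes;
import javax.enterprise.inject.Produces;
import javax.inject.Qualifier;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.PersistenceUnit;

/**
 * Example CDI producer for the identity store's EntityManager (added here;
 * not the project's own code). One producer per deployment is enough: the
 * factory is expensive and shared, the EntityManager is cheap and per-injection.
 */
public class IdentityEntityManagerProducer {

    /**
     * Hypothetical qualifier. Without one, an application that already
     * produces an unqualified EntityManager for its own data would get an
     * ambiguous-dependency error at deployment, or, worse, silently resolve
     * to the wrong store. Keeping identity data behind its own qualifier
     * makes it explicit which beans may touch the identity tables.
     */
    @Qualifier
    @Retention(RetentionPolicy.RUNTIME)
    public @interface IdentityStore {
    }

    // Assumption: the persistence unit name "identity" stands in for the
    // EntityManagerFactory that the Identity service would create itself.
    @PersistenceUnit(unitName = "identity")
    private EntityManagerFactory identityFactory;

    // Default @Dependent scope: every injection point gets its own
    // EntityManager, whose lifetime is tied to the injecting bean.
    @Produces
    @IdentityStore
    public EntityManager createIdentityEntityManager() {
        return identityFactory.createEntityManager();
    }

    // Disposer: invoked by CDI when the injecting bean is destroyed, so the
    // EntityManager (and its connection) is released rather than leaked.
    public void closeIdentityEntityManager(@Disposes @IdentityStore EntityManager em) {
        if (em.isOpen()) {
            em.close();
        }
    }
}
```

A deployment that declares the `org.eventjuggler.services.identity` dependency would then inject the identity store's manager with `@Inject @IdentityStore EntityManager em;` (the qualifier name is an assumption of this example). The disposer matters in practice: an application-managed `EntityManager` that is never closed holds its JDBC connection, and under load that exhausts the pool the identity store shares with the rest of the server.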
