[security-dev] PicketLink AS Subsystem

Darran Lofthouse darran.lofthouse at jboss.com
Sat Feb 23 08:46:10 EST 2013


Hello Bolek,

I would actually suggest that getting some of the integration started for AS8 
is something that we may want to be looking at sooner rather than later - 
we have a number of items that still need to be addressed in AS and it 
makes more sense to be addressing them with the long term solution based 
on PicketLink IDM rather than some intermediate solution.

We are close to looking at if we can switch from the forked HTTP server 
to Undertow for domain management; I am just currently working on 
integrating this with the existing realms used for domain management. 
After that starting to look at switching to PicketLink for IDM would 
make a lot of sense.  That would then allow us to start taking the SASL 
libraries to the next step with better integration.

One thing we need to remember however is that it is more than just a 
subsystem, with the migration to PicketLink IDM we need to avoid the 
situation where we have different security solutions in different 
locations.  This means that we need PicketLink IDM to also be integrated 
for domain management.  We do have some options for standalone mode 
regarding if we use the subsystem but within domain mode this needs to 
be configurable on the hosts where it will be running in a non-AS process.

I will speak with Brian next week regarding some of this as this is a 
special case where we will want to maximise consistency of configuration 
between something defined in a subsystem and something defined within 
the core configuration.

When defining the configuration for PicketLink I think we also need to 
remember that the way this is going to be used is really with two 
different target audiences.  We are all already familiar with developers 
using our projects but this also needs to be usable by administrators 
who have an in-depth knowledge of their own infrastructure and 
environment but limited knowledge of the internals of the application 
server.

I will start another thread for this, but fairly closely related, we need 
an overall solution for SSL configuration. In some cases SSL is used 
just to encrypt the traffic and in others it is used for authentication 
- we need a unified solution across the application server and this will 
also tie in with the IDM capabilities of PicketLink.

Regards,
Darran Lofthouse.

On 02/19/2013 11:13 AM, Bolesław Dawidowicz wrote:
> Hi
>
> We are doing some prototyping with PicketBox and PicketLink 3. As part
> of this it makes sense for us to put it in a separate subsystem in AS7.
>
> There is existing PicketLink 2.x one here:
>
> https://github.com/picketlink/as-subsystem
>
> From what I learned from Anil, while it is on the roadmap, the PicketLink 3.x
> subsystem won't happen soon. I would like to discuss requirements for it
> as we may be able to contribute something - at least some initial work.
>
> I would also like to discuss how an independent PicketLink service should
> be exposed and consumed in applications. The most natural way would be to
> provide both CDI integration and a REST interface. Any thoughts on that?
>
> As part of our prototyping we would like to avoid investing time into
> something that would duplicate existing functionality or go against
> already agreed design.
>
> Bolek