[security-dev] PicketLink Usecase: SAML/GWT/REST Authentication

Eric Wittmann eric.wittmann at redhat.com
Wed Jun 26 14:45:49 EDT 2013


Everyone,

I'll just add a few more details to (hopefully) help add context.

We have multiple UI applications in the Overlord world, and we wanted 
them all to be secured using SSO.  PicketLink/SAML worked very well to 
accomplish this, and it was trivial to get all of the UI WARs protected.

Once the GWT apps themselves are protected, the browser can make RPC 
calls to the originating context for free, and the servlets being 
invoked will have a JAAS authenticated user.

The last piece is then making REST calls to some *other* web context on 
behalf of the JAAS user.  The REST services might be hosted in some 
other context on the same server or even on some other server.

So the approach is to issue a SAML token that contains the principal and 
all its roles, then pass that in an HTTP header when invoking the remote 
REST services.  The REST services are protected by two login modules - a 
standard BASIC auth login module and another one that can consume a SAML 
token.

There is a vital piece still missing, which is to actually sign the SAML 
token when sending, and verifying the signature when consuming.  If 
anyone would like to help with that it'd be super helpful!  :)

Lastly - I'm certainly not a security expert, and am happy to be shown a 
better way to solve this use case going forward (note: we needed to use 
the version of picketlink that comes with EAP 6.1 - fwiw).

-Eric
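The signing and verification step Eric describes as still missing, shown as an added example that is not Overlord's or PicketLink's own code: a SAML-shaped assertion (constructed here, carrying the principal and a role attribute) is given an enveloped XML signature with the JDK's built-in javax.xml.crypto.dsig API before it is placed in the request header, and the consuming side validates it against a public key it already trusts. The key pair, the assertion content and the header name are assumptions for the example; a real deployment would load the trusted key from a keystore rather than generate it in-process.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SamlBearerSigningExample {
    // Constructed sample assertion for the example; not a token from any real Overlord deployment.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " ID=\"_example1\" Version=\"2.0\" IssueInstant=\"2013-06-26T18:45:49Z\">"
      + "<saml:Issuer>overlord-ui</saml:Issuer>"
      + "<saml:Subject><saml:NameID>eric</saml:NameID></saml:Subject>"
      + "<saml:AttributeStatement><saml:Attribute Name=\"Role\">"
      + "<saml:AttributeValue>admin</saml:AttributeValue>"
      + "</saml:Attribute></saml:AttributeStatement>"
      + "</saml:Assertion>";

    // Assumed header name for carrying the token to the REST service.
    static final String HEADER = "Authorization: SAML-Bearer ";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Tokens arrive from the network: refuse DTDs so a crafted token cannot trigger XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    /** Sender side: enveloped RSA-SHA256 signature over the whole assertion. */
    static String sign(String assertionXml, KeyPair kp) throws Exception {
        Document doc = parse(assertionXml);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        // No KeyInfo is embedded on purpose: the receiver must use a key it already trusts.
        fac.newXMLSignature(si, null).sign(ctx);
        return serialize(doc);
    }

    /** What the sending servlet would put in the outgoing request header. */
    static String headerValue(String signedXml) {
        return HEADER + Base64.getEncoder().encodeToString(signedXml.getBytes(StandardCharsets.UTF_8));
    }

    /** Receiver side (the login module's job): validate against a pinned public key. */
    static boolean verify(String signedXml, PublicKey trusted) throws Exception {
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;   // unsigned (or oddly multi-signed) token: reject
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        return fac.unmarshalXMLSignature(ctx).validate(ctx);   // checks digest and signature value
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();          // assumed key pair; stands in for a keystore entry
        String signed = sign(ASSERTION, kp);
        System.out.println(headerValue(signed).substring(0, 40) + "...");
        System.out.println("genuine token accepted: " + verify(signed, kp.getPublic()));
        System.out.println("unsigned token accepted: " + verify(ASSERTION, kp.getPublic()));
        // A role tampered with after signing changes the digest, so validation fails.
        String tampered = signed.replace(">admin<", ">superuser<");
        System.out.println("tampered token accepted: " + verify(tampered, kp.getPublic()));
        KeyPair other = g.generateKeyPair();
        System.out.println("token from unknown signer accepted: " + verify(signed, other.getPublic()));
    }
}
```

The design point for the consuming login module is the last three checks: without a signature, the role list inside the token is just text any caller could write, so an unsigned token, a token altered after signing, and a token signed by a key the service does not trust must all be rejected, and the trusted key must come from the service's own configuration, never from a KeyInfo element inside the token being checked.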


On 06/26/2013 02:18 PM, Anil Saldhana wrote:
> Hi All,
>     this is a use case solved by Eric Wittmann of Project Overlord using
> PicketLink.
>
> Final Solution in Eric's words:
> Use-case is:  GWT UI app is protected by SAML SSO.  The UI makes GWT RPC
> calls back to itself.  The UI RPC servlets (server-side) then make REST
> calls to a set of REST services hosted in another web application, using
> SAML tokens for authentication.
>
> JIRA: https://issues.jboss.org/browse/DTGOV-11
>
> Background:
> Eric had gotten his GWT UI App to use SAML SSO using PicketLink. He was
> looking for ways to now make calls from the GWT app to REST services on
> RESTEasy without re-authentication. He needed to get this use case working
> with PicketLink and RESTEasy bundled in EAP6. During discussions and
> future plan, it was decided to use OAuth for REST services and look at
> SAML Bearer Token Profile for guidance.
>
> Solution:
> Since RESTEasy authentication can use JAAS authentication,  Eric wrote a
> login module for SAML bearer tokens.
> https://github.com/Governance/overlord-commons/blob/master/overlord-commons-auth/src/main/java/org/overlord/commons/auth/jboss7/SAMLBearerTokenLoginModule.java
>
> I created a JIRA issue in PicketLink to migrate this login module:
> https://issues.jboss.org/browse/PLINK-165
>
> This login module will be available in PicketLink v2.5.0
> https://github.com/anilsaldhana/picketlink-bindings/blob/0808a9916093af6095430447e6899172fe19e86a/picketlink-jbas-common/src/main/java/org/picketlink/trust/jbossws/jaas/SAMLBearerTokenLoginModule.java
>
> I wanted to open a thread for discussion on this. I am unsure if other
> projects have similar needs but this use case is pretty awesome to share
> here.
>
> Regards,
> Anil