[security-dev] Picketlink 2.8.0

Marek Posolda mposolda at redhat.com
Tue Nov 24 02:46:57 EST 2015


Keycloak now supports SAML SP implementation, which doesn't require KC 
server. It can talk to any other SAML Idp. The docs is here 
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html 
. For the future, we will mainly focus on improve/maintain the Keycloak 
SAML SP rather than Picketlink.

Also there is no need to fork the Picketlink project to your own, you 
can still propose and send PR to Picketlink . This will allow that more 
people from the community can suffer from your work.

Marek


On 23/11/15 23:40, larry mccay wrote:
> This is a disappointing situation.
> PL should have been continued and then consumed by KC.
> I will not be pulling in KC in its entirely in order to do SAML SP 
> implementations - we will need to move to something else.
>
> I suggest that a PL module be published from KC that has minimal 
> dependencies.
> You can migrate the PL functionality to KC this way but not force all 
> of the new dependencies on consumers.
>
> On Mon, Nov 23, 2015 at 11:19 AM, Arthur Gregório 
> <arthurshakal at gmail.com <mailto:arthurshakal at gmail.com>> wrote:
>
>     I see this post, and i know what KC do..
>
>     What I mean is that I do not need all the things that KC does, I
>     want simple with the something like PL.
>
>     I posted in a thread about it on the same topic "continuity of PL"
>     on the dev list of KC and the same answer was given.
>
>     PL is such a cool framework, I refuse to believe that only I use
>     it or only I noticed this deep sleep that the project came...
>
>     Finally, the fact is that PL is like Spring Security, a swatter
>     convenient and fast flies. KC is already like a cannon, large and
>     meaningless to the context of solving a simple problem like
>     killing a single mosquito.
>
>     But if so, the business is to make a project fork and working on
>     my own version.
>
>     at.,
>
>     *Arthur P. Gregório*
>     /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>     @gregorioarthur
>     www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
>
>     2015-11-23 13:07 GMT-02:00 Bruno Oliveira <bruno at abstractj.org
>     <mailto:bruno at abstractj.org>>:
>
>         Please take a look at
>         http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
>
>
>         I think this post answers your question.
>
>         On Mon, Nov 23, 2015 at 1:05 PM Stephen Agneta
>         <sagneta at gmail.com <mailto:sagneta at gmail.com>> wrote:
>
>             I'll share what I know with you in the hopes that it will
>             help somehow.
>
>             Well KC (keycloak) is a super-set of the PL (PicketLink)
>             functionality thus in theory it ought to work fine once it
>             is ready and once some sort of migration path is known.
>             You may not wish to move to KC due to the additional
>             functionality which may be off-putting for lite
>             applications but KC will perform everything PL did and
>             more and will do so in VM memory if you so choose.
>
>             Essentially KC is a real federated authentication and
>             authorization service with identity management that can
>             run standalone or in-VM within a WildFly cluster. Although
>             a Java implementation it works with other systems and
>             languages out of process. It does integrate with Spring
>             which may interest you.
>
>             The following link provides information for Wildfly 9
>             clustered installation:
>             http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install
>
>             Thus you should be able to have your authorization demands
>             met _in VM_ as opposed to over-the-wire for performance
>             reasons if necessary.
>
>             IMOP I think the KC project is the right move. They are
>             fixing the big issue which is the lack of an opensource
>             Federated Identity Management System. They also fixed
>             little things such as Composite Roles which are missing
>             from PL.
>
>              I merely disliked the abrupt change-over. I also can't
>             move to keycloak until I have more of an idea how the
>             migration would work.
>             For example, how different is the default KC relational
>             schema from the default basic PL schema:
>
>             http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>
>             It is also not clear if keycloak has a CDI demand system
>             ready like PicketLink. They only hint at it.  Also it runs
>             in-cluster on Wildfly 9 and I am on 8. Nothing huge but
>             issues that will need to be addressed.
>
>             Hope that helps.
>
>
>
>
>
>
>
>
>
>
>
>             On Mon, Nov 23, 2015 at 8:54 AM Arthur Gregório
>             <arthurshakal at gmail.com <mailto:arthurshakal at gmail.com>>
>             wrote:
>
>                 And KC does not have the same purpose as the PL.
>
>                 In short, I have no reason to migrate from one to the
>                 other, I use PL or go back to Spring Security.
>
>                 But it seems that there has not been any development
>                 in PL, at least in recent months, in short, it seems
>                 that the project is dying and all that were used for
>                 its own account.
>
>                 And with bugs like this
>                 https://developer.jboss.org/thread/266387, it's not
>                 cool to let the project stalled...
>
>
>                 *Arthur P. Gregório*
>                 /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>                 @gregorioarthur
>                 www.arthurgregorio.eti.br
>                 <http://www.arthurgregorio.eti.br>
>
>                 2015-11-23 11:47 GMT-02:00 Stephen Agneta
>                 <sagneta at gmail.com <mailto:sagneta at gmail.com>>:
>
>
>                     It certainly appears that everything has moved to
>                     key-cloak but I am unsure that keycloak is ready
>                     to take the burden of current Picketlink
>                     implementations. Nor am I sure how the migration
>                     process would occur. The abruptness of the change
>                     is a bit disconcerting. Having said that
>                     Picketlink is working fine save for one defect
>                     that which I requested that is on the git HEAD but
>                     not in any particular release.
>
>
>
>
>                     On Mon, Nov 23, 2015 at 8:43 AM Arthur Gregório
>                     <arthurshakal at gmail.com
>                     <mailto:arthurshakal at gmail.com>> wrote:
>
>                         Picketlink is dead?
>
>                         The last commit in the project repo was in 9
>                         july..
>
>                         Is there a schedule for the new version or
>                         something like that?
>
>                         at.,
>
>                         *Arthur P. Gregório*
>                         /+55 45 9958-0302 <tel:%2B55%2045%209958-0302>/
>                         @gregorioarthur
>                         www.arthurgregorio.eti.br
>                         <http://www.arthurgregorio.eti.br>
>                         _______________________________________________
>                         security-dev mailing list
>                         security-dev at lists.jboss.org
>                         <mailto:security-dev at lists.jboss.org>
>                         https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>             _______________________________________________
>             security-dev mailing list
>             security-dev at lists.jboss.org
>             <mailto:security-dev at lists.jboss.org>
>             https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
>     _______________________________________________
>     security-dev mailing list
>     security-dev at lists.jboss.org <mailto:security-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/security-dev
>
>
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20151124/e51e7a25/attachment-0001.html 


More information about the security-dev mailing list