Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Introduction to PicketLink
JBUG, London
JBoss by Red Hat
Peter ˇSkopek, pskopek@redhat.com, twitter: @pskopek
Apr 30, 2014...
Section 1
Welcome
Welcome
Agenda
1 Welcome
2 PicketLink Overview
Areas of usage
3 Java EE Application Security
Authentication API
Permission...
Section 2
PicketLink Overview
PicketLink Overview Areas of usage
What is PicketLink?
PicketLink is an Application Security Framework for Java EE
applica...
PicketLink Overview Areas of usage
Areas of Usage
PicketLink Overview Areas of usage
Java EE Application Security
Authentication
Authorization and Permissions API
CDI Based...
PicketLink Overview Areas of usage
Identity Management
Built-in Identity Stores for Databases and LDAP
Rich and Extensible...
PicketLink Overview Areas of usage
Identity Federation
SAML (v2.0 and v1.1)
OAuth2
XACML v2
OpenID
Security Token Server (...
PicketLink Overview Areas of usage
Social Login
Facebook Connect
Twitter Login
Google+ Login
Section 3
Java EE Application Security
Java EE Application Security Authentication API
PicketLink API
Identity - central PicketLink API bean has following method...
Java EE Application Security Authentication API
Authentication Example in JSF application
@Named
@RequestScoped
public cla...
Java EE Application Security Authentication API
Authentication Example in JSF application
<h:form rendered="#{not identity...
Java EE Application Security Authentication API
Authentication Process
Java EE Application Security Authentication API
Authenticator
It is a bean handling authentication.
@PicketLink
public cla...
Java EE Application Security Authentication API
Authenticator
The first thing we can notice about the above code is that th...
Java EE Application Security Authentication API
Credentials
Credentials are something that provides evidence of a user’s
i...
Java EE Application Security Authentication API
Custom Authenticator and
DefaultLoginCredentials
The DefaultLoginCredentia...
Java EE Application Security Permissions API
Permissions API
The Permissions API is a set of extensible authorization feat...
Java EE Application Security Permissions API
Permissions API
Each permission instance represents a specific resource permis...
Java EE Application Security Permissions API
Checking permissions for the current user
The primary method for accessing th...
Java EE Application Security Permissions API
Checking permissions for the current user -
example 1
@Inject Identity identi...
Java EE Application Security Permissions API
Checking permissions for the current user -
example 2
When you don’t have a r...
Java EE Application Security Permissions API
Restricting resource operations
For many resource types it makes sense to res...
Java EE Application Security Permissions API
Restricting resource operations on Class
One can check if the current user ha...
Section 4
Identity Management
Identity Management Overview
Overview
PicketLink Identity Management is a fundamental module of
PicketLink, with all other...
Identity Management Overview
Core Concepts
PartitionManager
is used to manage identity partitions, which are essentially
c...
Identity Management Overview
Schema
Section 5
PicketLink Federation
PicketLink Federation Overview
PicketLink Federation - Overview
The PicketLink Federation project provides the support for...
Section 6
PicketLink WildFly Subsystems
PicketLink WildFly Subsystems
General
The PicketLink Subsystem extends WildFly Application Server to
introduce some new ca...
PicketLink WildFly Subsystems Federation
Federation Subsystem
A rich domain model supporting the configuration of
PicketLin...
PicketLink WildFly Subsystems Identity Management
Identity Managemet Subsystem
Subsystem parses the configuration, automati...
PicketLink WildFly Subsystems Identity Management
Bibliography
PicketLink Documentation Site
http://docs.jboss.org/picketl...
The end.
Thanks for listening.
Upcoming SlideShare
Loading in …5
×

1

Share

Download to read offline

Introduction to PicketLink

Download to read offline

Presentation by Peter Skopek (JBoss by Red Hat) delivered at the London JBoss User Group event on the 30th of April 2014.

Presentation

Introductory talk to PicketLink from Federation through to Identity Management.
What is PicketLink?

PicketLink is an umbrella project for security and identity management for Java Applications. PicketLink is an important project under the security offerings from JBoss.

A Picket Fence is a secure system of pickets joined together via some type of links. Basically, the Pickets by themselves do not offer any security. But when they are brought together by linking them, they provide the necessary security.

This project is that link for other security systems or systems to bring together or join, to finally provide the necessary secure system.

For more information visit http://picketlink.org/

Related Books

Free with a 30 day trial from Scribd

See all

Introduction to PicketLink

  1. 1. Introduction to PicketLink JBUG, London JBoss by Red Hat Peter ˇSkopek, pskopek@redhat.com, twitter: @pskopek Apr 30, 2014 Abstract PicketLink is project offering multiple solutions to identity management and security for Java applications.
  2. 2. Section 1 Welcome
  3. 3. Welcome Agenda 1 Welcome 2 PicketLink Overview Areas of usage 3 Java EE Application Security Authentication API Permissions API 4 Identity Management Overview 5 PicketLink Federation Overview 6 PicketLink WildFly Subsystems Federation Identity Management
  4. 4. Section 2 PicketLink Overview
  5. 5. PicketLink Overview Areas of usage What is PicketLink? PicketLink is an Application Security Framework for Java EE applications. It provides features for authenticating users, authorizing access to the business methods of your application, managing your application’s users, groups, roles and permissions. Areas of usage: Java EE Application Security Identity Management Identity Federation Social Login Mobile Applications Security REST Applications Security
  6. 6. PicketLink Overview Areas of usage Areas of Usage
  7. 7. PicketLink Overview Areas of usage Java EE Application Security Authentication Authorization and Permissions API CDI Based Integration REST Security
  8. 8. PicketLink Overview Areas of usage Identity Management Built-in Identity Stores for Databases and LDAP Rich and Extensible API Multitenancy
  9. 9. PicketLink Overview Areas of usage Identity Federation SAML (v2.0 and v1.1) OAuth2 XACML v2 OpenID Security Token Server (STS) for WS-Trust
  10. 10. PicketLink Overview Areas of usage Social Login Facebook Connect Twitter Login Google+ Login
  11. 11. Section 3 Java EE Application Security
  12. 12. Java EE Application Security Authentication API PicketLink API Identity - central PicketLink API bean has following methods: boolean isLoggedIn(); AuthenticationResult login() throws AuthenticationException; void logout(); boolean hasPermission(Object resource, String operation); boolean hasPermission(Class<?>resourceClass, Serializable identifier, String operation); Account getAccount(); Please note that Identity bean is marked with @Named annotation, which means that its methods may be invoked directly from the view layer (if the view layer, such as JSF, supports it) via an EL expression.
  13. 13. Java EE Application Security Authentication API Authentication Example in JSF application @Named @RequestScoped public class AuthController { @Inject private FacesContext facesContext; @Inject private Conversation conversation; @Inject private Identity identity; public void login() { AuthenticationResult result = identity.login(); if (AuthenticationResult.FAILED.equals(result)) { facesContext.addMessage(null, new FacesMessage( "Authentication was unsuccessful. Please check your username and password " + "before trying again.")); } else { User user = getCurrentUser(); if (user == null) { user = createUser(getCurrentUserName()); } conversation.begin(); } } }
  14. 14. Java EE Application Security Authentication API Authentication Example in JSF application <h:form rendered="#{not identity.loggedIn}"> <h:panelGrid columns="2" > <h:outputLabel value="Username" /> <h:inputText value="#{loginCredentials.userId}" /> <h:outputLabel value="Password" /> <h:inputSecret value="#{loginCredentials.password}" /> <h:commandButton value="Log in" action="#{authController.login}" /> </h:panelGrid> </h:form>
  15. 15. Java EE Application Security Authentication API Authentication Process
  16. 16. Java EE Application Security Authentication API Authenticator It is a bean handling authentication. @PicketLink public class SimpleAuthenticator extends BaseAuthenticator { @Inject DefaultLoginCredentials credentials; @Override public void authenticate() { if ("jsmith".equals(credentials.getUserId()) && "abc123".equals(credentials.getPassword())) { setStatus(AuthenticationStatus.SUCCESS); setAccount(new User("jsmith")); } else { setStatus(AuthenticationStatus.FAILURE); FacesContext.getCurrentInstance().addMessage(null, new FacesMessage( "Authentication Failure - The username or password you provided were invalid.")); } } }
  17. 17. Java EE Application Security Authentication API Authenticator The first thing we can notice about the above code is that the class is annotated with the @PicketLink annotation. This annotation indicates that this bean should be used for the authentication process. The next thing is that the authenticator class extends something called BaseAuthenticator. Which is abstract base class provided by PicketLink which makes it easier for custom authenticator to just implement authenticate() method.
  18. 18. Java EE Application Security Authentication API Credentials Credentials are something that provides evidence of a user’s identity. PicketLink has extensive support for a variety of credential types, and also makes it relatively simple to add custom support for credential types that PicketLink doesn’t support out of the box itself. UsernamePasswordCredentials TOTPCredentials X509CertificateCredentials DigestCredentials
  19. 19. Java EE Application Security Authentication API Custom Authenticator and DefaultLoginCredentials The DefaultLoginCredentials bean is provided by PicketLink as a convenience, and is intended to serve as a general purpose Credentials implementation suitable for a variety of use cases. It supports the setting of a userId and credential property, and provides convenience methods for working with text-based passwords. It is a request-scoped bean and is also annotated with @Named so as to make it accessible directly from the view layer. public class VerySimpleAuthenticator extends BaseAuthenticator { @Inject DefaultLoginCredentials credentials; // code snipped }
  20. 20. Java EE Application Security Permissions API Permissions API The Permissions API is a set of extensible authorization features that provide capabilities for determining access privileges for application resources. public interface Permission { Object getResource(); Class<?> getResourceClass(); Serializable getResourceIdentifier(); IdentityType getAssignee(); String getOperation(); }
  21. 21. Java EE Application Security Permissions API Permissions API Each permission instance represents a specific resource permission, and contains three important pieces of state: assignee - identity to which the permission is assigned operation - string value that represents the exact action that the assigned identity is allowed to perform reference - to the resource (if known), or a combination of a resource class and resource identifier. This value represents the resource to which the permission applies.
  22. 22. Java EE Application Security Permissions API Checking permissions for the current user The primary method for accessing the Permissions API is via the Identity bean, which provides the following two methods for checking permissions for the currently authenticated user: boolean hasPermission(Object resource, String operation); boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
  23. 23. Java EE Application Security Permissions API Checking permissions for the current user - example 1 @Inject Identity identity; public void deleteAccount(Account account) { // Check the current user has permission to delete the account if (identity.hasPermission(account, "DELETE")) { // Logic to delete Account object goes here } else { throw new SecurityException("Insufficient privileges!"); } }
  24. 24. Java EE Application Security Permissions API Checking permissions for the current user - example 2 When you don’t have a reference to the resource object, but you have it’s identifier value (for example the primary key value of an entity bean). It is more efficient to not a resource when don’t actually need it. @Inject Identity identity; public void deleteCustomer(Long customerId) { // Check the current user has permission to delete the customer if (identity.hasPermission(Customer.class, customerId, "DELETE")) { // Logic to delete Customer object goes here } else { throw new SecurityException("Insufficient privileges!"); } }
  25. 25. Java EE Application Security Permissions API Restricting resource operations For many resource types it makes sense to restrict the set of resource operations for which permissions might be assigned. classOperation option can be set to true if the permission applies to the class itself, and not an instance of a class. @Entity @AllowedOperations({ @AllowedOperation(value = "CREATE", classOperation = true), @AllowedOperation(value = "READ"), @AllowedOperation(value = "UPDATE"), @AllowedOperation(value = "DELETE") }) public class Country implements Serializable {
  26. 26. Java EE Application Security Permissions API Restricting resource operations on Class One can check if the current user has permission to actually create a new Country bean. In this case, the permission check would look something like this: @Inject Identity identity; public void createCountry() { if (!identity.hasPermission(Country.class, "CREATE")) { throw new SecurityException( "Current user has insufficient privileges for this operation."); } .... }
  27. 27. Section 4 Identity Management
  28. 28. Identity Management Overview Overview PicketLink Identity Management is a fundamental module of PicketLink, with all other modules building on top of the IDM component to implement their extended features. Provides rich and extensible API for managing the identities (such as users, groups and roles) of your applications and services Supports a flexible system for identity partitioning Provides the core Identity Model API classes (see below) upon which an application’s identity classes are defined to provide the security structure for that application
  29. 29. Identity Management Overview Core Concepts PartitionManager is used to manage identity partitions, which are essentially containers for a set of identity objects IdentityManager is used to manage identity objects within the scope of a partition RelationshipManager is used to manage relationships - a relationship is a typed association between two or more identities IdentityStore provides the backend store for identity persistency JPAIdentityStore LDAPIdentityStore FileBasedIdentityStore
  30. 30. Identity Management Overview Schema
  31. 31. Section 5 PicketLink Federation
  32. 32. PicketLink Federation Overview PicketLink Federation - Overview The PicketLink Federation project provides the support for Federated Identity and Single Sign On type scenarios. PicketLink provides support for technologies SAML (v2.0 and v1.1) OAuth2 XACML v2 OpenID Security Token Server (STS) for WS-Trust OAuth2 Integration with following servers is supported WildFly 8 JBoss AS7 JBoss Application Server v5.0 onwards Apache Tomcat v5.5 onwards
  33. 33. Section 6 PicketLink WildFly Subsystems
  34. 34. PicketLink WildFly Subsystems General The PicketLink Subsystem extends WildFly Application Server to introduce some new capabilities, providing a infrastructure to deploy and manage PicketLink deployments and services. Minimal configuration for deployments. Part of the configuration is done automatically with some hooks for customizations. Minimal dependencies for deployments. All PicketLink dependencies are automatically set from modules. Configuration management using JBoss Application Server Management API. It can be managed in different ways: HTTP/JSON, CLI, Native DMR, etc. example located at docs/examples/configs/standalone-picketlink.xml
  35. 35. PicketLink WildFly Subsystems Federation Federation Subsystem A rich domain model supporting the configuration of PicketLink Federation deployments and Identity Management services. No need to provide picketlink.xml deployment descriptor Cetralized configuration
  36. 36. PicketLink WildFly Subsystems Identity Management Identity Managemet Subsystem Subsystem parses the configuration, automatically build a org.picketlink.idm.PartitionManager and expose it via JNDI for further access. Externalize and centralize the IDM configuration for deployments Define multiple configuration for identity management services Expose the PartitionManager via JNDI for further access If using CDI, inject the PartitionManager instances using the Resource annotation If using CDI, use the PicketLink IDM alone without requiring the base module dependencies
  37. 37. PicketLink WildFly Subsystems Identity Management Bibliography PicketLink Documentation Site http://docs.jboss.org/picketlink/2/latest/reference/html/ Security Assertion Markup Language (SAML) v2.0 https://www.oasis-open.org/standards#samlv2.0 PicketLink Web Site http://www.picketlink.org/
  38. 38. The end. Thanks for listening.
  • hmidibessem

    Apr. 25, 2016

Presentation by Peter Skopek (JBoss by Red Hat) delivered at the London JBoss User Group event on the 30th of April 2014. Presentation Introductory talk to PicketLink from Federation through to Identity Management. What is PicketLink? PicketLink is an umbrella project for security and identity management for Java Applications. PicketLink is an important project under the security offerings from JBoss. A Picket Fence is a secure system of pickets joined together via some type of links. Basically, the Pickets by themselves do not offer any security. But when they are brought together by linking them, they provide the necessary security. This project is that link for other security systems or systems to bring together or join, to finally provide the necessary secure system. For more information visit http://picketlink.org/

Views

Total views

13,201

On Slideshare

0

From embeds

0

Number of embeds

7,087

Actions

Downloads

102

Shares

0

Comments

0

Likes

1

×