PicketLink is a security framework for Java EE applications that provides functionality for identity management, authentication, authorization, and federation. It includes APIs for managing users, groups, and roles and supports storing identity data in different sources. PicketLink also allows securing application methods and RESTful endpoints, as well as implementing user registration and social login.
3. What is it?
Security framework for Java EE
● Apache License V2
● First class support for CDI
● Secures your beans, bean methods, view layer,
RESTful endpoints, servlets and more
● Simple API for managing Users, Groups and Roles
● Authenticate any way you want
● Federation (SAML, WS-Trust, OpenID)
3
Sunday, July 7, 13
5. Identity Management
Manage users, groups, roles and more
● Built in support for storing your identities in:
● File system
● A relational database (using JPA)
● LDAP
● Well defined SPI for creating custom identity stores
● Powerful query API for querying identities
● All operations done through IdentityManager,
which can be simply @Injected into your beans
5
Sunday, July 7, 13
6. BYO Identity Model
● We provide you with optional User, Group, Role
classes
● We also provide a few default relationships – group
membership, group role and application role
● But custom relationships (between two or more
participating identities) are also easy to define
● Provides the flexibility you need to meet the
requirements of your business or project
6
Sunday, July 7, 13
7. Authentication
Authentication is initiated with Identity.login()
● Identity bean is a session-scoped bean that tracks
the current user
Authenticator can be configured per application or per
request
● Supports multiple authentication methods in a single
application (e.g. Username/password and OpenID)
● We provide some default (optional) support for some
credential types
7
Sunday, July 7, 13
11. RESTful Authentication Endpoint
org.jboss.jdf.example.ticketmonster.security.rest.LoginServic
e
● Username/password passed in via the credential param
● Identity.login() invoked
● If authentication successful, the User object is read from
the Identity bean and passed back in the REST response
● We haven't configured an Authenticator for this application,
so by default Identity Management is used to authenticate
11
Sunday, July 7, 13
12. Where are our users defined?
org.jboss.jdf.example.ticketmonster.security.IdentityManagementInitializer
● @Startup bean is instantiated during app startup
● IdentityManager is @Injected
● initialize() is a @PostConstruct method
● Is executed automatically
● Creates the users, roles and default passwords for our
application
● Sensible IDM configuration defaults make this possible
12
Sunday, July 7, 13
13. Securing application methods
org.jboss.jdf.example.ticketmonster.rest.BookingService
● We want to restrict the createBooking() method to
only logged-in users
● @UserLoggedIn is a Security Binding Type, an
annotation used to restrict access to beans and bean
methods
● This feature is provided by Apache DeltaSpike
● A Security Binding Type requires an Authorizer method,
annotated with @Secures in addition to the binding
annotation
13
Sunday, July 7, 13
14. Implementing the Authorizer method
org.jboss.jdf.example.ticketmonster.security.AuthorizationManager
● The isUserLoggedIn() method controls access to
methods annotated with @UserLoggedIn
● Is annotated with both @Secures and @UserLoggedIn
● Parameters of an authorizer method are treated as
injection points
● Must return a boolean to indicate whether the
authorization was successful – a result of true means
the restricted method may be invoked by the current user
14
Sunday, July 7, 13
16. View layer security
We can also tailor the user experience based on the
current user's privileges
● JSF <ui:fragment> control can be used to show or
hide parts of the page based on roles
● Can access the Identity bean directly via EL, e.g.
#{identity.loggedIn}
● Can also use application-specific checks, e.g.
AuthorizationManager.isAdmin()
16
Sunday, July 7, 13
17. User Registration
IDM makes it easy to implement user self-registration
●
org.jboss.jdf.example.ticketmonster.security.rest.RegistrationService
● The register() method receives a user registration
request
● The performRegistration() method creates a new
User, assigns them the User role, and adds them to the
Users group.
● The registering user is even automatically logged in by
the performSilentAuthentication() method
● An alternative would be to send a confirmation e-mail
17
Sunday, July 7, 13
18. Other IDM Features
Built-in authentication support for
● Form-based, BASIC, DIGEST, X509 Certificate,
Username/Password
Password encoding
● Defaults to a salted hash, or BYO
Mix and match identity stores
● Store your users in LDAP, roles and groups in DB
18
Sunday, July 7, 13
19. Other Features of PicketLink
PicketLink Federation (SSO and Trust)
● SAML 2.0
● SAML 1.1
● WS-Trust 1.3
19
Sunday, July 7, 13
20. Other Features of PicketLink
PicketLink Social Login
● Login using Facebook
● Login using Twitter
● Login using Google
● Login using OpenID
20
Sunday, July 7, 13
21. PicketLink RoadMap
PicketLink v2.5.0 is the target
● Currently in frequent beta releases (Last Beta4)
● CR cycles to start soon
● Current emphasis on QE, Quickstarts and Demos
● Final planned mid-july (+ or - 2 weeks)
21
Sunday, July 7, 13