In this presentation we will take a look at PicketLink, a security framework for Java EE, and learn how its identity management, authentication and authorization features can be used to address the security requirements of all aspects of application development.
2. What is PicketLink?
● Umbrella project for security related projects
● Open and Security Standards
● Each project with focus on a specific security aspect
– Federation
– Application Security
– Security As a Service (SecaaS)
● Toolbox for Application Security
● Apache License v2
Java EE Application Security With PicketLink
3. About PicketLink
● Java EE Security Alternative for Authentication and Authorization
● First-class support for CDI
● Identity Management API
● Web and REST Security / Servlet API Integration
● JWT and JOSE Token Support
● Social Authentication
● Federation Protocols: SAML v1 and v2, OAuth, OpenID and WS-Trust STS
● Security for Cloud-based Applications
● Plenty of example applications (quickstarts)
4. Reduce Design Flaws
● Covers the most common security concepts in a simple and easy-to-use API
– How to represent identities? Users, roles, groups, applications, etc.
– How to authenticate and authorize?
– How to protect my application resources? Beans, pages, servlets, REST endpoints, etc.
– How to consume and produce security tokens?
– How to enable Single Sign-On across different applications?
● Focus on flexibility for specific security requirements
5. Agenda
● Authentication
● Http Security
● Identity Management
– LDAP
– DB
● Authorization
● BYO Security
6. Configuration
● Configure PicketLink BOM (Bill of Materials) and dependencies
● Listen to an event to configure behavior:
public void onInit(@Observes SecurityConfigurationEvent event) {
    SecurityConfigurationBuilder builder = event.getBuilder();
    builder
        .identity()  // the identity bean options
        .idmConfig() // identity management options
        .http();     // http and web security options
}
7. Authentication
● Single method invocation
credentials.setCredential(anyCredentialType);
identity.login();
if (identity.isLoggedIn()) {
    // user is now authenticated
}
identity.logout();
● Useful events are fired during the authentication
9. Identity Bean
● CDI Bean representing the authenticated user and acting as a central point for authentication, logout and permissioning
private @Inject Identity identity;
● Authentication Scope. Defaults to Session Scope, but you can change that:
builder.identity().scope(RequestScoped.class);
● Stateless mode can be used with REST to consume security tokens
● It may be exposed as a service
– Expose through Servlet, JAX-RS, JAX-WS, EJB ...
10. Authenticator
● A CDI bean that understands one or more credential types and how to perform authentication
● By default, PicketLink uses an IdmAuthenticator
– Fully integrated with PicketLink IDM
● Write your own
● You can choose between different authenticators at runtime
11. Authenticator Example
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;

@RequestScoped
@PicketLink
public class CustomAuthenticator extends BaseAuthenticator {
    @Inject
    private DefaultLoginCredentials credentials;

    @Override
    public void authenticate() {
        // validCredentials() and loadAccount() are application-specific and not shown on the slide
        if (validCredentials()) {
            setStatus(AuthenticationStatus.SUCCESS);
            setAccount(loadAccount());
        }
    }
}
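An added example (not from the slides or the PicketLink project) that fills in the validCredentials()/loadAccount() placeholders above: the authenticator verifies the submitted username and password through PicketLink IDM, sets an explicit FAILURE status on a bad or incomplete login, and logs failed attempts without the password. The class name and the logger are assumptions of this example.

```java
import java.util.logging.Logger;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;

// Example authenticator (not part of PicketLink): credentials are verified
// through PicketLink IDM and the outcome is always reported explicitly as
// SUCCESS or FAILURE, never left undecided.
@RequestScoped
@PicketLink
public class AuditingAuthenticator extends BaseAuthenticator {
    private static final Logger LOG = Logger.getLogger(AuditingAuthenticator.class.getName());

    @Inject
    private DefaultLoginCredentials credentials;

    @Inject
    private IdentityManager identityManager;

    @Override
    public void authenticate() {
        String userId = credentials.getUserId();
        String password = credentials.getPassword();

        // Reject an incomplete login form without touching the identity store.
        if (userId == null || password == null || password.isEmpty()) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        UsernamePasswordCredentials idmCredentials =
            new UsernamePasswordCredentials(userId, new Password(password));
        identityManager.validateCredentials(idmCredentials);

        if (Credentials.Status.VALID.equals(idmCredentials.getStatus())) {
            setStatus(AuthenticationStatus.SUCCESS);
            setAccount(idmCredentials.getValidatedAccount());
            return;
        }
        // Log the outcome (never the password) so failed logins can be monitored.
        LOG.warning("Login failed for user '" + userId + "': " + idmCredentials.getStatus());
        setStatus(AuthenticationStatus.FAILURE);
    }
}
```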
12. Credentials
● Provides what you need to verify user authenticity
● Usually it defines which authentication mechanism is going to be used
● Built-in credential types
– Username/Password, TOTP, DIGEST, X509, TOKEN
● Token-based Credentials can be used to
– Produce and consume your own tokens
– Consume tokens from 3rd-party Identity Providers, e.g. SAML, OpenID, CAS
● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.
13. Credential Example
public class UsernamePasswordCredentials extends AbstractBaseCredentials {
    private String userName;
    private String password;
    // getters and setters
}
14. Http Security
● Useful for Web and RESTful applications
● Path-based protection
– Authentication
– Authorization
● URL Rewriting
– /demo-app/#{identity.account.id}
● Authentication Schemes
– FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
– Write Your Own
builder.http()
    .allPaths()
        .authenticateWith()
            .form()
        .authorizeWith()
            .role("Administrator")
    .forPath("/logout")
        .logout();
15. Multiple Authentication Paths
● Authenticate based on a specific path configuration
builder.http()
    .forPath("/webpages/*")
        .authenticateWith()
            .form()
    .forPath("/rest/*")
        .withHeaders()
            .requestedWith("XMLHttpRequest")
        .authenticateWith()
            .token()
                .realmName("Ajax Requests Realm");
16. Path Groups
● Common policies may be enforced on different paths
String adminPathGroup = "Admin Resources";
builder.http()
    .forGroup(adminPathGroup)
        .authenticateWith()
            .form()
        .authorizeWith()
            .group("Administrators")
    .forPath("/admin/*", adminPathGroup);
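An added example (not from the slides) composing the path rules of slides 14 to 16 into one configuration observer: FORM login for browser pages, token authentication for AJAX calls to the REST API, a path group for the admin area with a role check, and a logout path. The /webpages, /rest and /admin layout and the login page names are assumptions; requests that match none of the rules are not covered by this policy, so every resource to be protected needs a rule.

```java
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Example observer (not part of PicketLink). Assumed layout: JSF pages under
// /webpages, a JSON API under /rest and an administration area under /admin;
// the login pages are placeholders.
public class HttpSecurityConfiguration {

    private static final String ADMIN_GROUP = "Admin Resources";

    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder.http()
            // Browser pages: FORM login with explicit login and error pages.
            .forPath("/webpages/*")
                .authenticateWith()
                    .form()
                        .loginPage("/login.html")
                        .errorPage("/login-error.html")
            // AJAX calls to the API: token authentication, selected by the
            // X-Requested-With header the client sends.
            .forPath("/rest/*")
                .withHeaders()
                    .requestedWith("XMLHttpRequest")
                .authenticateWith()
                    .token()
                        .realmName("Ajax Requests Realm")
            // Admin area as a path group, so every admin path gets the same
            // authentication plus a role check.
            .forGroup(ADMIN_GROUP)
                .authenticateWith()
                    .form()
                .authorizeWith()
                    .role("Administrator")
            .forPath("/admin/*", ADMIN_GROUP)
            // Dedicated logout path.
            .forPath("/logout")
                .logout();
    }
}
```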
17. PicketLink Identity Management API
● What is it?
– Build Your Own Security Model
– Identity and Access Management API
– Built-In Identity Stores:
● LDAP, Relational Database, Filesystem, Token, Mixed
● Write Your Own
– Multi-tenancy
– Flexible Identity Model
18. Identity Model Example
● Custom Identity Model Guide
– http://picketlink.org/gettingstarted/custom_idm_model/
● Common requirements for SaaS
– Realm
– User
– Application
– Global and Application Roles
– Global and Application Groups
19. Basic Identity Model
● Out-of-the-box implementation for very simple use cases
● You are not forced to use it
● Helps you to quickly evaluate PicketLink features
● In real-world use cases, you would prefer writing your own Identity Model
20. Example Code
private @Inject IdentityManager identityManager;
private @Inject RelationshipManager relationshipManager;

public void addUser(String userName, String password) {
    User john = new User(userName);
    // add user
    identityManager.add(john);
    Password credential = new Password(password);
    // update credential
    identityManager.updateCredential(john, credential);
}

public void addRole(String roleName) {
    Role manager = new Role(roleName);
    // add role
    identityManager.add(manager);
}

public void grantRole(User assignee, Role role) {
    Grant grant = new Grant(assignee, role);
    // create relationship, granting role to user
    relationshipManager.add(grant);
}
21. Authorization
● Annotation-based Authorization
– @LoggedIn
– @RolesAllowed
– @GroupsAllowed
– @PartitionsAllowed
– @RequiresPermission
– @Restrict
– Write Your Own
● Programmatic Authorization
– Using PicketLink IDM Query API
RelationshipQuery<Grant> query =
    relationshipManager.createRelationshipQuery(Grant.class);
query.setParameter(Grant.ASSIGNEE, assignee);
query.setParameter(Grant.ROLE, role);
boolean hasRole = !query.getResultList().isEmpty();
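An added example (not from the slides) that puts the IDM calls of slide 20 and the role query of slide 21 into one CDI bean, next to a declarative @RolesAllowed check. The bean and method names are assumptions, the Role passed to register() is assumed to be stored already (identityManager.add(role), as on slide 20), and the PicketLink authorization interceptor is assumed to be active for the deployment.

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.authorization.annotations.RolesAllowed;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.RelationshipQuery;

// Example bean (not part of PicketLink) combining the IDM calls from the
// Example Code slide with the relationship query from the Authorization slide.
@RequestScoped
public class AccountService {

    public static final String ADMIN_ROLE = "Administrator";

    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;

    // Creates the user, stores its password as a credential (not as a user
    // attribute) and grants an already stored role, all in one place.
    public User register(String userName, String password, Role role) {
        User user = new User(userName);
        identityManager.add(user);
        identityManager.updateCredential(user, new Password(password));
        relationshipManager.add(new Grant(user, role));
        return user;
    }

    // Programmatic check: is there a Grant relationship linking user and role?
    public boolean hasRole(User user, Role role) {
        RelationshipQuery<Grant> query =
            relationshipManager.createRelationshipQuery(Grant.class);
        query.setParameter(Grant.ASSIGNEE, user);
        query.setParameter(Grant.ROLE, role);
        return !query.getResultList().isEmpty();
    }

    // Declarative check: PicketLink rejects callers without the role before
    // the method body runs, so the check cannot be forgotten at call sites.
    @RolesAllowed(ADMIN_ROLE)
    public void disableUser(User user) {
        user.setEnabled(false);
        identityManager.update(user);
    }
}
```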
22. Permissioning
● Privileges for application resources
– Assignee is allowed to perform operation on resource
● Provided by PicketLink IDM
– John has permission to read file.txt
– John has permission on classes of type
– John has permission on JPA Entity with identifier
● Identity Bean methods for permission checks
– boolean hasPermission(Object resource, String operation);
– boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
23. PicketLink Forge Addon
● Useful to quickly configure a project with PicketLink
● Configures a JPA Identity Store
– Generate entities from your Identity Types
● Authentication
– Choose a method
● Project Templates
– Have an idea? Help us!
$ picketlink-setup --version 2.7.0.Beta2
$ picketlink-setup --feature idm
$ picketlink-setup --feature http
$ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
24. PicketLink Quickstarts
● Over 30 example applications
● Useful to get started and understand most of PicketLink features
● Clone, import to your IDE, check out a tag and deploy
git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
git checkout v2.7.0.CR1
mvn clean package jboss-as:deploy
# or, for WildFly:
mvn -Pwildfly clean package wildfly:deploy
25. Thank You!
● Visit our site at http://picketlink.org
– You can find useful guides
– Access to documentation
● GitHub
– https://github.com/picketlink/
● Join us on the #picketlink IRC channel on Freenode
● Social
– @picketlink
– Google+ PicketLink Community
27. Creating a Simple Application
● Using PicketLink Forge Addon
– FORM-based Authentication
– RBAC
– Protect Application Resources
– User and Role Management
● Simple application to focus only on the security bits