Comparing Authentication/Authorization Options
scrublet Jul 16, 2013 1:10 AM

I'm in the middle of developing a REST-based web application for JBoss AS7 and I've reached the point of implementing multi-role user security. It's probably best to outline some high-level requirements:
- Users will be created somehow in the server (or application? preferably server...). They will be assigned Roles (also created in the server).
- Roles will be in a simple 5-level hierarchy, where the lowest role has read-only access to resources, the middle roles have read-write access, and the top role has read-write plus the ability to manage the user/role system.
JBoss as a whole seems to provide several different projects that would let me avoid writing my own authentication/authorization provider that the application then utilizes. I'm going to attempt to summarize what I've found so far, but I am seriously doubting both the accuracy and completeness of this list:
- Built-in JBoss AS7 configuration - using the security domains/realms that come with an unmodified JBoss AS 7.1.1 installation, all configured in standalone-full.xml and connected in web.xml/jboss-web.xml project files
- GateIn - This seems to provide a lot of the configuration I'm interested in, but only in the context of portals/portlets. My application at this stage is primarily a back-end that can support any REST client and may in the future provide some sort of front-end on the server.
- PicketBox - This looks to be a Java SE-oriented project in line with the Java EE PicketLink (greatly oversimplifying here I'm sure)
- PicketLink - The new home for Seam 3 Security. At this stage this seems to be the most relevant to my goals, but its inclusion in JBoss AS 7 is unclear to me. On one hand I see it in the modules so it seems included, but the PicketLink project itself documents replacing these modules and configuring them as if this is a totally separate add-in. Additionally I do not see any documentation on the AS 7 side acknowledging PicketLink's existence/inclusion.
I'm pretty sure I'm not supposed to be using GateIn or PicketBox to accomplish this. I'm working through both AS7 and PicketLink documentation but wanted to see if there was some intended vision for how this should be done (e.g., if future versions of AS/WildFly were all going to depend on PicketLink for user management over anything else). Hopefully this all makes sense and I understand the purposes of these projects correctly.