2 Replies Latest reply on Jun 5, 2014 5:44 PM by inacio-silva

    Is PicketLink a solution for browser, rest and ejb sso authentication?

    inacio-silva

      In my architecture each application is on a specific JBoss profile.

      Each application has several rest services inside it.

      I need an SSO solution including browser authentication and REST access in another application.

      The transactional control is implemented with EJB, so I need security context propagation too.

      My users and roles backend is in an OpenLDAP server and I have a customized login module to access it.

       

      Resteasy OAUTH2 doesn't deal with ejb authentication.

       

      SSO valve works well, but only between apps in the same profile.

       

      Is PicketLink ready to solve my problems?

       

       

      Thanks in advance!

      Inácio

        • 1. Re: Is PicketLink a solution for browser, rest and ejb sso authentication?
          anil.saldhana

          Because of [PLINK-115] SP SAML Handler to put IDP Assertion Into Http Session - JBoss Issue Tracker, the Service Provider (web application) can put the SAML assertion received from the IDP in the HttpSession.  Now, in the web application that makes calls to EJBs, you can use this SAML assertion as the credential for the user.  On the EJB side, you will need to have login modules to validate the SAML credential.

           

          Protecting EJB Endpoints - PicketLink - Project Documentation Editor

          1 of 1 people found this helpful
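The flow Anil describes, written out as an added example (this is not code from the thread or from the PicketLink project): a JAX-RS resource in the SP web application reads the assertion that the SP's SAML handler stored in the HttpSession and hands it to the EJB security domain as the caller's credential, leaving validation of the assertion to that domain's login modules. Everything beyond the thread is an assumption: the session attribute name `GeneralConstants.ASSERTION_SESSION_ATTRIBUTE_NAME`, the use of PicketBox's `SecurityContextAssociation` to carry the credential into the in-VM EJB call, the `OrderService` bean and its `listOrders` method, and the `/orders` path. The domain name `ejb-remoting-sts` is the one from Inácio's post.

```java
package example; // hypothetical package

import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SimplePrincipal;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.w3c.dom.Element;

// Hypothetical stateless EJB; the real bean would carry
// @Stateless and @SecurityDomain("ejb-remoting-sts").
interface OrderService {
    String listOrders();
}

@Path("/orders")
public class OrderResource {

    // EJB security domain named in the thread. Its login modules (for example
    // SAML2STSLoginModule) are what actually validate the assertion; nothing
    // in this class trusts the assertion on its own.
    private static final String EJB_SECURITY_DOMAIN = "ejb-remoting-sts";

    @EJB
    private OrderService orderService; // assumed EJB, see interface above

    @GET
    @Produces("text/plain")
    public String list(@Context HttpServletRequest request) {
        SamlCredential credential = assertionFromSession(request);
        Principal user = request.getUserPrincipal(); // set by the SP authenticator
        if (credential == null || user == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        try {
            // Assumed mechanism: build a PicketBox security context for the EJB
            // domain whose credential is the SAML assertion, so the EJB container
            // passes the assertion to the domain's login modules for validation
            // (signature, validity period) before any roles are assigned.
            SecurityContext sc = SecurityContextFactory.createSecurityContext(EJB_SECURITY_DOMAIN);
            sc.getUtil().createSubjectInfo(new SimplePrincipal(user.getName()), credential, null);
            SecurityContextAssociation.setSecurityContext(sc);
            return orderService.listOrders();
        } catch (Exception e) {
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        } finally {
            // Restore the web tier's own context so the assertion cannot leak
            // into the next request served by this thread.
            SecurityContextAssociation.setSecurityContext(previous);
        }
    }

    // Reads the assertion the SP handler stored in the session. The attribute
    // name and the stored type (DOM Element or String) are assumptions.
    static SamlCredential assertionFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object assertion = session.getAttribute(GeneralConstants.ASSERTION_SESSION_ATTRIBUTE_NAME);
        if (assertion instanceof Element) {
            // Keep the DOM form so the IDP's signature stays verifiable on the EJB side.
            return new SamlCredential((Element) assertion);
        }
        if (assertion instanceof String) {
            return new SamlCredential((String) assertion);
        }
        return null;
    }
}
```

The point of the `finally` block is that the security context is thread-associated: if it is not restored, a later request served by the same worker thread would run EJB calls under the previous user's assertion.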
          • 2. Re: Is PicketLink a solution for browser, rest and ejb sso authentication?
            inacio-silva

            Thank you for the answer Anil!

             

            Now, I'm very confused.

             

            Do I need an IDP and an STS application, besides the SP applications?

            I deployed both the IDP and the STS on the same server, and the SP on another one.

            I get the WSDL when accessing this URL: http://localhost:8080/picketlink-sts/PicketLinkSTSService?wsdl

            Apparently my STS is well deployed.

             

             

            My ejb is annotated with @SecurityDomain("ejb-remoting-sts")

            When I access a REST resource that injects my stateless EJB, I'm redirected to the IDP. I log in and get an exception when the EJB's method is accessed:

             

            18:16:30,872 DEBUG [org.jboss.security] (default task-4) PBOX000293: Exception caught: javax.naming.NameNotFoundException: policyRegistration -- service jboss.naming.context.java.policyRegistration
                at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:104)
                at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:202)
                at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:233)
                at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:188)
                at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
                at javax.naming.InitialContext.lookup(InitialContext.java:411) [rt.jar:1.7.0_55]
                at javax.naming.InitialContext.lookup(InitialContext.java:411) [rt.jar:1.7.0_55]
                at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.getPolicyRegistrationFromJNDI(EJBAuthorizationHelper.java:353) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]...

             

            My environment: WildFly-8.1.0.CR2

            PicketLink: 2.6.0.CR3

             

            Could you help me? What have I done wrong?

             

            Thanks in advance!

            Inacio