0 Replies Latest reply on Mar 25, 2015 12:31 AM by starr_stealer

    PL Use Case: WildFly SSO with Picketlink IDM

    starr_stealer

I am adding PicketLink IDM to an existing deploy that relies on the SSO feature added to WildFly from the WFLY-2404 feature request. This form of SSO is simplistic because it is there to allow multiple deployments to share a Session instance; the deployments are linked via the Security Domain defined in the jboss-web.xml file. The WildFly SSO creates a cookie called JSESSIONIDSSO, which also allows authentication identities to be shared between deployments. This is mostly handled by the SingleSignOnAuthenticationMechanism class from Undertow.


My existing deployments run under WildFly 8.2.0 Final and are two WAR files using LdapUsersLoginModule as the JaaS LoginModule in the security domain configuration. I now need to add Groups, Roles and Permissions to my access control layer. PicketLink is the best framework to achieve the desired security setup, via the Identity Management module. Because PicketLink happens outside of the JaaS context, the SSO features of the container are not working, resulting in BASIC AUTH prompts when accessing content from the other WAR deployment.


After coming across a similar thread on this discussion forum, and speaking with Pedro Igor (pcraveiro), I have come to the conclusion that a JaaS LoginModule would be required to enable integration between PicketLink and WildFly SSO. I have created the following GitHub project to house collaboration efforts on this use case. While the basic JaaS user/pass authentication side will be trivial, from my perspective integrating the PicketLink PartitionManager and Sessions into the LoginModule may take heavy insight from the PL team insiders.


I want to keep track of this use case, because I feel that it can evolve to be part of the core PicketLink offerings. With WildFly getting more popular every day, migrating JBoss users who are used to the container-provided low-level SSO will desire the same features.


      starr0stealer/PL-IDM-JAAS-LM · GitHub


      WildFly Security Domain details


      Enable WildFly SSO

              <subsystem xmlns="urn:jboss:domain:undertow:1.2">
                  ...
                  <server name="default-server">
                      ...
                      <host name="default-host" alias="localhost">
                          ...
                          <single-sign-on path="/"/>
                      </host>
                  </server>
                  ...
              </subsystem>


      Sample WildFly Security Domain

              <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                      <security-domain name="sso" cache-type="default">
                          <authentication>
                              <login-module code="com.example.SecurityLoginModule" flag="required">
                                  <module-option name="usersProperties" value="users.properties"/>
                                  <module-option name="rolesProperties" value="roles.properties"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      ...
                  </security-domains>
              </subsystem>


      Link Deployment to Security Domain

      <jboss-web>
          <security-domain>sso</security-domain>
      </jboss-web>


      Sample PicketLink Configuration

      import javax.enterprise.context.ApplicationScoped;
      import javax.enterprise.event.Observes;

      import org.picketlink.config.SecurityConfigurationBuilder;
      import org.picketlink.event.SecurityConfigurationEvent;

      // CDI bean that observes PicketLink's configuration event at startup.
      @ApplicationScoped
      public class SecurityConfiguration {

          public void onInit(@Observes SecurityConfigurationEvent event) {
              SecurityConfigurationBuilder builder = event.getBuilder();

              builder
                      // HTTP layer: protect /rest/* with BASIC authentication
                      .http()
                      .forPath("/rest/*")
                      .authenticateWith()
                      .basic()
                      .realmName("security realm")
                      // IDM layer: JPA identity store with credentials and permissions enabled
                      .idmConfig()
                      .named("default")
                      .stores()
                      .jpa()
                      .supportType(getSupportedTypes())
                      .supportGlobalRelationship(getSupportedRelationships())
                      .supportCredentials(true)
                      .supportPermissions(true);
          }

          // getSupportedTypes() and getSupportedRelationships() return the identity and
          // relationship classes this deployment manages; they are defined elsewhere in this class.
      }
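The JaaS LoginModule this post calls for, as an added example written for this page (it is not code from the linked GitHub project or from PicketLink): it validates the BASIC username/password against PicketLink IDM and publishes the granted roles in the PicketBox "Roles" group, so the sso security domain, and with it JSESSIONIDSSO, carries the same identity for both WARs. Assumptions: the class name PicketLinkIdmLoginModule is hypothetical, the PartitionManager bean is looked up through CDI.current() (whether that lookup works from the security subsystem's class loader is exactly the open question of the post), and the module is registered in the security domain with a login-module element whose code attribute names this class.

```java
import java.util.*;
import javax.enterprise.inject.spi.CDI;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.picketlink.idm.*;
import org.picketlink.idm.credential.*;
import org.picketlink.idm.model.Account;
import org.picketlink.idm.model.basic.*;

// Hypothetical JAAS LoginModule: WildFly authenticates through it, PicketLink IDM holds the users and roles.
public class PicketLinkIdmLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Account account;    // set once login() has validated the credentials
    private List<Grant> grants; // role grants of that account, resolved in login()
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("could not obtain credentials: " + e.getMessage()); }
        if (nc.getName() == null || pc.getPassword() == null) throw new FailedLoginException("missing credentials");
        // Assumption: the deployment's PartitionManager bean is reachable through the CDI provider.
        PartitionManager pm = CDI.current().select(PartitionManager.class).get();
        UsernamePasswordCredentials creds = new UsernamePasswordCredentials(nc.getName(), new Password(pc.getPassword()));
        pc.clearPassword();
        pm.createIdentityManager().validateCredentials(creds); // outcome is reported through creds.getStatus()
        if (creds.getStatus() != Credentials.Status.VALID) throw new FailedLoginException("invalid username or password");
        account = creds.getValidatedAccount();
        grants = pm.createRelationshipManager().createRelationshipQuery(Grant.class)
                .setParameter(Grant.ASSIGNEE, account).getResultList();
        return true;
    }
    @Override public boolean commit() {
        // PicketBox convention: the caller principal plus a group named "Roles" whose members are the role names.
        subject.getPrincipals().add(new SimplePrincipal(((Agent) account).getLoginName()));
        SimpleGroup roles = new SimpleGroup("Roles");
        for (Grant g : grants) roles.addMember(new SimplePrincipal(g.getRole().getName()));
        subject.getPrincipals().add(roles);
        return true;
    }
    @Override public boolean abort() { account = null; grants = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

With this module in the sso security domain, a user authenticated in one WAR is seen with the same principal and roles in the other, which is what removes the second BASIC AUTH prompt.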