2 Replies Latest reply on Mar 11, 2011 8:14 AM by Darran Lofthouse

    Would PicketLink STS help for securing AS7 management APIs?

    Darran Lofthouse Master

      As anyone who has ever worked with login modules that connect to a remote store of users is aware this can be a slow process and to optimise this process we make use of an authentication cache to minimise the required interaction with the remote system.

       

      For JBoss AS 7 when deployed in domain mode we now have a situation were we have many nodes sharing a domain controller but with each node able to recieve connections from clients independently, this means that any form of authentication caching is now potentially replicated across each node.  Once we introduce authentication caches we then need to be able to handle scenarios where there is a need to remove a cached identity - sometimes just to allow the roles to be loaded again but other times if it is believed a password has been compromised.

       

      I am considering for AS7 domain management if a security token may be a better solution so this thread is to check what PicketLink STS could or could not help with.

       

      I anticipate for AS7 that we would need a security token that would contain the following information as a minimum: -

      • User Identifier
      • List of Roles
      • Created Time
      • Expiration Time

       

      This would then be signed by the master domain controller.  Clients would then submit this on future requests so instead of communicating with the remote store the signature would be verified and the contents of the token used instead.  Where many different nodes could be called with this token all they need is the ability to verify that the token was signed by the master domain controller.

       

      These invocations would now be using the detyped APIs so either our Native API or the HTTP API but there wouldn't be any web service calls.

       

      In this scenario the token itself becomes the authentication cache, this does mean for scenarios where a user needs their roles re-loading they can just request a new token so one point to consider is if we still need a cross domain list of revoked tokens but this would only need to hold the details up to the expiration time of the revoked token.