8 Replies Latest reply on Apr 14, 2013 4:01 PM by Paul Keogh

    PicketLink and web app security

    Anil Arora Newbie

      Hello, all

       

      Are there any existing examples out there on how, going forward, we should be using PicketLink in our JEE web applications, in the JBoss AS 7 environment?  Last week, we noticed that Seam 3 all but disappeared, and unfortunately, documentation has now been harder to find across all of the various projects now (PicketLink, DeltaSpike, etc.)  It has been extremely frustrating to just to figure out where things are going.

       

      What are the recommended practices here?  We'd like to take advantage of IDM to do all of our User management, using JPA storage.  We will be requiring a security model for our webservices as well as our UI.  Where do we go from here?

       

      I've been trying to translate what I've been able to find with Seam 3 configuration to PicketLink 3 configuration, but it still seems off.  But if anyone has any suggestions, that would be helpful.

       

      Thanks!

        • 1. Re: PicketLink and web app security
          Lorenzo Luconi Trombacchi Newbie

          Hello,

           

          We are in the same situation. We have a lot o projects based on Seam 2 and Seam 3 and now Seam 3 doesn't exist any more! So we are moving some project in JSF2/CDI world without Seam and the first thing we need is a good authentication/authorization layer.

          After some web searches we found picketlink/picketbox and we were happy becouse we found what we were looking for.

          But after some days spent to figure out how to use this API we are not longer happy:

          - extemely poor documentation

          - missing API documentation

          - few examples and most of them are old (based on old API)

          - the main projects page (PircketLink and PicketBox) reference old versions and no documentations for theese too.

           

          So at present I think Picket* is not usable. Security requires a well documented API!

          If you find a valid solution let me know. We examined also Apache Shiro and Spring Security, but we didn't like them.

          Until DeltaSpike will not be ready (or Picket*), we will probably try to extract some code from seam-security.

           

           

          Lorenzo

          • 2. Re: PicketLink and web app security
            Luca Becarelli Newbie

            Hello ,

             

            what do you think abut 3.0.0.Alpha1 ?

            Like you I am struggling with migrating some projects from seam2.2 / seam2.3 to cdi and however i think that PicketLink is the right way.

             

            Luca

            • 3. Re: PicketLink and web app security
              Lorenzo Luconi Trombacchi Newbie

              I agree with you PicketBox and PicketLink are the right way, but I need to know howto use them :-)

              If you find some more docs let me know.

               

              Lorenzo

              • 4. Re: PicketLink and web app security
                David Phan Newbie

                I checked out code from git://github.com/picketlink/picketlink-quickstarts.git to learn how to use PicketLink.  I also used information on this page https://docs.jboss.org/author/display/PLINK/Installation since I use JBoss AS 7.

                 

                What's disappointing is that it seems one has to specify the URL of IDP in picketlink.xml which gets compiled into .war file.  This makes it difficult to do configuration at deployment time.  If someone knows of an alternative please provide the information.

                 

                I do agree that there is not much useful information.  No matter how good the software is if no one knows how to use it, it's worthless.

                 

                It seems to me that in the OpenSource age, people intend not to provide the information so that they can sell their own books.

                • 5. Re: PicketLink and web app security
                  Anil Arora Newbie

                  I'm disappointed with the lack of activity from this project even though all signs point to this as being what we should be using. 

                  Anyone hear from the lead developers on this project?

                  • 6. Re: PicketLink and web app security
                    Anil Saldanha Master

                    Anil Arora wrote:

                     

                    Hello, all

                     

                    Are there any existing examples out there on how, going forward, we should be using PicketLink in our JEE web applications, in the JBoss AS 7 environment?  Last week, we noticed that Seam 3 all but disappeared, and unfortunately, documentation has now been harder to find across all of the various projects now (PicketLink, DeltaSpike, etc.)  It has been extremely frustrating to just to figure out where things are going.

                     

                    What are the recommended practices here?  We'd like to take advantage of IDM to do all of our User management, using JPA storage.  We will be requiring a security model for our webservices as well as our UI.  Where do we go from here?

                     

                    I've been trying to translate what I've been able to find with Seam 3 configuration to PicketLink 3 configuration, but it still seems off.  But if anyone has any suggestions, that would be helpful.

                     

                    Thanks!

                    Hi,

                       PicketLink3 is where you should be going. The project is moving smoothly toward a 3.0 Release in June (https://docs.jboss.org/author/display/PLINK/PicketLink3.0-Roadmap).  We did have a Beta1 release recently (http://www.jboss.org/picketlink/downloads).  The docs are at http://docs.jboss.org/picketlink/3/     We missed uploading the docs for Beta1 which should be coming today or so.

                     

                    Shane wrote a blog post for the Alpha1  (http://in.relation.to/Bloggers/PicketLink30Alpha1Released)

                     

                    Any other questions, please ask.

                    • 7. Re: PicketLink and web app security
                      Anil Saldanha Master

                      David Phan wrote:

                       

                      I checked out code from git://github.com/picketlink/picketlink-quickstarts.git to learn how to use PicketLink.  I also used information on this page https://docs.jboss.org/author/display/PLINK/Installation since I use JBoss AS 7.

                       

                      What's disappointing is that it seems one has to specify the URL of IDP in picketlink.xml which gets compiled into .war file.  This makes it difficult to do configuration at deployment time.  If someone knows of an alternative please provide the information.

                       

                      I do agree that there is not much useful information.  No matter how good the software is if no one knows how to use it, it's worthless.

                       

                      It seems to me that in the OpenSource age, people intend not to provide the information so that they can sell their own books.

                      Quickstarts is the best way to learn to use the technology.  We are still updating the quickstarts for PicketLink v3.

                      • 8. Re: PicketLink and web app security
                        Paul Keogh Novice

                        Hi,

                         

                        Just come across PicketLink and it is exactly what I want !...

                         

                        I've built a JEE/JPA/JSF2 application with JBoss Forge and now I want to add role based access control to it.

                         

                        From reading the documentation, I *think* I can do this with PL but I need some examples/tutorial/guidance - can someone point me at the appropriate resources ?

                         

                        Thanks,