6 Replies Latest reply on Apr 3, 2014 4:06 AM by Maximos Sapranidis

    PicketLink public token RESTful web service

    Maximos Sapranidis Newbie

      Hello, let me start by saying sorry if these questions seem stupid; I tried my best to resolve them from the documentation.

      I am new to PicketLink and to security in general and I would like some guidance.

      I would like to start working on a project that uses a RESTful web service in the back-end and supports different clients that authenticate and interact with it using different authentication methods.

      Currently I have implemented a sample that is based on the RBAC and ticket-monster examples, so it's using username and password to authenticate a user. By default, when a user is created he is assigned a role that is then used for the role filtering.

      The ideal scenario would be:

      • User signs up on the service using username and password
      • He is assigned a public token which he can also use to authenticate
      • When using the public token, instead of using a cookie the clients are served with a digest that they need to include in every call


      I would like to offer a service where the user can use his public token to programmatically interact with my service, but can also log in from a web interface using username/password pairs.

      So my questions are:


      • Does PicketLink support something like that?
      • Is there a way for PicketLink to identify the session not from cookies but, for example, from a custom header or path parameter? I have tried setting the authentication digest as a param on the filter in the web.xml, but this didn't do the trick.
      • How can I generate a token with a limited expiration time? I know that this is possible with SAML, but I would like something simpler, like most APIs do, where you get a token and authenticate on each call.
      • Is it possible to authenticate on each call and not create sessions?


      Sorry for the length of my questions; I have been searching for a week through the documentation and on the web but didn't find any hint.