PicketLink Federation Module with Wildfly

A Picket Fence is a secure system of pickets joined together via some type of links. Basically, the Pickets by themselves do not offer any security. But when they are brought together by linking them, they provide the necessary security. This project is that link for other security systems or systems to bring together or join, to finally provide the necessary secure system. PicketLink is an umbrella project for security and identity management for Java Applications. PicketLink is an important project under the security offerings from JBoss.

PicketLink Features:

  • Robust IDM feature
  • Build model from various data sources such as Databases, LDAP, File System and mix-n-match!
  • Simple API for Users, Roles, Groups and Attributes.
  • Suitable for JavaEE Applications
  • Use CDI based application programming.
  • Robust Authentication Support
  • Extensive Access Control/Authorization Support
  • PicketLink has a permission model that allows you to have robust access control for your Java Applications.
  • Permission implementations include ACL and Drools Rules based implementations.
  • Plug in your own access control
  • API allows custom authorization implementations.
  • SAML Web Browser Profile Single Sign-On
  • PicketLink provides SSO using SAML v1.1 and v2.0
  • PicketLink allows you to incorporate Social Login into your applications. You can build applications that allow sign in using Facebook, Google and Twitter.
  • PicketLink allows JavaEE applications to incorporate robust security. JavaEE constructs are supported.

You can have all api documentations over here

Federation Module and Concepts:

When using the PicketLink subsystem to configure and deploy your identity providers and service providers, all of them are grouped in a Federation. A Federation can be understood as a Circle of Trust (CoT) from which applications share common configurations (certificates, saml specific configurations, etc) and where each participating domain is trusted to accurately document the processes used to identify a user, the type of authentication system used, and any policies associated with the resulting authentication credentials. Each federation has one Identity Provider and many Service Providers. You do not need to specify for each SP the IDP that it trusts, because this is defined by the federation.

For testing federation we can use the picket link installer to update all the modules related to picket link in Jboss wildfly and then proceed on configurating the federation related details like below example:

Example:

PicketLink Installer

The PicketLink Installer is a simple Apache Ant script that applies all the necessary changes to your JBoss Enterprise Application Platform 6.1 installation, including:

• Updates the PicketLink module with the latest libraries.

• Installs the PicketLink Subsystem.

You can download the picket link installer from below link

http://downloads.jboss.org/picketlink/2/2.6.0.Final/picketlink-installer-2.6.0.Final.zip

Once you’ve downloaded, extract the ZIP file, enter the directory that was created and execute the following command:

ant

Now you should be prompted for the full path of your JBoss Application Server installation.

[input] Which JBoss Application Server are you using ? ([eap], wildfly)

Eap/wildfly

[input] Please enter the path to your JBoss Application Server installation:

Once done make sure you have below configurations in your configuration files of Jboss

All the necessary PicketLink libraries are available in your JBoss Application Server installation from JBoss Modules. To configure them in your deployment, just add a META-INF/jboss-deploymentstructure.xml file inside the root directory of your deployment to configure the dependencies as follows:

<jboss-deployment-structure>

<deployment>

<dependencies>

<!– This will enable PicketLink Federation to your deployment. –>

<module name=”org.picketlink” />

</dependencies>

</deployment>

</jboss-deployment-structure>

AND

<jboss-deployment-structure>

<deployment>

<dependencies>

<!– This will enable PicketLink Authentication/Authorization and IDM dependencies to your

deployment. –>

<module name=”org.picketlink.core” meta-inf=”import”/>

<module name=”org.picketlink.core.api” meta-inf=”import”/>

<module name=”org.picketlink.idm.api” meta-inf=”import”/>

</dependencies>

</deployment>

</jboss-deployment-structure>

AND

<jboss-deployment-structure>

<deployment>

<dependencies>

<!– This will enable only the IDM dependencies to your deployment. –>

<module name=”org.picketlink.idm” />

</dependencies>

</deployment>

</jboss-deployment-structure>

It is strongly recommended that you use the PicketLink libraries from your JBoss Application Server modules. You don’t need to add any additional library to your deployments and you can easily manage the PicketLink libraries without requiring changes to your deployments. Considering that you no longer need the PicketLink libraries inside your deployment, you must change your Maven dependencies to use the PicketLink dependencies with scope provided:

<dependency>

<groupId>org.picketlink</groupId>

<artifactId>picketlink-api</artifactId>

<scope>provided</scope>

</dependency>

<dependency>

<groupId>org.picketlink</groupId>

<artifactId>picketlink-idm-api</artifactId>

<scope>provided</scope>

</dependency>

Setting Up Federation Services:

Download ant tool from : http://apache.mirrors.lucidnetworks.net//ant/binaries/apache-ant-1.9.4-bin.zip

Download PicketLink From: http://downloads.jboss.org/picketlink/2/2.6.0.Final/picketlink-installer-2.6.0.Final.zip

Extract and copy the ant tool to some location in D drive and add it to the system variable to make it available in command line.

Setting Apache Ant Tool Path

Extract the picket link tool to some location in D drive and open command prompt and execute below steps to patch the picket link to wildfly

Cd to picketlink extract folder

Run “ant” and provide the input like below screenshot to configure and patch.

You shall see output like below:

D:\wildfly-8.1.0.CR1\picketlink-installer-2.6.0.Final>ant

Unable to locate tools.jar. Expected to find it in D:\lib\tools.jar

Buildfile: D:\wildfly-8.1.0.CR1\picketlink-installer-2.6.0.Final\build.xml

prepare:

[echo]

[echo] ####################################################################################

[echo] Welcome to the PicketLink Installer

[echo]

[echo] This installer will update your JBoss Application Server installation with the

[echo] following libraries and their dependencies:

[echo]

[echo] – PicketLink Core 2.6.0.Final

[echo] – PicketLink Identity Management 2.6.0.Final

[echo] – PicketLink Federation 2.6.0.Final

[echo]

[echo] New modules will be added to your installation.

[echo] ####################################################################################

[echo]

[input] Which JBoss Application Server are you using ? ([eap], wildfly)

wildfly

[input] Please enter the path to your JBoss Application Server installation:

D:\wildfly-8.1.0.CR1

re-install-check:

backup-as7-files:

eap.check.test:

pre-install-picketlink:

[echo] Updating PicketLink Modules …

[copydir] DEPRECATED – The copydir task is deprecated. Use copy instead.

[copydir] Copying 17 files to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink.bkp

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\standalone\configuration

[copydir] DEPRECATED – The copydir task is deprecated. Use copy instead.

[copydir] Copying 10 files to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\common\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\config\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\core\api\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\core\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\idm\api\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\idm\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\idm\schema\main

install-picketlink-eap:

wildfly.check.test:

install-picketlink-wildfly:

[echo] Updating PicketLink Module for Wildfly…

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\federation\main

[copy] Copying 1 file to D:\wildfly-8.1.0.CR1\modules\system\layers\base\org\picketlink\federation\bindings\main

install:

[echo]

[echo] ################################################################

[echo] Thanks for using PicketLink.

[echo] ################################################################

[echo]

BUILD SUCCESSFUL

Total time: 26 seconds

D:\wildfly-8.1.0.CR1\picketlink-installer-2.6.0.Final>

PicketLink Installer on Wildfly

Download the below two example wars to configure and test federation services.

http://repository-picketlink.forge.cloudbees.com/snapshot/org/picketlink/quickstarts/picketlink-federation-saml-idp-basic/2.6.0-SNAPSHOT/picketlink-federation-saml-idp-basic-2.6.0-20140623.133201-19-wildfly.war

http://repository-picketlink.forge.cloudbees.com/snapshot/org/picketlink/quickstarts/picketlink-federation-saml-sp-post-basic/2.6.0-SNAPSHOT/picketlink-federation-saml-sp-post-basic-2.6.0-20140623.133204-19-wildfly.war

copy picketlink-federation-saml-idp-basic.war and picketlink-federation-saml-sp-post-basic.war to

${JBOSS.HOME.dir}/standalone/deployments folder.

Open both files and remove the following configuration files:

• WEB-INF/picketlink.xml

• META-INF/jboss-deployment-structure.xml

• WEB-INF/jboss-web.xml

You can extract the war files using winzip , delete the above war files and keep the wars as a exploded folders itself after removing the above mentioned xml files.

PicketLink Sample wars for IDP and SP testing

Add below subsystem to the standalone.xml file and start the wildfly

<subsystem xmlns="urn:jboss:domain:picketlink-federation:1.0">

<federation alias="example-federation">

<!-- Identity Provider configuration -->

<identity-provider alias="picketlink-federation-saml-idp-basic.war" securitydomain="idp" url="http://localhost:8080/idp/">

<trust>

<trust-domain name="localhost" />

</trust>

</identity-provider>

<!-- Service Provider configuration -->

<service-providers>

<service-provider alias="picketlink-federation-saml-sp-post-basic.war" securitydomain="sp" url="http://localhost:8080/sales-post/" />

</service-providers>

</federation>

</subsystem>

To make sure that everything is ok, please start JBoss AS and try to access the sales application. You should be redirected to the IdP application.

You can check below link for other apps SP and IDP configurations:

https://docs.jboss.org/author/display/PLINK/WildFly+Configuration

Note: You can check below link on picketlink current issues with jboss Wildfly.

https://issues.jboss.org/browse/PLINK/?selectedTab=com.atlassian.jira.jira-projects-plugin:issues-panel

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply