JBoss Community Archive (Read Only)

PicketBox

Java Application Security

(Some of the feature set is under development.) Please start with the final releases.

Requirements Document: https://docs.google.com/document/pub?id=15kEFSBAaHp8maIoecj5FzYKAVoUD6nEoMDbDFqtQ4rE

Why do I need application security support from PicketBox when I can use EE container security?

Let us answer this question by looking at some of the use cases application developers usually encounter.

  1. Use case from Bill Burke. You have a web application that is accessed from a browser as well as from mobile clients. From the browser you may want to do regular FORM authentication, but for mobile clients you may have to do token-based and/or OAuth-style access control. With servlet specification security, this is not possible.

  2. I want to lock out users after failed password attempts.

  3. I want to email password reminders to users when they forget their passwords.

  4. I want to step up authentication or have secondary authentication based on some rules.

  5. I need security for JSON objects.

These are just some of the use cases application developers may have that require an application security framework.

What does PicketBox Application Security support look like?

PicketBox is a project that works wonders for application security.

It provides the following features:

  1. Choice of HTTP Authentication Schemes (BASIC, DIGEST, FORM, CLIENT-CERT or you write your own authentication scheme).

  2. Choice of Authentication Managers (file-based, LDAP-based, database-based, etc.).

  3. Choice of Authorization Managers (Drools-based authorization, XACML-based authorization, Deltaspike Security-based authorization, or write your own authorization mechanism).

    1. Drools gives you rule-based capabilities that allow powerful yet simple access control rules.

    2. XACML is an OASIS standard that allows standards-based access control.

  4. Audit Capabilities.

  5. Use your favorite Dependency Injection Framework: Seam Solder, Spring, etc.

  6. Password Masking.

  7. Infinispan-based distributed cache support.

  8. User Model based on Deltaspike IDM.

  9. Decouple applications from security code.

    1. You will use filters or interceptors.

  10. JSON security.

  11. Application Session Management.

In addition, the features provided include:

  • Account Lockout Facility.

  • Password Reminders.

  • Changing Password Functionality.

  • One-Time Password support (for those marketing emails you send).

    • Includes OTP Tokens.

In addition, the PicketLink family of projects will provide you with Single Sign-On, OpenID, OAuth and SAML2 support.

TODO

  • Enrich exception hierarchy: UserNotFoundException, InvalidCredentialsException, LockedUserException, etc.

  • Account locking

  • Password resetting

  • Users provisioning/deprovisioning

  • Remember-me authentication

  • Auditing and Intrusion Detection

  • Concurrent Session Configuration

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:16:05 UTC, last content change 2013-02-08 22:21:23 UTC.