(Some of the feature set is still under development.) Please start with the final releases.
Requirements Document: https://docs.google.com/document/pub?id=15kEFSBAaHp8maIoecj5FzYKAVoUD6nEoMDbDFqtQ4rE
Let us answer this question by looking at some of the use cases application developers usually encounter.
- Use case from Bill Burke. You have a web application that is accessed from a browser as well as from mobile clients. From the browser, you may want to do regular FORM authentication, but for mobile clients you may have to do token-based and/or OAuth-style access control. With servlet specification security, this is not possible.
- I want to lock out users after failed password attempts.
- I want to email password reminders to users when they forget their passwords.
- I want to step up authentication, or have secondary authentication, based on some rules.
- I need security for JSON objects.
These are just some of the use cases that application developers may have which call for an application security framework.
PicketBox is a project that works wonders for application security.
It provides the following features:
- Choice of HTTP Authentication Schemes (BASIC, DIGEST, FORM, CLIENT-CERT or you write your own authentication scheme).
- Choice of Authentication Managers (file-based, LDAP-based, database-based, etc.).
- Choice of Authorization Managers (Drools-based authorization, XACML-based authorization, Deltaspike Security-based authorization, or write your own authorization mechanism).
- Drools gives you powerful rule-based capabilities that allow powerful yet simple access control rules.
- XACML is an OASIS standard that allows standards-based access control.
- Audit Capabilities.
- Use your favorite Dependency Injection framework: Seam Solder, Spring, etc.
- Password Masking.
- Infinispan-based distributed cache support.
- User model based on Deltaspike IDM.
- Decouple applications from security code.
- You will use filters or interceptors.
- JSON security.
- Application Session Management.
In addition, the features provided include:
- Account Lockout Facility.
- Password Reminders.
- Changing Password Functionality.
- One-Time Password support (for the marketing emails you send).
- Includes OTP tokens.
In addition, the PicketLink family of projects will provide you with Single Sign-On, OpenID, OAuth and SAML2 support.
- Enrich exception hierarchy: UserNotFoundException, InvalidCredentialsException, LockedUserException, etc.
- Account locking
- Password resetting
- User provisioning/deprovisioning
- Remember-me authentication
- Auditing and Intrusion Detection
- Concurrent Session Configuration