Table of Contents
PicketLink is an Application Security Framework for Java EE applications. It provides features for authenticating users, authorizing access to the business methods of your application, managing your application's users, groups, roles and permissions, plus much more. The following diagram presents a high level overview of the PicketLink modules and the main features provided by those modules:
Depending on exactly which PicketLink features you'd like to use, getting started can be as simple as adding the PicketLink jar libraries to your project (see Section 1.5, “Maven Dependencies” below for more info) and writing a few lines of code. To get started using PicketLink Identity Management to manage the users and other identity objects in your application, you can head straight to Section 3.2, “Getting Started - The 5 Minute Guide”. If you don't wish to use PicketLink IDM but would like to use PicketLink for authentication in your Java EE application but control the authentication process yourself then head to Section 2.3.1, “A Basic Authenticator” for simplistic example which you may adapt for your own application. If you wish to use SAML SSO then you can head to Chapter 12, Federation.
Here's some additional resources also to help you get started:
Please head to Chapter 14, PicketLink Quickstarts for more information about our quickstarts, covering some useful usecases and most of PicketLink features.
The latest version of the PicketLink API documentation can be found at http://docs.jboss.org/picketlink/2/latest/api/. This handy reference describes the user-facing classes and methods provided by the PicketLink libraries.
The base module provides the integration framework required to use PicketLink within a Java EE application. It defines a flexible authentication API that allows pluggable authentication mechanisms to be easy configured, with a sensible default authentication policy that delegates to the identity management subsystem. It provides session-scoped authentication tracking for web applications and other session-capable clients, plus a customisable permissions SPI that supports a flexible range of authorization mechanisms for object-level security. It is the "glue" that integrates all of the PicketLink modules together to provide a cohesive API, and also provides CDI producers to allow you to inject the PicketLink API objects directly into your application's beans.
The base module libraries are as follows:
-
picketlink-api- API for PicketLink's base module. -
picketlink-impl- Internal implementation classes for the base API.
The Identity Management module defines the base identity model; a collection of interfaces and classes that represent the identity constructs (such as users, groups and roles) used throughout PicketLink (see the Identity Management chapter for more details). As such, it is a required module and must always be included in any application deployments that use PicketLink for security. It also provides a uniform API for managing the identity objects within your application. The Identity Management module has been designed with minimal dependencies and may be used in a Java SE environment, however the recommended environment is Java EE in conjunction with the base module.
Libraries are as follows:
-
picketlink-idm-api- PicketLink's Identity Management (IDM) API. This library defines the Identity Model central to all of PicketLink, and all of the identity management-related interfaces. -
picketlink-idm-impl- Internal implementation classes for the IDM API.
PicketLink is licensed under the Apache License Version 2, the terms and conditions of which can be found at apache.org.
The PicketLink libraries are available from the Maven Central Repository. The dependencies can be easily configured in your Maven-based project by using the PicketLink Bill of Materials(BOM). A BOM is a very handy tool to properly manage your dependencies, their versions and keep your project in sync with the libraries supported and distributed by a specific PicketLink version.
For most applications using Java EE 6.0, the picketlink-javaee-6.0 BOM can be used to define the PicketLink and Java EE 6.0 specification APIs dependencies to your project.
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.6.0.CR1</version.picketlink.javaee.bom>
</properties>
<dependencyManagement>
<dependencies>
<!-- Dependency Management for PicketLink and Java EE 6.0. -->
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-javaee-6.0</artifactId>
<version>${version.picketlink.javaee.bom}</version>
<scope>import</scope>
<type>pom</type>
</dependency>
</dependencies>
</dependencyManagement>
Once the BOM is included, required PicketLink dependencies may be added to the section of your pom.xml. When using a BOM you don't need to specify their versions because this is automatically managed, the version in use depends on the BOM's version. For example, the configuration above is defining a version 2.6.0.CR1 of the picketlink-javaee-6.0 BOM, which means you'll be using version 2.6.0.CR1 of the PicketLink libraries.
For a typical application, it is suggested that you include the following PicketLink dependencies:
<dependencies>
<!-- Import the PicketLink API, we deploy this as library with the application,
and can compile against it -->
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-api</artifactId>
</dependency>
<!-- Import the PicketLink implementation, we deploy this as library with the application,
but don't compile against it -->
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-impl</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies>
PicketLink also provides a specific BOM with the Apache Deltaspike(core and security modules) dependencies if you want to use it in conjunction with PicketLink.
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.6.0.CR1</version.picketlink.javaee.bom>
</properties>
<dependencyManagement>
<dependencies>
<!-- Dependency Management for PicketLink and Apache Deltaspike. -->
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-javaee-6.0-with-deltaspike</artifactId>
<version>${version.picketlink.javaee.bom}</version>
<scope>import</scope>
<type>pom</type>
</dependency>
</dependencies>
</dependencyManagement>
The identity management library is a required dependency of the base module and so will be automatically included. If you don't wish to use the base module and want to use the PicketLink IDM library on its own, then only add the following dependencies:
<dependencies>
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-idm-api</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-idm-impl</artifactId>
<scope>runtime</scope>
</dependency>
If you wish to use PicketLink's Identity Management features and want to include the default database schema (see the Identity Management chapter for more details) then configure the following dependency also:
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-idm-simple-schema</artifactId>
</dependency>
Another way to configure the PicketLink dependencies (without using the PicketLink BOM) is to manually define them in your project's pom.xml file like so:
<properties>
<picketlink.version>2.6.0.CR1</picketlink.version>
</properties>
<dependencies>
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-idm-api</artifactId>
<scope>compile</scope>
<version>${picketlink.version}</version>
</dependency>
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-idm-impl</artifactId>
<scope>runtime</scope>
<version>${picketlink.version}</version>
</dependency>
</dependencies>
This last option may be more suitable for projects that don't use Java EE (for example in a Java SE environment).
Note
We strongly recommend using a BOM to configure your project with the PicketLink dependencies. This can avoid some very common and tricky issues like keep the versions in the project using the artifacts in sync with the versions distributed in a release.
The PicketLink Installer is a simple Apache Ant script that applies all the necessary changes to your JBoss Enterprise Application Platform 6.1 installation, including:
-
Updates the PicketLink module with the latest libraries.
-
Installs the PicketLink Subsystem.
-
Configures some of the PicketLink Quickstarts. Specially the PicketLink Federation examples. What means you can start using them to get a picture of the SAML Single Sign-On and other features provided by PicketLink Federation. !
Important
The installer is not a required step in order to get you started with PicketLink. But if you want the PicketLink Subsystem installed and the PicketLink module updated (in order to avoid ship the libraries inside your deployment) in your JBoss Enterprise Application Platform installation, it can be very useful.
The installer can be obtained from http://downloads.jboss.org/picketlink/2/2.5.3.Beta1/picketlink-1.1.4.Final-installer.zip. Once you've downloaded, extract the ZIP file, enter the directory that was created and execute the following command:
user@host picketlink-installer-1.1.4.Final]$ ant
Now you should be prompted for the full path of your JBoss Application Server installation.
prepare:
[echo]
[echo] ####################################################################################
[echo] Welcome to the PicketLink Installer
[echo]
[echo] This installer will update your JBoss Enterprise Application Platform 6 installation with the
[echo] following libraries and their dependencies:
[echo]
[echo] - PicketLink Core 2.6.0.CR1
[echo] - PicketLink Identity Management 2.6.0.CR1
[echo] - PicketLink Federation 2.6.0.CR1
[echo] - PicketLink Federation Quickstarts 2.1.8.Final
[echo] - PicketLink Subsystem 1.1.1.Final
[echo]
[echo] New modules will be added to your installation.
[echo] ####################################################################################
[echo]
[input] Please enter the path to your JBoss Enterprise Application Platform 6 installation:
And it is done !
Note
There is also a specific installer for JBoss Enterprise Application Platform 6.2. You can download it from http://downloads.jboss.org/picketlink/2/2.5.3.Beta1/picketlink-1.2.2.Final-installer.zip
We're always looking for ways to improve this documentation. If you think that we can enhance the way that any of PicketLink's features or concepts are explained, or even if you just spot a typo or grammatical error then please let us know on the PicketLink forums (you can find a link to the forums at www.picketlink.org). We appreciate any and all feedback that is provided.