⁠Chapter 1. Overview

What's the best way to add security to the application?

PicketLink provides an easy way to enable security to an application. With a minimal configuration you are able to authenticate(Section 2.1, “Overview”), authorize(Section 11.1, “Overview”) and perform identity management(Section 3.1, “Introduction”) operations using a database or a LDAP identity store.

How do I authenticate and authorize users?

If you're already faimilar with JBoss Seam 2, you'll find PicketLink very familiar. PicketLink provides a Identity bean(Section 2.2, “Authentication API - The Identity Bean”) to represent your users with useful methods for authentication, logout and authorization. PicketLink also provides a bunch of authorization annotations(Section 11.1, “Overview”) that you can use to easily protect your beans and their methods.

How do I add Identity and Access Management(IAM) to my application ?

Identity Management is one of the core features provided by PicketLink. With a minimal setup you are able to manage users, roles, groups and relationships between them. It supports identity partitioning, useful for multi-tenancy architectures. You can even store your identity data using different repositories such as databases or LDAP servers.

How can I create a secure multi-tenancy architecture for my SaaS (Software as a Service) application ?

PicketLink supports identity partitioning. This means that you can logically separate your identity data into partitions. You can use a single repository or even use a different repository for each partition. For instance, using different database servers for each partition.

How can I enable Single Sign-On for my applications?

PicketLink provides an easy way to configure Single Sign-On based on the SAML specification. Enable your application as an Identity Provider or Service Provider requires only a few configuration.

How do I add authentication and authorization to my REST layer and API ?

PicketLink provides several features to secure REST-based applications. Regarding authentication, it supports both stateful and stateless authentication models, depending on your requirements. When using a steteless model user is re-authenticated on every single request, ideal when you have a huge load of requests. It also provides a simple API to manage JSON Web Token(JWT) and Javascript Object Signing and Encryption(JOSE), which you can use to create your own tokens or consume tokens following the format defined by these specifications. Authorization can also be done by using the different annotations provided by PicketLink. You can even define your own authorization annotations.

How do I protect my application HTTP resources and pages ?

PicketLink provides an easy, simple and powerful API for Http Security fully integrated with the Java Servlet API. It allows you to configure your aplication resources or paths to enable authentication and authorization. With a minimal setup you can enforce security policies such as authentication and authorization based on roles, groups, realms or even use EL expressions.

How can my application authenticate users using their Facebook, Twitter, or Google accounts ?

PicketLink provides support for Social Authentication using the most common providers such as Facebook, Twitter and Google. Please, take a look at the quickstarts(Section 1.3.1, “QuickStarts”) for some examples.