Siddhartha De

Recent Posts

Role-based access control behind a proxy in an OAuth access delegation

In my previous article, I demonstrated the complete implementation for enabling OAuth-based authorization in NGINX with Keycloak, where NGINX acts as the relying party for the authorization code grant. NGINX can also act as a reverse proxy for back-end applications (e.g., Tomcat, Open Liberty, WildFly, etc.) hosted on an enterprise application server.

Using Keycloak instead of Picketlink for SAML-based authentication

The Picketlink project is now a deprecated module in Red Hat JBoss Enterprise Application Platform (EAP), so there is a chance that Picketlink will no longer ship with the next release of EAP/WildFly and that there will not be any fixes for the Picketlink module in the near future.

Picketlink, however, is now merged into Keycloak, an open source identity and access management solution developed by Red Hat's JBoss Community. In this article, we'll present an alternative to the Picketlink module. Some organizations use Picketlink as the service provider to enable SAML-based authentication with a third-party identity provider (e.g., Active Directory Federation Services (AD FS), Okta, PingFederate, etc.). In this article, we'll see how the keycloak-saml adapter can be configured in place of Picketlink to enable SAML-based authentication with a third-party identity provider.

Configuring NGINX for OAuth/OpenID Connect SSO with Keycloak/Red Hat SSO

In this article I cover configuring NGINX for OAuth-based Single Sign-On (SSO) using Keycloak/Red Hat SSO. This allows the use of OpenID Connect (OIDC) for federated identity. This configuration is helpful when NGINX is acting as a reverse proxy for a back-end application server, for example Tomcat or JBoss, where the authentication is to be performed by the web server.

In this setup, Keycloak will act as the authorization server in OAuth-based SSO and NGINX will be the relying party. We will be using lua-resty-openidc, a library for NGINX that implements the OpenID Connect relying party (RP) and/or the OAuth 2.0 resource server (RS) functionality.

Elytron: A New Security Framework in WildFly/JBoss EAP

Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement for PicketBox and JAAS. Elytron is a single security framework that can be used both for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in WildFly.

The Elytron project covers the following:

  • SSL/TLS
  • Secure credential storage
  • Authentication
  • Authorization

In this article, we are going to explore using SSL/TLS in WildFly with Elytron.

Enabling SAML-based SSO with Remote EJB through Picketlink

Let's suppose that you have a remote Enterprise JavaBeans (EJB) application where the EJB client is a service provider (SP) application in a Security Assertion Markup Language (SAML) architecture. You would like your remote EJB calls to be authenticated using the same assertion that was used for the SP.

Before proceeding with this tutorial, you should have a basic understanding of EJB and Picketlink.

SSL Testing Tool

Suppose you have a large number of servers configured with SSL/TLS and you have lost track of their certificate validity; now, all of a sudden, you are worried that some of the certificates have expired.

Or consider another scenario, where you are required to understand the underlying SSL/TLS configuration of your servers, e.g., cipher suites, protocols, etc.

Yes, in the traditional way, you can get all the information about your SSL/TLS configuration by logging into each individual server and checking the certificates, but that is very difficult when your environment is very large.

To overcome this problem, I built a tool that gives you all the required details.

Integrating WebSphere MQ with JBoss Enterprise Application Server

I once worked on a project where, in the existing environment, I needed to configure the JBoss Enterprise Application Server to communicate with WebSphere MQ, and WebSphere MQ in turn was supposed to communicate with a mainframe system using a WebSphere cluster queue. Initially I was at a loss, as I could not see how to configure JBoss to communicate with MQ. But after some research, I learned that it is possible to integrate JBoss with WebSphere MQ, so that an application deployed in JBoss can put messages directly into WebSphere MQ.

If you are very familiar with JBoss and its architecture, you can complete this task by creating a new subsystem and the corresponding extension. Before you start configuring JBoss, you need to install the WebSphere MQ resource adapter in JBoss. The JBoss adapter can be found in the WebSphere MQ library; the file name is wmq.jmsra.rar.

Here are the steps for configuring an application to put messages into WebSphere MQ via the JBoss Enterprise Application Server.
