Removing PicketLink Quickstarts. Adding git submodule to https://github.com/picketlink/picketlink-quickstarts. #584

Closed
wants to merge 2 commits into from


pedroigor
Contributor

No description provided.

@sgilda
Contributor

sgilda commented Aug 13, 2013

@pedroigor : Should we close the other picketlink quickstart pulls?

@pedroigor
Contributor Author

Yes. We can close all of them.

@sgilda
Contributor

sgilda commented Aug 14, 2013

@pedroigor : There was feedback for these quickstarts in the separate URLs that were closed. Were those addressed with this pull? Thought I would ask to save time before I go through them all again.

Also, I navigated to the picketlink-authentication-form quickstart and am not able to run the QS Tools utility. This is the log:

    [ERROR] The project org.jboss.as.quickstarts:jboss-as-picketlink-authentication-form:7.1.2-SNAPSHOT (/home/sgilda/GitRepos/quickstart-jdf/picketlink-quickstarts/picketlink-authentication-form/pom.xml) has 7 errors
    [ERROR] Non-resolvable import POM: Could not find artifact org.jboss.bom:jboss-javaee-6.0-with-security:pom:1.0.7.CR9 in central (http://repo.maven.apache.org/maven2) @ line 71, column 19 -> [Help 2]
    [ERROR] 'dependencies.dependency.version' for org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec:jar is missing. @ line 85, column 17
    [ERROR] 'dependencies.dependency.version' for javax.enterprise:cdi-api:jar is missing. @ line 93, column 17
    [ERROR] 'dependencies.dependency.version' for org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec:jar is missing. @ line 101, column 17
    [ERROR] 'dependencies.dependency.version' for org.jboss.spec.javax.faces:jboss-jsf-api_2.1_spec:jar is missing. @ line 109, column 17
    [ERROR] 'dependencies.dependency.version' for org.picketlink:picketlink-api:jar is missing. @ line 117, column 17
    [ERROR] 'dependencies.dependency.version' for org.picketlink:picketlink-impl:jar is missing. @ line 124, column 17

Is version 1.0.7.CR9 of the JBoss BOM in Maven Central?

@pedroigor
Contributor Author

@sgilda : I have sent a PR to jboss-boms to get them updated with the latest PicketLink version. In this case, 2.5.0.CR1. I'm going to talk with @rafabene about the status.

@pedroigor
Contributor Author

@sgilda : jboss-bom 1.0.7.CR9 is already available on Maven Central. Can you check it out?

@sgilda
Contributor

sgilda commented Aug 19, 2013

@pedroigor: Just to clarify.

The following are new quickstarts that need review:

  • picketlink-authentication-form
  • picketlink-authentication-http-client-cert
  • picketlink-authentication-recaptcha
  • picketlink-authorization-idm-ldap

The rest are existing quickstarts that were just moved to the external repository:

  • picketlink-authentication-http-basic
  • picketlink-authentication-http-digest
  • picketlink-authentication-idm-jsf
  • picketlink-authentication-idm-multi-tenancy
  • picketlink-authentication-jsf
  • picketlink-authentication-rs-endpoint
  • picketlink-authentication-two-factor
  • picketlink-authorization-idm-jpa
  • picketlink-authorization-rs-rbac
  • picketlink-deltaspike-authorization

Correct?

@pedroigor
Contributor Author

Yes.

@sgilda
Contributor

sgilda commented Aug 19, 2013

I get a few QS tools BOM errors on picketlink-authentication-recaptcha. There's also an issue with the license in src/main/java/org/jboss/as/quickstarts/picketlink/authentication/recaptcha/jsf/ReCaptchaService.java.

@sgilda
Contributor

sgilda commented Aug 19, 2013

QS tools checker reports quite a few violations for the picketlink-authorization-idm-ldap quickstart:

| Checker | Description | Violations |
| --- | --- | --- |
| BomVersionChecker | Check and verify if all quickstarts are using the recommended BOM version | 2 |
| DependencyChecker | Checks if all dependencies are using a BOM (not declare a version) and suggest what BOMs to use | 3 |
| DuplicateDependencyChecker | Checks if the POM has any duplicate dependency | 1 |
| DuplicatePropertiesChecker | | |
| FileHeaderChecker | Verifies if project files contains license header | 5 |

@sgilda
Contributor

sgilda commented Aug 19, 2013

Minor typo: There's a space in the middle of the word "authenticated" in the picketlink-authentication-form/src/main/webapp/protected/private.xhtml, line 21-22:

Hi <b>#{identity.account.loginName}</b>, this resource is protected. If you reach this page is because you're auth
enticated.

Other than that, the picketlink-authentication-form quickstart looks good to me.

@sgilda
Contributor

sgilda commented Aug 19, 2013

In the README for the picketlink-authentication-http-client-cert, I have a couple of suggestions:

  • Replace the 'Now let's create the...' with 'Now create the ...'
  • Provide CLI scripts to configure the web subsystem and to later remove it. We try to provide both scripts and the manual XML to make it easier. See sections in the README for the servlet-security and other quickstarts that provide configure-.cli and remove-.cli scripts.
  • Since this one requires more extensive setup, I think the README metadata Level should be "Intermediate"

I ran into a problem testing this one. I created the certificates as described and configured the server. The server does respond on https://localhost:8443.

However, when I "Click here here to access the protected resources.", I get:

    HTTP Status 403 - The requested resource requires a valid certificate.

I will go back through the certificate steps. I think they could be laid out in steps to make it easier.

@pedroigor : I will make some modifications to the README file for this one and send them to you via email.

@sgilda
Contributor

sgilda commented Aug 19, 2013

@pedroigor : I sent you a modified README.md file for the picketlink-authentication-http-client-cert quickstart.
When I modified it, I noticed this section:

    Before you access the application, you must import the *client.cer*, which holds the client certificate, into your browser. 
    When you access the application, the browser should ask you which certificate to use to authenticate with the server. Select it and you’re ready to go.

This didn't happen for me. I am not prompted to import the certificate. It just goes directly to the HTTP Status 403.

@sgilda
Contributor

sgilda commented Aug 19, 2013

In picketlink-authentication-recaptcha, there is a typo when you access the page.
s/bellow/below

Other than that, this quickstart works great!

@sgilda
Contributor

sgilda commented Aug 19, 2013

In the picketlink-authorization-idm-ldap quickstart README file,
Could you change line 64 from:
3. The prompt does not return, but you should see the following messages:
to:
3. The prompt does not return and you should see the following messages indicating the embedded LDAP server has started successfully

Change line 72 from:
If you get the output above is because the embedded LDAP server is now running. To terminate the server you can hit CTRL-C anytime.

To:
To terminate the embedded LDAP server, hit CTRL-C.

This quickstart works great!

@pedroigor
Contributor Author

sgilda: Two main things were done:

  1. Updated the quickstarts to reflect the latest changes from PicketLink. We had a specific change to the API that requires 2.5.0.CR2, which will be released this week. That said, the quickstarts won't compile for you.

  2. Fixed all QS validation errors (license, README, etc). Only those about the pom dependencies are happening.

Thanks.

@pedroigor
Contributor Author

We are going to release 2.5.0.CR2 tomorrow, update the BOMs and send another commit to change the quickstart BOM dependency.

@sgilda
Contributor

sgilda commented Aug 20, 2013

@pedroigor : I just tried running QS Tools against the updated picketlink-authentication-recaptcha quickstart and get these errors. Any idea what I did wrong?

    [ERROR] The project org.jboss.as.quickstarts:jboss-as-picketlink-authentication-recaptcha:7.1.2-SNAPSHOT (/home/sgilda/GitRepos/quickstart-jdf/picketlink-quickstarts/picketlink-authentication-recaptcha/pom.xml) has 9 errors
    [ERROR] Non-resolvable import POM: Could not find artifact org.jboss.bom:jboss-javaee-6.0-with-security:pom:1.0.7-SNAPSHOT @ line 74, column 19 -> [Help 2]
    [ERROR] Non-resolvable import POM: Could not find artifact org.jboss.bom:jboss-javaee-6.0-with-resteasy:pom:1.0.7-SNAPSHOT @ line 81, column 19 -> [Help 2]
    [ERROR] 'dependencies.dependency.version' for org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec:jar is missing. @ line 95, column 17
    [ERROR] 'dependencies.dependency.version' for javax.enterprise:cdi-api:jar is missing. @ line 103, column 17
    [ERROR] 'dependencies.dependency.version' for org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec:jar is missing. @ line 111, column 17
    [ERROR] 'dependencies.dependency.version' for org.jboss.spec.javax.faces:jboss-jsf-api_2.1_spec:jar is missing. @ line 119, column 17
    [ERROR] 'dependencies.dependency.version' for org.picketlink:picketlink-api:jar is missing. @ line 127, column 17
    [ERROR] 'dependencies.dependency.version' for org.picketlink:picketlink-impl:jar is missing. @ line 134, column 17
    [ERROR] 'dependencies.dependency.version' for org.jboss.resteasy:resteasy-jaxrs:jar is missing. @ line 140, column 17
[

@pedroigor
Contributor Author

@sgilda : I need to update the BOM and ask @rafabene to release with PicketLink 2.5.0.CR2.

I'll keep you informed once everything is ok.

@sgilda
Contributor

sgilda commented Aug 20, 2013

@pedroigor : The BOMs aren't available yet, so I can't run QS Tools or test the quickstarts, but the other changes look great! Thanks!

@sgilda
Contributor

sgilda commented Aug 21, 2013

@pedroigor : In the picketlink-authentication-http-client-cert README file, we should add a note telling them to back up the server configuration. It is also misleading and not obvious they can choose between the configuration options. Could you modify the README as follows:

Configure the Server to Use SSL

Now that the certificates and keystores are properly configured, you must enable SSL in the server configuration.

NOTE - Before you begin:

  1. If it is running, stop the JBoss Enterprise Application Platform 6.1 server.
  2. Back up the file: JBOSS_HOME/standalone/configuration/domain.xml
  3. After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.

You can configure the server by running the install-https.cli script provided in the root directory of this quickstart, by using the JBoss CLI interactively, or by manually editing the configuration file.

Configure the HTTPS Connector in the Web Subsystem by Running the JBoss CLI Script

@sgilda
Contributor

sgilda commented Aug 21, 2013

@pedroigor : I am still getting an HTTP Status 403 - The requested resource requires a valid certificate. when I access 'Click here here to access the protected resources.'

https://localhost:8443/jboss-as-picketlink-authentication-http-client-cert/protected/private.jsf

I will try once again with a new server.

@sgilda
Contributor

sgilda commented Aug 21, 2013

@pedroigor: Also, in the picketlink-authentication-http-client-cert README file, could you move the 'System Requirements' and 'Configure Maven' sections up after 'What is it?' and before 'Create the Client Certificates'?

@sgilda
Contributor

sgilda commented Aug 21, 2013

@pedroigor :

I created the certificates and imported the client.keystore into Google Chrome.
I configured the server.
I accessed the server at https://localhost:8443/jboss-as-picketlink-authentication-http-client-cert, I see:

    This site has requested that you identify yourself with a certificate: localhost:8443
    Choose a certificate to present as identification:
    client[62:43:9D:E8]
    Details of selected certificate:
    Issued to: CN = Sande Gilda
    OU = Red Hat
    O = Doc
    L = Raleigh
    ST = NC
    C = US

    Serial Number: 62:43:9D:E8
    Valid from 8/21/13 11:27:50 AM to 8/21/14 11:27:50 AM
    Issued by: CN = Sande Gilda
    OU = Red Hat
    O = Doc
    L = Raleigh
    ST = NC
    C = US

    Stored in: NSS Certificate DB

I click OK, then see: The site's security certificate is not trusted!
I click "Proceed anyway" and get the unprotected page that says "This is a public resource"
I click 'here' to access the protected resource (BTW, here is in the sentence twice: 'Click here here to access the protected resources.')
That takes me here: https://localhost:8443/jboss-as-picketlink-authentication-http-client-cert/protected/private.jsf
And I see: HTTP Status 403 - The requested resource requires a valid certificate.

Any idea what I am doing wrong?

@sgilda
Contributor

sgilda commented Aug 21, 2013

@pedroigor : Also, when I import the certificate into Firefox, it displays the 'client.cer', not the 'client.keystore'. It says the 'client.cer' is not valid. I choose the 'client.keystore', and I'm not prompted to enter a password. It doesn't appear to do anything and I don't see a new entry in the list.

When I access the secured site, I'm prompted with a "Certificate Viewer" dialog that says "Could not verify this certificate for unknown reasons" and lists all the data I entered when I created the certificate (as in my previous comment). I continue and get the same 'HTTP Status 403 - The requested resource requires a valid certificate.'

@sgilda
Contributor

sgilda commented Aug 21, 2013

These all work now and the instructions are clear.

@pmuir: These are ready for code review.

@pmuir
Contributor

pmuir commented Aug 22, 2013

For the recaptcha one, I'm wondering if we can't bind the recaptcha fields to a CDI bean, and then push that through to Google? This would remove some nasty boilerplate code.

Also, can we check we support the RestEasy client api in eap?

@pmuir
Contributor

pmuir commented Aug 22, 2013

Otherwise these look excellent. No issues I saw. Ready for merge I think @sgilda.

@sgilda
Contributor

sgilda commented Aug 22, 2013

Merged!

@sgilda sgilda closed this Aug 22, 2013