What is PicketBox?
PicketBox is a Java Security Framework that provides Java developers the following functionality:
Additionally, we provide an Oasis XACML v2.0 compliant engine.
PicketBox requires a Java Virtual Machine v1.5 and higher.
Learn all about PicketBox from the following wiki article:
- Authorization (Access Control) Best Practices
- May 17, 2013 1:35 AM by Anil Saldhana
- After the recent wrestling match in the blogosphere that included vendors and analysts on XACML, I want to provide some best practices for access con…
- Is XACML really dead? Should we all go OAUTH?
- May 8, 2013 5:48 PM by Anil Saldhana
- Andras Cser from Forrester has a blog entry titled "XACML is dead". That is a catchy title for the blog post. :) As a participant in the creation of…
- JAX-RS and HTTPOnly flag in Cookies
- Feb 1, 2013 2:23 PM by Anil Saldhana
- JAX-RS in Java JAX-RS is an important technology/standard/specification in the JavaEE family. Version 1.1 is included in Java EE 6. JAX-RS enables J…
- View more blog posts
Frequently Asked Questions
Q. Why the name "PicketBox"?
You are familiar with a Picket Fence that provides a sense of security. The individual pickets are used together to provide a secure set up. Since this project provides the pieces necessary to provide a secure system, it makes sense to be called "PicketBox" ( a box of pickets).
Q. Why does the version start from v3 rather than v1?
PicketBox is a project that has been derived out of JBoss Security which saw v1 and v2.
Q. Does it provide Federated Identity Support?
You will need to look at PicketLink for that.
Q. Is there a requirement for JBoss Application Server?
Not really. You should be able to get it to work in a regular JDK environment.
Q. How does it compare to Acegi (Spring Security)?
Acegi is a popular security framework that utilizes Spring extensively. The objectives of both Acegi and PicketBox are the same : make security easier for Java developers. But the philosophy behind is slightly different.
Most of the Java applications run in either Servlet container such as Apache Tomcat or a Java EE Application server such as JBoss or Glassfish. All these containers have security in- built into them via the Java EE security specifications. What Acegi does is that it provides an uniform security framework utilizing spring that runs on these containers, but without the use of any of the container security features. Honestly, we should really be utilizing the BASIC, FORM, DIGEST and CLIENT-CERT form of authentication provided by the servlet containers for web applications. The container developers have spent years on security response, patches etc to fix vulnerabilities that a generic security framework cannot embrace.
PicketBox tries to integrate with containers such as JBoss Application Server seamlessly such that applications using PicketBox can have seamless security into JavaEE components such as EJB3 or web applications running.
Q. I am a web developer, why would I choose PicketBox?
If you are a web developer, I strongly suggest looking at JBoss Seam for your web development. It makes web development easy. Seam 3 will utilize PicketBox as its security foundation.
If you are not using Seam, then you should certainly look at the container security provided by the Servlet specification. If your requirements are beyond that, then you need to augment it via PicketBox.
Security Jobs At Red Hat
The following are links to open positions at Red Hat Inc.
Project PicketBox is very useful for Seam 3.