PicketLink is an umbrella project for security and identity management for Java Applications.

PicketLink is an important project under the security offerings from JBoss. The overall leadership of Security at JBoss is managed by Anil Saldhana.


What components are available under PicketLink projects?

For latest information, please refer to

  • IDM: Provides an object model for managing identities (users, groups, roles) and their associated behavior, backed by different identity stores such as LDAP and RDBMS.
  • Federated Identity: Support for SAMLv2, WS-Trust and OpenID.
  • XACML: OASIS XACML v2 implementation.
  • Negotiation: SPNEGO/Kerberos-based desktop SSO.

Who are the developers on this project?

Project sponsor is Dr. Mark Little, JBoss CTO.

All are welcome to contribute to this open source project.

Developers on this project (current and former):

  • Anil Saldhana
  • Boleslaw Dawidowicz
  • Stefan Guilhen
  • Sohil Shah
  • Pedro Igor
  • Shane Bryzak
  • Bruno Oliviera
  • Marek Posolda
  • Stian
  • Marko
  • Jeff Yu
  • Daniel Bevenius
  • Marcel Kolsteren (Seam Integration Lead - Community Volunteer)
  • Marcus Moyses
  • Darran Lofthouse
  • Babak Mozzafari

Is PicketLink officially supported by JBoss/Red Hat via the Enterprise Platforms (EAP, SOA-P, etc.)?

PicketLink is a community project. It is slowly making its way into the Enterprise Platforms sold by Red Hat Inc.

  • PicketLink is available in EAP, EPP and SOA. Full support or Tech Preview depends on the platform and version.
  • As always, please contact your Red Hat sales person for more information.

Additional Reference:


PicketLink is a community project available from JBoss Community. Its support mechanism is the user forum listed in "community" menu item above.


  • "Picketlink is the simplest solution for Seam based apps". (From the forums)
  • Used in production at  (Seam-based web application from the Netherlands).

Why the name "PicketLink"?

A Picket Fence is a secure system of pickets joined together via some type of links.  Basically, the Pickets by themselves do not offer any security. But when they are brought together by linking them, they provide the necessary security.  This project is that link for other security systems or systems to bring together or join, to finally provide the necessary secure system.

What is the difference between PicketLink and PicketBox?

PicketLink is the Identity Management project from JBoss.  PicketBox acts as the foundation for PicketLink. PicketBox provides the authentication, authorization, audit and other security functionality needed for Java applications.

What about the road map?

Blog Posts

JBoss Community Projects (including WildFly AS): OpenSSL HeartBleed Vulnerability
Apr 9, 2014 1:33 PM by Anil Saldhana
I want to take this post to summarize that "JBoss community projects including WildFly Application Server are not directly affected by the OpenSSL HeartBleed Vulnerability".

JBossWeb APR

JBossWeb APR functionality requires OpenSSL 0.9.7 or 0.9.8, neither of which is affected by this vulnerability.

I have consulted the Red Hat Security Response Team before posting this note. We continue to monitor the situation.
Feel free to report any anomalies using

We do recommend taking the appropriate precautions.

Please use the links in the references section for gauging indirect exposure to the HeartBleed vulnerability.

Indirect exposure may be possible:
  • A web server in front of JBoss/WildFly Application Server may be affected.
  • The operating system on which the JBoss community projects run may ship an affected OpenSSL.
  • OpenSSL v1.0.1 may be used elsewhere in your application infrastructure.
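As an added example, not code from the PicketLink project or from this post, the following POSIX shell script turns the indirect-exposure checklist above into a host check: it classifies an OpenSSL version string against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1 per the upstream advisory; 0.9.7/0.9.8, which JBossWeb APR requires, and 1.0.1g and later are not affected) and applies that to the system `openssl` binary and to an nginx front end. The choice of nginx as the front-end server and the binary names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not PicketLink project code: classify OpenSSL version strings
# against the HeartBleed-affected range and apply the check to the local
# "openssl" binary and to an nginx front end (assumed; adapt to your host).

# heartbleed_affected VERSION -> exit 0 if VERSION is in the affected range,
# 1 otherwise. Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and later, the 1.0.0 line and 0.9.7/0.9.8 are not affected.
# A build suffix such as "-fips" is tolerated.
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
    1.0.2-beta1|1.0.2-beta1-*)              return 0 ;;
    *)                                      return 1 ;;
  esac
}

# classify VERSION -> prints "AFFECTED", "not affected", or "unknown" for empty input
classify() {
  [ -n "$1" ] || { echo "unknown"; return; }
  if heartbleed_affected "$1"; then echo "AFFECTED"; else echo "not affected"; fi
}

# Version token of the openssl binary named by $1 ("openssl version" prints
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"); prints nothing if it is missing.
openssl_version_of() {
  command -v "$1" >/dev/null 2>&1 || return 0
  "$1" version 2>/dev/null | awk '{print $2}'
}

# OpenSSL version nginx was built against, from "nginx -V"
# ("built with OpenSSL 1.0.1e ..."); prints nothing if nginx is not installed.
nginx_openssl_version() {
  command -v nginx >/dev/null 2>&1 || return 0
  nginx -V 2>&1 | sed -n 's/.*built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Report on this host. Distributions backport the fix without bumping the
# version string (a patched 1.0.1e still reports 1.0.1e), so "AFFECTED" here
# means "verify against the distribution advisory", not "confirmed vulnerable".
report_host() {
  sys=$(openssl_version_of openssl)
  fe=$(nginx_openssl_version)
  printf '%-18s %-14s %s\n' "system openssl"  "$sys" "$(classify "$sys")"
  printf '%-18s %-14s %s\n' "nginx front end" "$fe"  "$(classify "$fe")"
}

report_host
```

The version-string check deliberately errs toward flagging: a distribution that patched 1.0.1e in place is reported as AFFECTED until the package changelog says otherwise, which is the safer failure mode when triaging hosts.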


Please refer to the following articles for more information:

Official OpenSSL Advisory:
HeartBleed Information:

Red Hat Official Announcement:

Amazon Web Services Advisory:

Official Linux Distribution Pages

SAML vs OAuth: Which one to use?
Nov 21, 2013 11:00 AM by Anil Saldhana
Please follow my DZone article on this important topic:

PicketBox XACML v2.0.9.Final Released
Jun 17, 2013 12:49 PM by Anil Saldhana
PicketBox XACML v2.0.9.Final has been released.

You can download it from

Information available at

Mostly a bug-fix release, except that we have made the locking used during PDP evaluation configurable.

Release Notes - PicketBox - Version picketbox_xacml_2.0.9.Final

  • [SECURITY-738] - XACML DatabaseResourceAttributeLocator fails when used with Oracle 11g Driver
  • [SECURITY-742] - JBossPDP.evaluate() lock should be flexible
  • [SECURITY-734] - Slow policy evaluation with a large number of policy sets

