[security-dev] Credentials API redesign

Bill Burke bburke at redhat.com
Thu Dec 6 10:46:16 EST 2012



On 12/6/2012 10:40 AM, Bill Burke wrote:
>
>
> On 12/6/2012 10:37 AM, Anil Saldhana wrote:
>> On 12/06/2012 09:00 AM, Darran Lofthouse wrote:
>>> I can see that there are cases where we know the User so it is desirable
>>> to supply it but there are still the cases where we don't know the user
>>> until after the credential has been verified.
>> This actually is valid when integrating with proprietary 3rd party
>> security systems.
>> Assume a proprietary token coming into the authentication system and
>> the auth system needs to pass this to the 3rd party system for
>> deciphering and authentication. Once the 3rd party system validates and
>> releases the user details, the auth system can perform its security
>> context initialization etc.  This has been seen in the domain of the App
>> Server with 3rd party sec systems.
>>
>
> This is protocol specific and should not be handled by the IDM API.
>

I'll elaborate.  For example, let's say the token solely establishes 
identity and role mappings/permissions are stored in the IDM.  A 
specific integration LoginModule for the 3rd party should be written 
that interacts with the server.  The user identity should be transformed 
into a username/userid that can be used to look up role mappings within 
the IDM.

Understanding and verifying the token with a third party is beyond the 
scope of the IDM API IMO.  The IDM API should focus on storing and 
federating security metadata.  It should not be worried about security 
protocols.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
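The separation Bill describes, as an added example that is not part of the thread or of any JBoss/PicketLink code: a JAAS LoginModule hands the opaque token to a hypothetical third-party verifier (the protocol-specific part) and only then asks a hypothetical IDM role store to map the released user id to roles. The `ThirdPartyTokenVerifier`, `IdmRoleStore` and `NamedPrincipal` types, and the way they arrive through module options, are assumptions made for the example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical boundary to the proprietary system: it alone understands the
// token format and returns a stable user id, or null when the token is invalid.
interface ThirdPartyTokenVerifier { String verify(byte[] opaqueToken); }
// Hypothetical IDM lookup: stores and federates security metadata only.
interface IdmRoleStore { Set<String> rolesFor(String userId); }
// Minimal principal (Java 16+ record) attached to the Subject on commit.
record NamedPrincipal(String name) implements Principal {
    public String getName() { return name; }
}

public class ThirdPartyTokenLoginModule implements LoginModule {
    private Subject subject;
    private ThirdPartyTokenVerifier verifier;
    private IdmRoleStore idm;
    private byte[] token;
    private String userId;
    private Set<String> roles;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Wiring is container-specific; here the collaborators arrive via module options.
        this.verifier = (ThirdPartyTokenVerifier) options.get("verifier");
        this.idm = (IdmRoleStore) options.get("idm");
        this.token = (byte[]) options.get("token");
    }

    @Override public boolean login() throws LoginException {
        // Protocol-specific step: only the third party can validate the token.
        userId = verifier.verify(token);
        if (userId == null) throw new LoginException("token rejected by third-party system");
        // IDM step: map the established identity to its stored role mappings.
        roles = idm.rolesFor(userId);
        return true;
    }

    @Override public boolean commit() {
        subject.getPrincipals().add(new NamedPrincipal(userId));
        for (String r : roles) subject.getPrincipals().add(new NamedPrincipal(r));
        return true;
    }
    @Override public boolean abort() { userId = null; roles = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

The IDM is consulted only with a user id that the third party has already vouched for, so the token format never leaks into the IDM API.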
