[security-dev] Credentials API redesign

Bill Burke bburke at redhat.com
Thu Dec 6 10:46:16 EST 2012

On 12/6/2012 10:40 AM, Bill Burke wrote:
> On 12/6/2012 10:37 AM, Anil Saldhana wrote:
>> On 12/06/2012 09:00 AM, Darran Lofthouse wrote:
>>> I can see that there are cases where we know the User so it is desirable
>>> to supply it but there are still the cases where we don't know the user
>>> until after the credential has been verified.
>> This actually is valid when integrating with proprietary 3rd party
>> security systems.
>> Assume a proprietary token coming into the authentication system and
>> the auth system needs to pass this to the 3rd party system for
>> deciphering and authentication. Once the 3rd party system validates and
>> releases the user details, the auth system can perform its security
>> context initialization etc.  This has been seen in the domain of the App
>> Server with 3rd party sec systems.
> This is protocol specific and should not be handled by the IDM API.

I'll elaborate.  For example, lets say the token solely establishes 
identity and role mappings/permissions are stored in the IDM.  A 
specific integration LoginModule for the 3rd party should be written 
that interacts with the server.  The user identity should be transformed 
into a username/userid that can be used to lookup role mappings within 
the IDM.

Understanding and verifying the token with a third-party is beyond the 
scope of the IDM API IMO.  The IDM API should focus on storing and 
federating securitiy metadata.  It should not be worried about security 

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list