[security-dev] [PicketBox 5] - Authentication API

Pedro Igor Silva psilva at redhat.com
Tue Jul 31 16:01:02 EDT 2012


Hi All,

    I would like to know your opinion about the authentication API that is being used by PicketBox 5. You can check some initial documentation here: https://docs.jboss.org/author/display/SECURITY/PicketBox+Authentication+API.

    We are considering some requirements during the construction of this API. They are as follows:

            - Easy-to-use and fast to get started;
            - Flexible architecture providing ways to use different mechanisms like Username/Password, Digest, Certificates, SASL, etc;
            - Unified authentication API.  Although you can use different mechanisms, the API usage is the same;
            - Allow authentication using multiple stores: properties, databases, LDAP, etc;
            - Hide mechanism's complexity from users. Users do not need to be aware of the complexities behind a specific mechanism;
            - Environment agnostic. You can use it in a pure Java SE application and in a JEE/CDI environment as well;
            - Challenge/Response design;
            - Authentication Events. Users should be able to observe specific authentication events like pre/post authentication, failures, etc;
            - Auditing.

Regards,
Pedro Igor

