[security-dev] IdentityManager interface

Anil Saldhana Anil.Saldhana at redhat.com
Thu Sep 27 10:46:09 EDT 2012

On 09/26/2012 02:24 PM, Jason Porter wrote:
> Hey all,
> I'm going through the API again as I've seen some changes since I last 
> went through it. I may be the only one in this boat, but I feel like 
> this interface is starting to become too crowded. Should some of the 
> methods be moved over to their respective objects (Identity, User, 
> Role, Group, etc)? Should we split things off into a different 
> interface? I'm also becoming concerned with the password and 
> certificate methods on there.
For each user/application, there can be multiple things that need to be 
- passwords
- oauth consumer secret
- certificates

As you later say, we probably need another class to manage these, rather 
than being in IdentityManager and IdentityStore.

> It seems to me these are essentially authentication challenges. 
> Eventually I'm sure we'll add more like OAuth or OpenId, two-factor 
> auth, etc. Will each of these be their own methods? Could it be a 
> configuration option to build up a chain of authentication challenge 
> providers? I had initially thought of a challenge object which would 
> allow input and provide a simple response: pass, fail, move to next 
> challenge. Maybe that's too broad or a bad idea, I don't really know, 
> just throwing out ideas.
I have already used PL IDM in my OAuth project. The biggest question I 
had was how do we represent applications that need to have a consumer 
key and consumer secret along with app name, app description, app icon 
and app redirect URL. Right now, I just modeled the application as a User.

> Just looking to make this easy to use and make sure it makes sense to 
> users (who I think would be coming from a Java EE background).
Users will deal with the IdentityManager interface alone. The IdentityStore 
interface is used by implementers of data store bridges - JPA, LDAP, 
file, etc.
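
The chain of authentication challenge providers floated in the quoted message, sketched as an added example that is not part of the original thread and not PicketLink IDM code. Every type and name below is hypothetical, and NEXT is assumed to mean "this provider has nothing to check for the supplied input". One provider type handles both a user's password and an application's OAuth consumer secret, keeping credential checks out of the identity interface.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration: all types here are hypothetical, none is PicketLink IDM API.
public class ChallengeChainDemo {
    enum Outcome { PASS, FAIL, NEXT }

    interface ChallengeProvider {
        Outcome challenge(String principal, Map<String, char[]> input) throws Exception;
    }

    // Store only a PBKDF2 derivation of each secret, never the secret itself.
    static byte[] derive(char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Checks one kind of shared secret (password, consumer secret) named by 'field'.
    static ChallengeProvider secretProvider(String field, Map<String, byte[]> stored, byte[] salt) {
        return (principal, input) -> {
            char[] supplied = input.get(field);
            if (supplied == null) return Outcome.NEXT;   // not this provider's credential type
            byte[] expected = stored.get(principal);
            if (expected == null) return Outcome.FAIL;   // unknown principal
            // MessageDigest.isEqual compares in constant time.
            return MessageDigest.isEqual(expected, derive(supplied, salt)) ? Outcome.PASS : Outcome.FAIL;
        };
    }

    static boolean authenticate(List<ChallengeProvider> chain, String principal,
                                Map<String, char[]> input) throws Exception {
        for (ChallengeProvider provider : chain) {
            Outcome outcome = provider.challenge(principal, input);
            if (outcome != Outcome.NEXT) return outcome == Outcome.PASS;
        }
        return false; // fail closed: no provider vouched for the principal
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; a real store would use a random salt per principal.
        byte[] salt = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
        Map<String, byte[]> passwords = Map.of("alice", derive("s3cret".toCharArray(), salt));
        Map<String, byte[]> appSecrets = Map.of("photo-app", derive("app-secret".toCharArray(), salt));
        List<ChallengeProvider> chain = List.of(secretProvider("password", passwords, salt),
                                                secretProvider("consumerSecret", appSecrets, salt));
        System.out.println(authenticate(chain, "alice", Map.of("password", "s3cret".toCharArray())));
        System.out.println(authenticate(chain, "photo-app", Map.of("consumerSecret", "wrong".toCharArray())));
        System.out.println(authenticate(chain, "alice", Map.of())); // no credential supplied
    }
}
```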
