[security-dev] PicketLink IDM - Replace Default Credential Handler

Darran Lofthouse darran.lofthouse at jboss.com
Fri Jun 21 11:02:27 EDT 2013

Investigating SASL integration with PicketLink IDM shows the Plain 
mechanism working fine with a fairly default setup - however, as I am 
adding support for the Digest-based mechanism I seem to need to be able 
to replace the default CredentialHandler for UsernamePasswordCredentials.

On validating a request I don't believe that the code making use of the 
IDM should be aware of any of the storage details, so now I have users 
that could be stored with a plain text password or a pre-prepared ha1 hash.

What I would like is to add one CredentialHandler that can handle 
requests to validate both plain text passwords and digest credentials 
and decide internally how to handle them based on which one is currently 
associated with the agent.

My credential handler is registered as it allows me to add my new custom 
DigestPassword credential but it is not being used for the validation of 
a UsernamePasswordCredentials object.

Is there anything else I need to do to disable the default implementation?

Darran Lofthouse.
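
An added illustration, not part of the original message and not PicketLink code, of the behaviour the message asks for: one check that serves both plain and digest validation and decides internally from the stored form. All class, method and field names are hypothetical; the ha1 is assumed to be MD5(username:realm:password) over UTF-8 bytes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DualCredentialCheck {
    // Hypothetical storage model: exactly one of the two fields is non-null per user.
    static final class Stored {
        final String plain; // plain text password
        final byte[] ha1;   // pre-prepared MD5(username:realm:password)
        Stored(String plain, byte[] ha1) { this.plain = plain; this.ha1 = ha1; }
    }

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    static byte[] ha1(String user, String realm, String password) {
        try {
            return MessageDigest.getInstance("MD5").digest(utf8(user + ":" + realm + ":" + password));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is required on every Java platform
        }
    }

    // Plain mechanism: the caller passes the password and never sees the storage form.
    static boolean validatePlain(String user, String realm, String supplied, Stored s) {
        byte[] expected = s.plain != null ? utf8(s.plain) : s.ha1;
        byte[] actual = s.plain != null ? utf8(supplied) : ha1(user, realm, supplied);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    // Digest mechanism: both storage forms yield the same HA1 for the response check.
    static byte[] ha1For(String user, String realm, Stored s) {
        return s.ha1 != null ? s.ha1.clone() : ha1(user, realm, s.plain);
    }

    public static void main(String[] args) {
        String realm = "example-realm"; // constructed sample data
        Stored alice = new Stored("s3cret", null);
        Stored bob = new Stored(null, ha1("bob", realm, "hunter2"));

        System.out.println(validatePlain("alice", realm, "s3cret", alice));
        System.out.println(validatePlain("bob", realm, "hunter2", bob));
        System.out.println(validatePlain("bob", realm, "wrong", bob));
        System.out.println(validatePlain("bob", "other-realm", "hunter2", bob)); // HA1 is realm-bound
        System.out.println(MessageDigest.isEqual(ha1For("bob", realm, bob), ha1("bob", realm, "hunter2")));
    }
}
```

A stored ha1 binds the username and realm, so a user kept in that form can only be validated for the realm the hash was prepared for.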
