David Lloyd commented on ELY-369:
---------------------------------
For this to work, realms (modifiable or non-modifiable) need to return a modifiable authorization identity which includes credential update methods - _or_ alternatively a modifiable realm needs to return an authorization identity which knows how to re-create the (necessarily modifiable) realm identity to perform the credential update.

The latter option is probably better because an AuthorizationIdentity deliberately releases all possible resources; there's no dispose() to call after the change is complete. Therefore if the AuthorizationIdentity gets back the ModifiableRealmIdentity, that realm identity can be used to perform the update and then be disposed (to release the database or LDAP connection, for example).

Re-finding the RealmIdentity is a non-starter because only the realm can make the guarantee that you are either finding the original identity or that you cannot perform the update. If this guarantee isn't made, there is a risk of updating credentials that the caller does not actually own, which at worst could cause an access breach.
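An added sketch of the second option in the comment above (illustration only, not Elytron code): the authorization identity carries a factory that re-creates the modifiable realm identity it originated from, the credential update runs against that, and dispose() is guaranteed by try-with-resources. Every type and method name here is a hypothetical stand-in loosely modelled on Elytron's RealmIdentity, ModifiableRealmIdentity and AuthorizationIdentity; the toy realm binds the factory to an internal record id so that a later lookup by the same name that resolves to a different record cannot update credentials the caller does not own.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Supplier;

/** Hypothetical stand-ins; not the WildFly Elytron API. */
public class SelfServiceSketch {

    /** Stand-in for a credential such as a password. */
    record Credential(String type, char[] secret) {}

    /** Realm identity whose credentials can be changed; AutoCloseable so dispose() always runs. */
    interface ModifiableRealmIdentity extends AutoCloseable {
        boolean exists();
        void setCredentials(List<Credential> credentials);
        ModifiableAuthorizationIdentity getAuthorizationIdentity();
        void dispose();                       // releases the DB/LDAP connection behind this identity
        @Override default void close() { dispose(); }
    }

    /** Lightweight identity that holds no open resources. */
    interface AuthorizationIdentity { String name(); }

    /** Variant that knows how to re-create the realm identity it came from. */
    interface ModifiableAuthorizationIdentity extends AuthorizationIdentity {
        Supplier<ModifiableRealmIdentity> realmIdentityFactory();

        default void updateCredentials(List<Credential> newCredentials) {
            try (ModifiableRealmIdentity ri = realmIdentityFactory().get()) {   // disposed on exit
                if (!ri.exists()) throw new IllegalStateException("original identity is gone; refusing update");
                ri.setCredentials(newCredentials);
            }
        }
    }

    /** Toy in-memory realm standing in for a DB/LDAP-backed one (constructed for this example). */
    static final class InMemoryRealm {
        private record Entry(UUID recordId, List<Credential> credentials) {}
        private final Map<String, Entry> byName = new HashMap<>();
        int openHandles = 0;                  // lets the caller see that dispose() really ran

        void addUser(String name, Credential initial) {
            byName.put(name, new Entry(UUID.randomUUID(), new ArrayList<>(List.of(initial))));
        }
        void deleteUser(String name) { byName.remove(name); }

        /** Initial lookup by name, as at authentication time; binds the handle to the record id found now. */
        ModifiableRealmIdentity getRealmIdentity(String name) {
            Entry e = byName.get(name);
            return openHandle(name, e == null ? null : e.recordId());
        }

        private ModifiableRealmIdentity openHandle(String name, UUID boundId) {
            openHandles++;
            return new ModifiableRealmIdentity() {
                private boolean disposed;
                private Entry current() {     // only the record with the bound id counts as "the original"
                    Entry e = byName.get(name);
                    return (e != null && e.recordId().equals(boundId)) ? e : null;
                }
                public boolean exists() { return current() != null; }
                public void setCredentials(List<Credential> creds) {
                    if (disposed) throw new IllegalStateException("identity already disposed");
                    Entry e = current();
                    if (e == null) throw new IllegalStateException("not the original identity");
                    e.credentials().clear();
                    e.credentials().addAll(creds);
                }
                public ModifiableAuthorizationIdentity getAuthorizationIdentity() {
                    return new ModifiableAuthorizationIdentity() {
                        public String name() { return name; }
                        public Supplier<ModifiableRealmIdentity> realmIdentityFactory() {
                            return () -> openHandle(name, boundId);   // re-creates, never re-finds by name alone
                        }
                    };
                }
                public void dispose() { if (!disposed) { disposed = true; openHandles--; } }
            };
        }

        List<Credential> credentialsOf(String name) {
            Entry e = byName.get(name);
            return e == null ? List.of() : e.credentials();
        }
    }

    /** Simulates login: obtain the realm identity, keep only the resource-free authorization identity. */
    static ModifiableAuthorizationIdentity authenticate(InMemoryRealm realm, String name) {
        try (ModifiableRealmIdentity ri = realm.getRealmIdentity(name)) {
            return ri.getAuthorizationIdentity();
        }
    }

    public static void main(String[] args) {
        InMemoryRealm realm = new InMemoryRealm();
        realm.addUser("alice", new Credential("password", "old".toCharArray()));
        ModifiableAuthorizationIdentity authz = authenticate(realm, "alice");

        authz.updateCredentials(List.of(new Credential("password", "new".toCharArray())));
        System.out.println("alice now has: " + new String(realm.credentialsOf("alice").get(0).secret())
                + ", open handles: " + realm.openHandles);              // "new", 0

        // The record is removed and a different "alice" created: the stale identity must not touch it.
        realm.deleteUser("alice");
        realm.addUser("alice", new Credential("password", "other".toCharArray()));
        try {
            authz.updateCredentials(List.of(new Credential("password", "stale".toCharArray())));
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage() + ", open handles: " + realm.openHandles);
        }
    }
}
```

The second half of main is the case the comment warns about: the identity found by name at update time is not the one the caller authenticated as, and because the factory is bound to the record id the realm handed out originally, the update is refused rather than applied to someone else's account, and the handle is still disposed on the way out.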
SecurityIdentity-based self-service
-----------------------------------
Key: ELY-369
URL: https://issues.jboss.org/browse/ELY-369
Project: WildFly Elytron
Issue Type: Feature Request
Components: API / SPI
Reporter: David Lloyd
We may need to provide the ability to allow users to manage their accounts in various ways.
* Password reset
--
This message was sent by Atlassian JIRA (v7.2.2#72004)