David Lloyd commented on ELY-282:
---------------------------------
It is the authentication name, after all rewrites have been applied by the security domain
and security realm. In other words, the same name used to establish a realm identity.
Formalize multiple credential support
-------------------------------------
Key: ELY-282
URL: https://issues.jboss.org/browse/ELY-282
Project: WildFly Elytron
Issue Type: Task
Components: API / SPI, Realms
Reporter: David Lloyd
Assignee: Jan Kalina
Priority: Critical
Fix For: 1.1.0.Alpha1
Tackle the multiple credential problem directly rather than work around it. This
requires multiple steps:
# In {{org.wildfly.security.auth.server.RealmIdentity}}, the credential access methods
should drop {{credentialType}} and {{algorithmName}} and replace them with a single
{{credentialName}}. The sole exception should be the {{getCredential}} method, which can
retain the {{credentialType}} parameter in order to perform a soft cast-or-null operation
for convenience. The {{verifyCredential}} method will need a {{credentialName}} parameter
added.
# -Add a method to {{RealmIdentity}} which can be used to query for the existence of a
credential with the given label, e.g. {{hasCredential(String)}}.-
# Modify {{org.wildfly.security.auth.server.ModifiableRealmIdentity}} to add a
{{credentialName}} parameter to {{setCredential}}.
# Add a method to {{ModifiableRealmIdentity}} to delete a single named credential.
# Modify the {{setCredentials}} method of {{ModifiableRealmIdentity}} to accept a
{{Map<String,Object>}} instead of a {{List<Object>}}.
# Add a credential selection mapper mechanism which can consume authentication process
information and use it to yield a credential label. Some implementation ideas:
#* A functional interface which accepts the (mapped) name, authentication mechanism type
(e.g. SASL vs HTTP vs ???), optional protocol type (e.g. SASL field), actual mechanism
name (e.g. "DIGEST-MD5") and yields the label name or a list (in descending
order of preference) of label names
#* Note that the approach must be forwards-compatible if we need to add more criteria to
the mapping process
# Provide a default setting which selects a label from a simple predefined scheme based
on the kind of authentication being performed (e.g. SASL "DIGEST-MD5" could
prefer "sasl-digest" and then "clear-password", SASL "CLEAR"
could prefer "password" and then "clear-password", etc.).
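To make the proposed shape concrete, the following is an added sketch written for this page; it is not Elytron's code and not the API that eventually shipped. Every name in it (CredentialNameSketch, MechanismType, ClearPassword, DigestPassword, md5UserRealmPassword, CredentialSelector, DEFAULT_SELECTOR, NamedCredentialIdentity, authenticate) is an assumption chosen to mirror the steps above; the real RealmIdentity and ModifiableRealmIdentity in org.wildfly.security.auth.server differ from it. The stored "sasl-digest" value is assumed to be MD5(username:realm:password), which is the pre-hashed form a DIGEST-MD5 mechanism can work from.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch of the named-credential model proposed in ELY-282; none of these
// types is the real org.wildfly.security.auth.server API.
public class CredentialNameSketch {
    enum MechanismType { SASL, HTTP } // the "SASL vs HTTP vs ???" criterion from step 6

    /** Clear-text credential, stored under a label such as "clear-password" or "password". */
    static final class ClearPassword {
        final char[] password;
        ClearPassword(char[] password) { this.password = password.clone(); }
    }

    /** Pre-hashed MD5(username:realm:password), stored under a label such as "sasl-digest". */
    static final class DigestPassword {
        final String realm; final byte[] hash;
        DigestPassword(String realm, byte[] hash) { this.realm = realm; this.hash = hash.clone(); }
    }

    static byte[] md5UserRealmPassword(String user, String realm, char[] password) {
        try {
            String joined = user + ":" + realm + ":" + new String(password);
            return MessageDigest.getInstance("MD5").digest(joined.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is mandatory in every JRE
        }
    }

    /** Step 6: maps authentication-process information to labels, most preferred first. */
    @FunctionalInterface
    interface CredentialSelector {
        List<String> select(String mappedName, MechanismType type, Optional<String> protocol, String mechanismName);
    }

    /** Step 7: the predefined scheme quoted in the issue, plus a hypothetical catch-all fallback. */
    static final CredentialSelector DEFAULT_SELECTOR = (name, type, protocol, mech) -> {
        if (type == MechanismType.SASL && "DIGEST-MD5".equals(mech)) return Arrays.asList("sasl-digest", "clear-password");
        if (type == MechanismType.SASL && "CLEAR".equals(mech)) return Arrays.asList("password", "clear-password");
        return Collections.singletonList("clear-password");
    };

    /** Steps 1 and 3-5: credentials keyed by credential name instead of type + algorithm. */
    static final class NamedCredentialIdentity {
        final String authenticationName; // the post-rewrite name the comment above refers to
        private final Map<String, Object> credentials = new LinkedHashMap<>();
        NamedCredentialIdentity(String authenticationName) { this.authenticationName = authenticationName; }
        void setCredentials(Map<String, Object> all) { credentials.clear(); credentials.putAll(all); }
        void setCredential(String credentialName, Object credential) { credentials.put(credentialName, credential); }
        void deleteCredential(String credentialName) { credentials.remove(credentialName); }
        boolean hasCredential(String credentialName) { return credentials.containsKey(credentialName); }

        /** The soft cast-or-null getter: the one method that keeps a credentialType parameter. */
        <C> C getCredential(String credentialName, Class<C> credentialType) {
            Object c = credentials.get(credentialName);
            return credentialType.isInstance(c) ? credentialType.cast(c) : null;
        }

        /** verifyCredential with the added credentialName; the evidence is a clear password. */
        boolean verifyCredential(String credentialName, char[] evidence) {
            Object stored = credentials.get(credentialName);
            if (stored instanceof ClearPassword) {
                byte[] a = new String(((ClearPassword) stored).password).getBytes(StandardCharsets.UTF_8);
                byte[] b = new String(evidence).getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(a, b); // constant-time comparison
            }
            if (stored instanceof DigestPassword) {
                DigestPassword d = (DigestPassword) stored;
                return MessageDigest.isEqual(d.hash, md5UserRealmPassword(authenticationName, d.realm, evidence));
            }
            return false; // unknown label or unsupported credential type: fail closed
        }
    }

    /** Walks the selector's preference list and verifies against the first label the identity holds. */
    static boolean authenticate(NamedCredentialIdentity id, CredentialSelector selector, MechanismType type,
                                Optional<String> protocol, String mech, char[] evidence) {
        for (String label : selector.select(id.authenticationName, type, protocol, mech)) {
            if (id.hasCredential(label)) return id.verifyCredential(label, evidence);
        }
        return false; // nothing stored under any preferred label: reject rather than guess
    }

    public static void main(String[] args) {
        // Constructed sample identity holding only a digest and no clear password.
        NamedCredentialIdentity alice = new NamedCredentialIdentity("alice");
        alice.setCredentials(Collections.<String, Object>singletonMap("sasl-digest",
                new DigestPassword("example", md5UserRealmPassword("alice", "example", "s3cret".toCharArray()))));
        boolean digestOk = authenticate(alice, DEFAULT_SELECTOR, MechanismType.SASL, Optional.empty(), "DIGEST-MD5", "s3cret".toCharArray());
        boolean wrongPw = authenticate(alice, DEFAULT_SELECTOR, MechanismType.SASL, Optional.empty(), "DIGEST-MD5", "wrong".toCharArray());
        // "CLEAR" prefers "password" then "clear-password"; alice holds neither, so this must be false.
        boolean noClear = authenticate(alice, DEFAULT_SELECTOR, MechanismType.SASL, Optional.empty(), "CLEAR", "s3cret".toCharArray());
        System.out.println("digest ok=" + digestOk + ", wrong password=" + wrongPw + ", no clear credential=" + noClear);
    }
}
```

Two points the sketch is meant to surface. First, the selector is consulted for a preference list and the identity is asked whether it holds each label in turn; when none of the preferred labels exists the attempt is rejected outright instead of falling back to some other stored credential, which is the behaviour a realm should want. Second, because the selector is a single functional interface, the forwards-compatibility note in step 6 can be met later by adding a second method with the new criteria and a default implementation that delegates to the existing one, so lambdas written against the first signature keep compiling.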