Re: [security-dev] PicketLink 3 - IDM API - Credential Management
On 12/02/2012 11:09 PM, Shane Bryzak wrote:
On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
> * Multiple Credentials *
>
> The validateCredential method potentially allows many different types of
> Credential to be used - however the updateCredential method seems to
> apply a 1:1 mapping of User and Credential.
>
> I can see situations where a user would have multiple Credentials, an
> immediate example being both a Password and a X509Certificate.
This is an implementation detail - all IdentityStore implementations
should support the storing of multiple credential types. Out of the box
we support PasswordCredential, DigestCredential and
X509CertificateCredential and two separate calls to updateCredential()
with different credential types should persist both credentials.
I would suggest if reviewing the Credential APIs one thing that we would
need to be sure of it that we can operate on the individual Credentials
- we may need to be choosing which one to update or remove.
Also for Certificates we may want the ability to have a new Certificate
set before an old one expires possibly with or without an overlap.