Re: [security-dev] Credential validation and storage
This sounds good, but I'm wondering if we should have this extracted completely from
the IdentityStore and have it be its own interface. The main reason being it would make it
easier to mix and match identities (users, rolls and groups) and authentication.
You could have an sso solution, multi-factor, oauth, etc but still keep the rest of the
data in your RDBMS, ldap, jcr etc. Yes I understand they'd simply have to create their
own impl and many probably will, but if we ship with reasonable implementations they can
more easily mix and match and keep things DRY.
Sent from my iPhone
On Oct 17, 2012, at 16:17, Shane Bryzak <sbryzak(a)redhat.com> wrote:
Hi guys,
I'd like to simplify the Identity Management API a bit where credentials are
concerned. At the moment we have the following methods defined by the IdentityManager
interface:
// Password Management
boolean validatePassword(User user, String password);
void updatePassword(User user, String password);
void setPasswordEncoder(PasswordEncoder encoder);
// Certificate Management
boolean validateCertificate(User user, X509Certificate certificate);
boolean updateCertificate(User user, X509Certificate certificate);
Furthermore, in IdentityStore we have these methods which are essentially identical:
boolean validatePassword(User user, String password);
void updatePassword(User user, String password);
// Certificate Management
boolean validateCertificate(User user, X509Certificate certificate);
boolean updateCertificate(User user, X509Certificate certificate);
What I'd like to do is make this a little more abstract (and more future proof) by
replacing these methods (in both interfaces) with the following two methods:
boolean validateCredential(User user, Credential credential);
void updateCredential(User user, Credential credential);
Once the method invocation hits the IdentityStore implementation, we have a choice as to
what we want to do here. I think the best option is to go with a credential encoding API
based on the work that Pedro has already done (see [1] and [2]). My only suggestion would
be to:
a) make it a little more generic (we should use a factory object or something to provide
the IdentityStore implementation with the correct encoder based on the type of credential)
b) provide the encoder implementation with an invocation context containing a reference
back to the calling IdentityStore to allow access to its internal methods and/or other
state, and
c) provide pluggable access to the encoding process, to allow the developer to provide
custom behaviour for the encoding.
Does anyone have any suggestions or thoughts on this?
Shane
[1]
https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/jav...
[2]
https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/ja...
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
Attachments:
- attachment.html (text/html — 4.8 KB)