On 12/6/2012 10:37 AM, Anil Saldhana wrote:
> On 12/06/2012 09:00 AM, Darran Lofthouse wrote:
>> I can see that there are cases where we know the User so it is desirable
>> to supply it but there are still the cases where we don't know the user
>> until after the credential has been verified.
> This actually is valid when integrating with proprietary 3rd party
> security systems.
> Assume a proprietary token coming into the authentication system and
> the auth system needs to pass this to the 3rd party system for
> deciphering and authentication. Once the 3rd party system validates and
> releases the user details, the auth system can perform its security
> context initialization etc. This has been seen in the domain of the App
> Server with 3rd party sec systems.

This is protocol specific and should not be handled by the IDM API.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com