On 12/06/2012 09:20 PM, Marek Posolda wrote:
Hi,
I think it may be little confusing for people to have interface
"Credential" and interface "LoginCredentials". How about using little
different name like "LoginState" for the second one? As the main
purpose of the LoginCredentials is to encapsulate whole login state if
I understand it correctly (not only secret credentials).
You know what - after thinking about this for a bit, I've come to the
realization that we probably don't even need the Credential interface.
It's only a marker interface anyway, and I see no reason why we just
can't use any class as a credential (and besides, JAAS does it this way
also [1]). Removing the Credential interface would eliminate any
confusion, and in fact I would probably be inclined to just rename
LoginCredentials to simply Credentials to make things simpler.
[1]
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASR...
Also I may missed some details, but does it support the use-case when
authentication requires multiple steps (handshakes)? For those
use-cases, it seems to be more natural to me if CredentialHandler is
like this:
public interface CredentialHandler {
LoginResult validate(LoginState credentials, IdentityStore store);
void update(User user, Credential credential, IdentityStore store);
}
and returned LoginResult contains some additional info about state
(LOGIN_SUCCESS, LOGIN_FAILED, MORE_STEPS_REQUIRED) and possible wrapps
User if state is LOGIN_SUCCESS or wrapps other info if the state
result was MORE_STEPS_REQUIRED. Maybe LoginState and LoginResult could
be single interface... not sure.
We can support this by including the additional state within the
LoginCredentials instance, however this might not be immediately obvious
to most developers. I'll see if we can improve this in some way.