On 01/05/13 16:50, Darran Lofthouse wrote:
Here is another scenario I would like to verify.

So far from what I have seen regarding the Credentials stored by 
PicketLink IDM my perception is that the stored Credential is very 
closely related to the authentication mechanism that will be used.

So for a set-up where we know that Digest authentication is going to be 
used we may store a couple of pre-prepared digests.

Is this stored Credential now available for username / plain text 
password authentication, i.e., could a web application be deployed with 
FORM auth and verify a credential with a plain text password even though 
it is a prepared digest that is stored?

Absolutely, the CredentialHandler is free to implement any logic you want it to.  The way it accesses the stored credential values is via the CredentialStore [1] interface, which is an interface that an IdentityStore may *optionally* implement if it wants to (both the JPA and File based identity stores in PicketLink implement it, but the LDAP store doesn't).  So a CredentialHandler is free to query whichever stored credential state it needs to.  This means you could use a combination of digest AND password based authentication in the same application, and even for the same users; there would simply be two separate CredentialHandlers which do the validation - one for digests, one for passwords.
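An added example (my own Python model of the pattern described above, not PicketLink code or its Java API) showing why the answer is yes: a FORM handler can verify a plain-text password against a stored HTTP Digest HA1 by recomputing MD5(user:realm:password), while a separate digest handler compares HA1 values directly. The store, handler classes, and the realm "example-realm" are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class CredentialStore:
    """Constructed stand-in for an identity store that also acts as a
    credential store: stored values keyed by (user, credential kind)."""
    records: dict = field(default_factory=dict)

    def store(self, user: str, kind: str, value: str) -> None:
        self.records[(user, kind)] = value

    def retrieve(self, user: str, kind: str):
        return self.records.get((user, kind))


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HTTP Digest HA1 = MD5(user:realm:password); this is what a
    'pre-prepared digest' holds, so it is a pure function of the password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


class DigestCredentialHandler:
    """Handler for Digest auth: the client side already produced an HA1."""

    def validate(self, store: CredentialStore, user: str, presented_ha1: str) -> bool:
        stored = store.retrieve(user, "digest")
        # Constant-time compare to avoid leaking which prefix matched.
        return stored is not None and hmac.compare_digest(stored, presented_ha1)


class PasswordCredentialHandler:
    """Handler for FORM auth: takes a plain-text password and validates it
    against the *same* stored digest by recomputing HA1 (needs the realm)."""

    def __init__(self, realm: str):
        self.realm = realm

    def validate(self, store: CredentialStore, user: str, password: str) -> bool:
        stored = store.retrieve(user, "digest")
        if stored is None:
            return False
        return hmac.compare_digest(stored, digest_ha1(user, self.realm, password))


def demo() -> dict:
    store = CredentialStore()
    store.store("alice", "digest", digest_ha1("alice", "example-realm", "s3cret"))
    digest, form = DigestCredentialHandler(), PasswordCredentialHandler("example-realm")
    return {
        "digest_ok": digest.validate(store, "alice", digest_ha1("alice", "example-realm", "s3cret")),
        "form_ok": form.validate(store, "alice", "s3cret"),       # plain text vs stored digest
        "form_wrong": form.validate(store, "alice", "wrong"),
        "unknown_user": form.validate(store, "bob", "s3cret"),
    }
```

Both handlers read the one stored record, so no second credential needs to be written for FORM auth; the trade-off is that the store then holds an unsalted MD5 that any handler (or anyone who reads the store) can test candidate passwords against.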


[1] https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/spi/CredentialStore.java


Regards,
Darran Lofthouse.

_______________________________________________
security-dev mailing list
security-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev