[jboss-jira] [JBoss JIRA] (ELY-249) verifyCredential method(s) misleading
Darran Lofthouse (JIRA)
issues at jboss.org
Tue Aug 4 08:07:02 EDT 2015
[ https://issues.jboss.org/browse/ELY-249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095355#comment-13095355 ]
Darran Lofthouse commented on ELY-249:
--------------------------------------
Just flagging as critical as this is going to be in sensitive API so can't let it just drift by to be forgotten.
One point of caution, however: the description here is based on the mechanisms we support now and the credential types that relate to those. This method also needs to support other token based mechanisms. In that situation an alternative name is also possibly justified, but the main point is that there are cases where we have something that is not a clear password.
> verifyCredential method(s) misleading
> -------------------------------------
>
> Key: ELY-249
> URL: https://issues.jboss.org/browse/ELY-249
> Project: WildFly Elytron
> Issue Type: Bug
> Components: API / SPI, Realms
> Reporter: David Lloyd
> Priority: Critical
> Fix For: 1.0.0.Alpha5
>
>
> The {{verifyCredential(Object credential)}} method is misleading. It is in fact not generally possible or practical to verify a credential; rather what is being done is verifying a guess.
> I propose a couple changes. First, the argument to the method should be renamed "guess" to indicate that the object being passed in isn't a credential, but rather a credential-specific guess.
> Second, I propose that Password no longer be considered a valid argument to this method. The only use that serves is to extract a clear password guess anyway.
> Finally, I think we should consider renaming the method to something else, like:
> * verifyCredentialGuess
> * verifyGuess
> * checkCredentialGuess
> * etc.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
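The following is an added illustration of the distinction the issue draws, not code from WildFly Elytron or from the people quoted above. It sketches a hypothetical realm in which the stored item is a credential (a salted PBKDF2 digest from which the password cannot be recovered) and the caller supplies a guess, checked with the `verifyGuess` name proposed in the issue. The class and type names (`GuessVerifyingRealm`, `ClearPasswordGuess`, `SaltedDigestCredential`) are assumptions made for this example; the realm accepts only a clear-text guess, since a second hashed object offers nothing that can be compared against the stored digest.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Hypothetical realm illustrating ELY-249: the realm stores a credential,
// the caller passes a guess. Names are invented for this example and are
// not Elytron's real API.
public final class GuessVerifyingRealm {

    /** What the caller sends: a clear-text guess, never the stored credential. */
    public static final class ClearPasswordGuess {
        private final char[] chars;
        public ClearPasswordGuess(char[] chars) { this.chars = chars.clone(); }
        char[] chars() { return chars; }
    }

    /** What the realm stores: salt plus PBKDF2 digest; the password is not recoverable from it. */
    public static final class SaltedDigestCredential {
        final byte[] salt;
        final byte[] digest;
        SaltedDigestCredential(byte[] salt, byte[] digest) { this.salt = salt; this.digest = digest; }
    }

    private final SaltedDigestCredential stored;

    private GuessVerifyingRealm(SaltedDigestCredential stored) { this.stored = stored; }

    /** Enrol a user: derive the digest once and keep only salt and digest. */
    public static GuessVerifyingRealm withPassword(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new GuessVerifyingRealm(new SaltedDigestCredential(salt, derive(salt, password)));
    }

    /**
     * The operation as the issue proposes naming it: the argument is a guess.
     * Only a clear-text guess can be checked against the stored digest, so any
     * other object (including another hashed credential) is rejected outright.
     */
    public boolean verifyGuess(Object guess) {
        if (!(guess instanceof ClearPasswordGuess)) {
            return false; // unsupported guess type: nothing to compare with the stored digest
        }
        byte[] candidate = derive(stored.salt, ((ClearPasswordGuess) guess).chars());
        // MessageDigest.isEqual compares in constant time, so the result does not leak timing
        return MessageDigest.isEqual(candidate, stored.digest);
    }

    /** PBKDF2-HMAC-SHA256 over the salt and password; the spec's own copy is wiped afterwards. */
    private static byte[] derive(byte[] salt, char[] password) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration
        GuessVerifyingRealm realm = withPassword("correct horse".toCharArray());
        System.out.println("right guess:   " + realm.verifyGuess(new ClearPasswordGuess("correct horse".toCharArray())));
        System.out.println("wrong guess:   " + realm.verifyGuess(new ClearPasswordGuess("wrong".toCharArray())));
        System.out.println("credential as guess: " + realm.verifyGuess(realm.stored));
    }
}
```

The third call in `main` is the case the issue argues against: handing the realm something that is already a credential rather than a guess. With the guess-only signature there is nothing sensible to do with it, which is why the example rejects it instead of trying to extract a clear password from it.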