[jboss-jira] [JBoss JIRA] (ELY-282) Formalize multiple credential support

Jan Kalina (JIRA) issues at jboss.org
Wed Sep 2 12:16:05 EDT 2015


    [ https://issues.jboss.org/browse/ELY-282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13104666#comment-13104666 ] 

Jan Kalina edited comment on ELY-282 at 9/2/15 12:15 PM:
---------------------------------------------------------

The mapper above solves the situation when I am a SASL server and I want to know which credential to acquire from the security realm.

But what if I am an LDAP security realm and I see a few values of the "userPassword" attribute in the LDAP entry? Would there be the same mapper, which would map attribute name + type of password (CRYPT for example) to labels?


was (Author: honza889):
The mapper above solves the situation when I am a SASL server and I want to know which credential to acquire from the security realm.

But what if I am an LDAP security realm and I see a few values of the "userPassword" attribute in the LDAP entry? Would there be the same mapper, which would map attribute name + type of password ({CRYPT} for example) to labels?

> Formalize multiple credential support
> -------------------------------------
>
>                 Key: ELY-282
>                 URL: https://issues.jboss.org/browse/ELY-282
>             Project: WildFly Elytron
>          Issue Type: Task
>          Components: API / SPI, Realms
>            Reporter: David Lloyd
>            Priority: Critical
>             Fix For: 1.1.0.Alpha1
>
>
> Tackle the multiple credential problem directly rather than work around it.  This requires multiple steps:
> # In {{org.wildfly.security.auth.server.RealmIdentity}}, the credential access methods should drop {{credentialType}} and {{algorithmName}} and replace them with a single {{credentialName}}.  The sole exception should be the {{getCredential}} method, which can retain the {{credentialType}} parameter in order to perform a soft cast-or-null operation for convenience.  The {{verifyCredential}} method will need a {{credentialName}} parameter added.
> # Add a method to {{RealmIdentity}} which can be used to query for the existence of a credential with the given label, e.g. {{hasCredential(String)}}.
> # Modify {{org.wildfly.security.auth.server.ModifiableRealmIdentity}} to add a {{credentialName}} parameter to {{setCredential}}.
> # Add a method to {{ModifiableRealmIdentity}} to delete a single named credential.
> # Modify the {{setCredentials}} method of {{ModifiableRealmIdentity}} to accept a {{Map<String,Object>}} instead of a {{List<Object>}}.
> # Add a credential selection mapper mechanism which can consume authentication process information and use it to yield a credential label.  Some implementation ideas:
> #* A functional interface which accepts the (mapped) name, authentication mechanism type (e.g. SASL vs HTTP vs ???), optional protocol type (e.g. SASL field), actual mechanism name (e.g. "DIGEST-MD5") and yields the label name or a list (in descending order of preference) of label names
> #* Note that the approach must be forwards-compatible if we need to add more criteria to the mapping process
> # Provide a default setting which selects a label from a simple predefined scheme based on the kind of authentication being performed (e.g. SASL "DIGEST-MD5" could prefer "sasl-digest" and then "clear-password", SASL "CLEAR" could prefer "password" and then "clear-password", etc.).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
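
A sketch of the credential selection mapper and default scheme described in the last two steps of the issue, added here as an illustration and not code from Elytron or from the issue itself. `AuthContext`, `CredentialLabelMapper`, `select` and the sample identity are hypothetical names (Java 16+ for records); only the mechanism names and labels are taken from the issue text.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical sketch; none of these types are Elytron API. */
public class CredentialLabelSelection {

    /** Criteria travel in one object, so more can be added later without changing the mapper's signature. */
    record AuthContext(String name, String mechanismType, String protocol, String mechanismName) {}

    /** Yields credential labels in descending order of preference. */
    @FunctionalInterface
    interface CredentialLabelMapper {
        List<String> labelsFor(AuthContext ctx);
    }

    /** Default scheme using the label preferences given as examples in the issue. */
    static final CredentialLabelMapper DEFAULT = ctx -> {
        if (!"SASL".equals(ctx.mechanismType()) || ctx.mechanismName() == null) {
            return List.of();
        }
        switch (ctx.mechanismName()) {
            case "DIGEST-MD5": return List.of("sasl-digest", "clear-password");
            case "CLEAR":      return List.of("password", "clear-password");
            default:           return List.of(); // unknown mechanism: no label, no fallback
        }
    };

    /**
     * Returns the first preferred label the identity actually holds.
     * hasCredential stands in for the hasCredential(String) query proposed in the issue.
     * An empty result means no usable credential; the caller should fail the
     * authentication rather than fall back to an arbitrary stored credential.
     */
    static Optional<String> select(CredentialLabelMapper mapper, AuthContext ctx,
                                   Predicate<String> hasCredential) {
        return mapper.labelsFor(ctx).stream().filter(hasCredential).findFirst();
    }

    public static void main(String[] args) {
        // Constructed identity that stores a single credential labelled "clear-password".
        Set<String> stored = Set.of("clear-password");
        AuthContext digest = new AuthContext("alice", "SASL", null, "DIGEST-MD5");
        AuthContext other = new AuthContext("alice", "SASL", null, "SCRAM-SHA-1");
        System.out.println(select(DEFAULT, digest, stored::contains));
        System.out.println(select(DEFAULT, other, stored::contains));
    }
}
```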

