[jboss-jira] [JBoss JIRA] (ELY-369) SecurityIdentity-based self-service

David Lloyd (JIRA) issues at jboss.org
Fri Oct 28 12:10:00 EDT 2016


    [ https://issues.jboss.org/browse/ELY-369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13313577#comment-13313577 ] 

David Lloyd commented on ELY-369:
---------------------------------

For this to work, realms (modifiable or non-modifiable) need to return a modifiable authorization identity which includes credential update methods - _or_ alternatively a modifiable realm needs to return an authorization identity which knows how to re-create the (necessarily modifiable) realm identity to perform the credential update.

The latter option is probably better because an AuthorizationIdentity deliberately releases all possible resources; there's no dispose() to call after the change is complete.  Therefore if the AuthorizationIdentity gets back the ModifiableRealmIdentity, that realm identity can be used to perform the update and then be disposed (to release the database or LDAP connection for example).

Re-finding the RealmIdentity is a non-starter because only the realm can make the guarantee that you are either finding the original identity or that you cannot perform the update.  If this guarantee isn't made, there is a risk of updating credentials that the caller does not actually own, which at worst could cause an access breach.

> SecurityIdentity-based self-service
> -----------------------------------
>
>                 Key: ELY-369
>                 URL: https://issues.jboss.org/browse/ELY-369
>             Project: WildFly Elytron
>          Issue Type: Feature Request
>          Components: API / SPI
>            Reporter: David Lloyd
>
> We may need to provide the ability to allow users to manage their accounts in various ways.
> * Password reset



--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
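An added sketch of the second option described in the comment (not Elytron code; every interface and class name here is a hypothetical stand-in): the authorization identity holds only a way to re-create the modifiable realm identity, opens it for the update, and disposes it afterwards, while the realm keys that re-creation on its own internal record identifier rather than a name lookup.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Hypothetical stand-in for a modifiable realm identity: opened only for the update, then disposed.
interface ModifiableRealmIdentity extends AutoCloseable {
    void setPassword(String newPassword);
    @Override void close(); // plays the role of dispose(): release the DB or LDAP connection
}

// Hypothetical authorization identity: holds no open resource, only a way to re-create the realm
// identity the realm itself authenticated; it never re-finds the account by name.
final class SelfServiceIdentity {
    private final Supplier<ModifiableRealmIdentity> reopen;
    SelfServiceIdentity(Supplier<ModifiableRealmIdentity> reopen) { this.reopen = reopen; }
    void changePassword(String newPassword) {
        try (ModifiableRealmIdentity ri = reopen.get()) {
            ri.setPassword(newPassword);
        } // disposed here even if setPassword throws
    }
}

// Toy realm with constructed data: two distinct accounts share the display name "alice".
// Plaintext passwords are used only to keep the toy short.
final class ToyRealm {
    private record Account(String displayName, String password) {}
    private final Map<String, Account> byInternalId = new HashMap<>();
    ToyRealm() {
        byInternalId.put("id-1001", new Account("alice", "old-1"));
        byInternalId.put("id-1002", new Account("alice", "old-2"));
    }
    // The realm captures its own stable key at authentication time; the returned identity can
    // only ever reopen that exact record, so another "alice" can never be updated by mistake.
    SelfServiceIdentity authenticate(String internalId) {
        if (!byInternalId.containsKey(internalId)) throw new IllegalArgumentException("unknown identity");
        return new SelfServiceIdentity(() -> new ModifiableRealmIdentity() {
            public void setPassword(String p) {
                byInternalId.put(internalId, new Account(byInternalId.get(internalId).displayName(), p));
            }
            public void close() { /* connection released */ }
        });
    }
    String passwordOf(String internalId) { return byInternalId.get(internalId).password(); }

    public static void main(String[] args) {
        ToyRealm realm = new ToyRealm();
        realm.authenticate("id-1001").changePassword("new-1");
        System.out.println("id-1001: " + realm.passwordOf("id-1001")); // the caller's own record
        System.out.println("id-1002: " + realm.passwordOf("id-1002")); // the other "alice"
    }
}
```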

