[security-dev] PicketLink 3 - IDM API - Credential Management

Darran Lofthouse darran.lofthouse at jboss.com
Mon Dec 3 04:23:47 EST 2012


On 12/02/2012 11:09 PM, Shane Bryzak wrote:
> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>> * Multiple Credentials *
>>
>> The validateCredential method potentially allows many different types of
>> Credential to be used - however the updateCredential method seems to
>> apply a 1:1 mapping of User and Credential.
>>
>> I can see situations where a user would have multiple Credentials, an
>> immediate example being both a Password and a X509Certificate.
>
> This is an implementation detail - all IdentityStore implementations
> should support the storing of multiple credential types.  Out of the box
> we support PasswordCredential, DigestCredential and
> X509CertificateCredential and two separate calls to updateCredential()
> with different credential types should persist both credentials.

I would suggest if reviewing the Credential APIs one thing that we would 
need to be sure of is that we can operate on the individual Credentials 
- we may need to be choosing which one to update or remove.

Also for Certificates we may want the ability to have a new Certificate 
set before an old one expires possibly with or without an overlap.
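The two points raised in this thread, several credential types held by one user and a replacement certificate staged before the old one expires, can be sketched as an in-memory store. The following is an added illustration written for this page, not PicketLink code; the `Credential` interface, the `PasswordCredential` and `X509CertificateCredential` records, the `updateCredential` / `removeCredential` / `activeCredentials` methods and the user "alice" are all assumed names chosen for the example, and the timestamps and serials are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Added sketch, not PicketLink code: one user holds several credentials of
// different types at once, each addressable on its own for update or removal,
// and a replacement certificate can be staged before the current one expires.
public class MultiCredentialStore {

    /** Hypothetical credential abstraction carrying a validity window. */
    public interface Credential {
        String type();              // e.g. "password" or "x509"
        Instant effectiveFrom();
        Instant expiry();
    }

    public record PasswordCredential(byte[] hash, Instant effectiveFrom, Instant expiry)
            implements Credential {
        public String type() { return "password"; }
    }

    public record X509CertificateCredential(String subjectDn, String serial,
                                            Instant effectiveFrom, Instant expiry)
            implements Credential {
        public String type() { return "x509"; }
    }

    // userId -> credential type -> credentials of that type (several may coexist)
    private final Map<String, Map<String, List<Credential>>> store = new HashMap<>();

    /** Adds a credential without disturbing credentials of other types. */
    public void updateCredential(String userId, Credential credential) {
        store.computeIfAbsent(userId, k -> new HashMap<>())
             .computeIfAbsent(credential.type(), k -> new ArrayList<>())
             .add(credential);
    }

    /** Removes only the credentials of one type that match the selector; returns the count removed. */
    public int removeCredential(String userId, String type, Predicate<Credential> which) {
        List<Credential> list = store.getOrDefault(userId, Map.of()).get(type);
        if (list == null) return 0;
        int before = list.size();
        list.removeIf(which);
        return before - list.size();
    }

    /** Credentials of one type whose validity window contains the given instant. */
    public List<Credential> activeCredentials(String userId, String type, Instant now) {
        List<Credential> active = new ArrayList<>();
        for (Credential c : store.getOrDefault(userId, Map.of()).getOrDefault(type, List.of())) {
            if (!now.isBefore(c.effectiveFrom()) && now.isBefore(c.expiry())) active.add(c);
        }
        return active;
    }

    public static void main(String[] args) {
        MultiCredentialStore idm = new MultiCredentialStore();
        Instant now = Instant.parse("2012-12-03T09:00:00Z");   // constructed timestamp

        // Same user, two credential types: a second updateCredential must not replace the first.
        idm.updateCredential("alice", new PasswordCredential(new byte[]{1, 2, 3},
                now.minus(Duration.ofDays(30)), now.plus(Duration.ofDays(60))));
        X509CertificateCredential oldCert = new X509CertificateCredential(
                "CN=alice", "01", now.minus(Duration.ofDays(300)), now.plus(Duration.ofDays(7)));
        idm.updateCredential("alice", oldCert);

        // Stage the replacement certificate a week before the old one expires (overlap window).
        X509CertificateCredential newCert = new X509CertificateCredential(
                "CN=alice", "02", now, now.plus(Duration.ofDays(365)));
        idm.updateCredential("alice", newCert);

        System.out.println("password active: " + idm.activeCredentials("alice", "password", now).size());
        System.out.println("x509 active now: " + idm.activeCredentials("alice", "x509", now).size());
        System.out.println("x509 active in 10 days: "
                + idm.activeCredentials("alice", "x509", now.plus(Duration.ofDays(10))).size());

        // Retire the old certificate by serial, leaving the password and the new cert untouched.
        int removed = idm.removeCredential("alice", "x509",
                c -> c instanceof X509CertificateCredential x && x.serial().equals("01"));
        System.out.println("removed: " + removed);
    }
}
```

Keying the store by credential type rather than treating the user as a single slot is what lets both credentials survive two `updateCredential` calls, and keeping a list per type with validity windows is what lets a certificate be installed ahead of time and the outgoing one be selected for removal individually, which is the operation the thread asks the API to support.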
