[security-dev] [PicketBox 5] - Authentication API

Pete Muir pmuir at redhat.com
Tue Jul 31 17:22:54 EDT 2012 

* In the first example, what is "authenticate" that you assert is not null? Without this, the example doesn't make much sense :-)
* You should show some usage of the handler in this example as well.
* In fact, looking at those examples I'm not sure how it is a callb, and not just a struct
* You gone for a pattern half-way towards fluent configuration with the configuration, which I've found is normally a really bad place to be. I would go the whole way:
** Have a mutable builder class, ConfigurationBuilder, which has the fluent methods to configure all of PicketBox, which has a build() method
** Have a Configuration class, which is immutable, and emitted by the build method
** Have a constructor or static factory method on PicketBoxManager which takes a Configuration object
  This means that we can now easily create immutable (thread safe) configuration objects which can be passed around. This scheme will also work very well with CDI producers.
* If mechanism, managers can be configured, then make sure you offer these as first class options on the Configuration e.g.
    configuration.authentication().userNamePasswordMechanism().allowBeavers() <-- works really nicely in IDEs
* What you've called an observer, I think is actually a callback
* You have an error in the SASL example, authenticate is not a local variable, and it's not complete (add javadoc to discuss missing methods?)

On 31 Jul 2012, at 21:01, Pedro Igor Silva wrote:

> Hi All,
> 
>    I would like to know your opinion about the authentication API that is being used by PicketBox 5.You can check an initial documentation here: https://docs.jboss.org/author/display/SECURITY/PicketBox+Authentication+API.
> 
>    We are considering some requirements during the construction of this API. They are as follows:
> 
>            - Easy-to-use and fast to get started;
>            - Flexible architecture providing ways to use different mechanisms like Username/Password, Digest, Certificates, SASL, etc;
>            - Unified authentication API.  Although you can use different mechanisms, the API usage is the same;
>            - Allow authentication using multiple stores: properties, databases, ldap, etc;
>            - Hide mechanism`s complexity from users. Users do not need to be aware of the complexities behind a specific mechanism;
>            - Environment agnostic. You can use it in a pure Java SE application and in a JEE/CDI environment as well;
>            - Challenge/Response design;
>            - Authentication Events. Users should be able to observe specific authentication events like pre/pos authentication, failures, etc.
>            - Auditing.    
> 
> Regards,
> Pedro Igor
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list