[security-dev] Credential validation and storage
Shane Bryzak
sbryzak at redhat.com
Thu Oct 18 02:58:03 EDT 2012
Absolutely, that's still a problem we need to solve.
On 18/10/12 14:16, Jason Porter wrote:
> Fair enough. We will need a method or something to sync what comes
> back from SSO, OAuth etc with what is being stored locally though,
> which is something we don't have currently.
>
> Sent from my iPhone
>
> On Oct 17, 2012, at 21:29, Shane Bryzak <sbryzak at redhat.com
> <mailto:sbryzak at redhat.com>> wrote:
>
>> Ok I've thought about this now ;) I think that the only use cases it
>> is relevant for is those where the credentials are actually stored by
>> the application. In the SSO, OAuth etc use cases the authentication
>> path doesn't touch identity management beyond the possible
>> synchronization of User attributes. For standard IDM based
>> authentication (anything where the application manages credentials
>> itself) I think it really is a responsibility of the IdentityStore.
>> Take LDAP for example - authentication is performed by binding to the
>> directory (see the validatePassword() method in [1]), which requires
>> a tight coupling with the IdentityStore configuration. This
>> requirement is also shared by JPAIdentityStore, which may be
>> configured to store user credentials in the same table as the User
>> record itself.
>>
>> I think that partitioning is a valid point (i.e. being able to mix
>> and match identities as you suggested) however we can do that by
>> providing something like the Features metadata feature from
>> PicketLink 1.x (see [2]) which allows us to configure multiple
>> IdentityStore implementations in a single application, each providing
>> a certain subset of features.
>>
>> [1]
>> https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/ldap/internal/LDAPIdentityStore.java
>> [2]
>> https://github.com/picketlink/picketlink-idm/blob/1.1.0/picketlink-idm-spi/src/main/java/org/picketlink/idm/spi/store/FeaturesMetaData.java
>>
>> Shane
>>
>> On 18/10/12 12:07, Jason Porter wrote:
>>> I was thinking it would be a composition idea. Probably require some
>>> config, but may be worth it.
>>>
>>> Sent from my iPhone
>>>
>>> On Oct 17, 2012, at 19:35, Shane Bryzak <sbryzak at redhat.com
>>> <mailto:sbryzak at redhat.com>> wrote:
>>>
>>>> That's an interesting idea, I don't know if it would have
>>>> limitations (my first reaction is to think that we require tight
>>>> coupling with IdentityStore) however it certainly has some merit.
>>>> Let me think about it for a bit.
>>>>
>>>>
>>>> On 18/10/12 11:21, Jason Porter wrote:
>>>>> This sounds good, but I'm wondering if we should have this
>>>>> extracted completely from the IdentityStore and have it be its own
>>>>> interface. The main reason being it would make it easier to mix
>>>>> and match identities (users, rolls and groups) and authentication.
>>>>>
>>>>> You could have an sso solution, multi-factor, oauth, etc but still
>>>>> keep the rest of the data in your RDBMS, ldap, jcr etc. Yes I
>>>>> understand they'd simply have to create their own impl and many
>>>>> probably will, but if we ship with reasonable implementations they
>>>>> can more easily mix and match and keep things DRY.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Oct 17, 2012, at 16:17, Shane Bryzak <sbryzak at redhat.com
>>>>> <mailto:sbryzak at redhat.com>> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I'd like to simplify the Identity Management API a bit where
>>>>>> credentials are concerned. At the moment we have the following
>>>>>> methods defined by the IdentityManager interface:
>>>>>>
>>>>>> // Password Management
>>>>>> boolean validatePassword(User user, String password);
>>>>>>
>>>>>> void updatePassword(User user, String password);
>>>>>>
>>>>>> void setPasswordEncoder(PasswordEncoder encoder);
>>>>>>
>>>>>> // Certificate Management
>>>>>> boolean validateCertificate(User user, X509Certificate
>>>>>> certificate);
>>>>>>
>>>>>> boolean updateCertificate(User user, X509Certificate
>>>>>> certificate);
>>>>>>
>>>>>> Furthermore, in IdentityStore we have these methods which are
>>>>>> essentially identical:
>>>>>>
>>>>>> boolean validatePassword(User user, String password);
>>>>>>
>>>>>> void updatePassword(User user, String password);
>>>>>>
>>>>>> // Certificate Management
>>>>>> boolean validateCertificate(User user, X509Certificate
>>>>>> certificate);
>>>>>>
>>>>>> boolean updateCertificate(User user, X509Certificate
>>>>>> certificate);
>>>>>>
>>>>>>
>>>>>> What I'd like to do is make this a little more abstract (and more
>>>>>> future proof) by replacing these methods (in both interfaces)
>>>>>> with the following two methods:
>>>>>>
>>>>>> boolean validateCredential(User user, Credential credential);
>>>>>>
>>>>>> void updateCredential(User user, Credential credential);
>>>>>>
>>>>>> Once the method invocation hits the IdentityStore implementation,
>>>>>> we have a choice as to what we want to do here. I think the best
>>>>>> option is to go with a credential encoding API based on the work
>>>>>> that Pedro has already done (see [1] and [2]). My only
>>>>>> suggestion would be to:
>>>>>>
>>>>>> a) make it a little more generic (we should use a factory object
>>>>>> or something to provide the IdentityStore implementation with the
>>>>>> correct encoder based on the type of credential)
>>>>>> b) provide the encoder implementation with an invocation context
>>>>>> containing a reference back to the calling IdentityStore to allow
>>>>>> access to its internal methods and/or other state, and
>>>>>> c) provide pluggable access to the encoding process, to allow the
>>>>>> developer to provide custom behaviour for the encoding.
>>>>>>
>>>>>> Does anyone have any suggestions or thoughts on this?
>>>>>>
>>>>>> Shane
>>>>>>
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/password/PasswordEncoder.java
>>>>>> [2]
>>>>>> https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/password/internal/SHASaltedPasswordEncoder.java
>>>>>>
>>>>>> _______________________________________________
>>>>>> security-dev mailing list
>>>>>> security-dev at lists.jboss.org <mailto:security-dev at lists.jboss.org>
>>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>>
>>>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20121018/a28000e1/attachment-0001.html
More information about the security-dev
mailing list