[security-dev] Credential validation and storage

Anil Saldhana Anil.Saldhana at redhat.com
Thu Oct 18 09:19:06 EDT 2012


On 10/17/2012 05:17 PM, Shane Bryzak wrote:
> Hi guys,
>
> I'd like to simplify the Identity Management API a bit where 
> credentials are concerned.  At the moment we have the following 
> methods defined by the IdentityManager interface:
>
>     // Password Management
>     boolean validatePassword(User user, String password);
>
>     void updatePassword(User user, String password);
>
>     void setPasswordEncoder(PasswordEncoder encoder);
>
>     // Certificate Management
>     boolean validateCertificate(User user, X509Certificate certificate);
>
>     boolean updateCertificate(User user, X509Certificate certificate);
>
> Furthermore, in IdentityStore we have these methods which are 
> essentially identical:
>
>     boolean validatePassword(User user, String password);
>
>     void updatePassword(User user, String password);
>
>     // Certificate Management
>     boolean validateCertificate(User user, X509Certificate certificate);
>
>     boolean updateCertificate(User user, X509Certificate certificate);
>
>
> What I'd like to do is make this a little more abstract (and more 
> future proof) by replacing these methods (in both interfaces) with the 
> following two methods:
>
>     boolean validateCredential(User user, Credential credential);
>
>     void updateCredential(User user, Credential credential);
This should be fine.  We just need Credental objects wrapping password, 
certificate etc.

Actually Darran, Pedro and I were discussing IDM for AS and we felt that 
the presence of events and event handlers is needed for the credential 
process. This will allow setting additional hashes as attributes on the 
User object.

>
> Once the method invocation hits the IdentityStore implementation, we 
> have a choice as to what we want to do here.  I think the best option 
> is to go with a credential encoding API based on the work that Pedro 
> has already done (see [1] and [2]).  My only suggestion would be to:
>
> a) make it a little more generic (we should use a factory object or 
> something to provide the IdentityStore implementation with the correct 
> encoder based on the type of credential)
> b) provide the encoder implementation with an invocation context 
> containing a reference back to the calling IdentityStore to allow 
> access to its internal methods and/or other state, and
> c) provide pluggable access to the encoding process, to allow the 
> developer to provide custom behaviour for the encoding.

> Does anyone have any suggestions or thoughts on this?
>
> Shane
>
>
> [1] 
> https://github.com/picketlink/picketlink/blob/master/idm/api/src/main/java/org/picketlink/idm/password/PasswordEncoder.java
> [2] 
> https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/password/internal/SHASaltedPasswordEncoder.java 
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20121018/541df225/attachment.html 


More information about the security-dev mailing list