[security-dev] Undertow / IdentityManager and Digest Authentication

Shane Bryzak sbryzak at redhat.com
Wed May 1 20:32:58 EDT 2013


Bill, I'm going to concede defeat on this one, so congrats on a 
well-fought victory ;)  The one saving grace with the IdentityManager is 
that in an EE environment it is actually wrapped by a 
SecuredIdentityManager, which allows for permission checks to be defined 
for every single IDM operation.  With this in mind, it should be trivial 
to implement a permission check for credential retrieval that restricts 
it to only allow the reading of credentials for the currently 
authenticated user (or whatever other permission logic the developer wants).

So, with that in mind I propose the following additional methods for 
IdentityManager:

     <T extends CredentialStorage> T retrieveCurrentCredential(Agent agent, Class<T> storageClass);
     <T extends CredentialStorage> List<T> retrieveCredentials(Agent agent, Class<T> storageClass);

These will essentially delegate to the underlying CredentialStore, and 
if there is none (which will be the case in an LDAP-only configuration) 
you'll get an OperationNotSupportedException.

Will this be sufficient for your requirements?

Shane
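A sketch of the arrangement described above, as an added example that is not code from this thread or from the PicketLink project: a wrapper exposing the two proposed methods, gating every credential read behind a permission check that only allows the currently authenticated agent to read its own credentials, and failing with OperationNotSupportedException when no CredentialStore is present. Agent, CredentialStorage, CredentialStore, OperationNotSupportedException and SecuredIdentityManager are local stand-ins for the types of those names, and the "current agent" is assumed to be supplied by the container.

```java
import java.util.List;

final class Agent {                         // stand-in for PicketLink's Agent
    final String loginName;
    Agent(String loginName) { this.loginName = loginName; }
}
interface CredentialStorage {}              // stand-in marker interface
/** Stand-in for the underlying CredentialStore; absent (null) in an LDAP-only configuration. */
interface CredentialStore {
    <T extends CredentialStorage> T retrieveCurrentCredential(Agent agent, Class<T> storageClass);
    <T extends CredentialStorage> List<T> retrieveCredentials(Agent agent, Class<T> storageClass);
}
final class OperationNotSupportedException extends RuntimeException {   // stand-in exception
    OperationNotSupportedException(String msg) { super(msg); }
}

/** Wrapper that runs a permission check before every credential read, then delegates. */
final class SecuredIdentityManager {
    private final CredentialStore store;    // null when no CredentialStore is configured
    private final Agent currentAgent;       // authenticated caller; assumed supplied by the container
    SecuredIdentityManager(CredentialStore store, Agent currentAgent) {
        this.store = store;
        this.currentAgent = currentAgent;
    }

    // Permission logic: a caller may only read its own credentials (other policies could go here).
    private void checkReadPermission(Agent agent) {
        if (currentAgent == null || agent == null
                || !currentAgent.loginName.equals(agent.loginName)) {
            throw new SecurityException("credential read denied for "
                    + (agent == null ? "null agent" : agent.loginName));
        }
    }

    // Delegation target; fails with OperationNotSupportedException when there is no store.
    private CredentialStore requireStore() {
        if (store == null) {
            throw new OperationNotSupportedException("no CredentialStore configured (LDAP-only?)");
        }
        return store;
    }

    <T extends CredentialStorage> T retrieveCurrentCredential(Agent agent, Class<T> storageClass) {
        checkReadPermission(agent);
        return requireStore().retrieveCurrentCredential(agent, storageClass);
    }
    <T extends CredentialStorage> List<T> retrieveCredentials(Agent agent, Class<T> storageClass) {
        checkReadPermission(agent);
        return requireStore().retrieveCredentials(agent, storageClass);
    }
}
```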

