  • @Secured
  • @SecurityBindingType
  • AccessDecisionVoter
  • SecurityStrategy

Agreed API and SPI of Part 1

API/SPI under discussion

Part 1

| Feature                           | Comments                                                        | Objections | Discussion finished |
|-----------------------------------|-----------------------------------------------------------------|------------|---------------------|
| Login via Username/Password       |                                                                 |            |                     |
| Password-Hash-Service             |                                                                 |            |                     |
| Logout                            |                                                                 |            |                     |
| Authentication API and SPI        | Credentials vs Credential (one of them needs a better name)     |            |                     |
| Duration of a valid authentication | ExpirationEvaluator SPI                                        |            |                     |
| Basic User/Identity API           |                                                                 |            |                     |

Part 2

| Feature                     | Comments                                              | Objections | Discussion finished |
|-----------------------------|-------------------------------------------------------|------------|---------------------|
| Object level permission     |                                                       |            |                     |
| Basic Roles and groups API  | optional type-safe (-> static) groups (and roles)     |            |                     |
| @SecurityMethodBinding      |                                                       |            |                     |
| Super-users                 |                                                       |            |                     |
| User/Identity management    |                                                       |            |                     |
| Group management            | optional support for type-safe groups/group-types     |            |                     |

Part 3

| Feature                                       | Comments                                                     | Objections | Discussion finished |
|-----------------------------------------------|--------------------------------------------------------------|------------|---------------------|
| Support for deputies (see Impersonalization)  |                                                              |            |                     |
| Privileges concept                            |                                                              |            |                     |
| Grant or revoke permissions                   |                                                              |            |                     |
| UI SPI (Component based authorization)        | add optional type-safe authorization; integration with JSF   |            |                     |
| Permissions of resources                      | Merge with CODI view-configs,...                             |            |                     |
| Persistence SPI                               | integration with JPA                                         |            |                     |
| Identity Store SPI                            |                                                              |            |                     |
| Query API                                     |                                                              |            |                     |
| Application roles                             |                                                              |            |                     |

Part 4

| Feature                                                              | Comments                        | Objections | Discussion finished |
|----------------------------------------------------------------------|---------------------------------|------------|---------------------|
| Support of alternative authentication concepts                       | Extend the Authentication SPI   |            |                     |
| Integration with authentication concepts of (application-) servers   | Extend the Authentication SPI   |            |                     |
| Personalization                                                      |                                 |            |                     |
| Alternatives for roles/groups                                        |                                 |            |                     |
| Permission for external applications                                 |                                 |            |                     |

Ongoing discussions

API

1. draft: http://s.apache.org/Vyg

Identity

Session scoped result of the authentication process.

Code Block

import java.io.Serializable;

public interface Identity extends Serializable
{
    public enum AuthenticationResult
    {
        SUCCESS, FAILED, EXCEPTION
    }
    
    boolean isLoggedIn();

    User getUser();

    AuthenticationResult login();

    void logout();
}

User

Depending on further use-cases, it can be refactored into an interface.

Code Block

import java.io.Serializable;
import javax.enterprise.inject.Typed;

@Typed()
public class User implements Serializable
{
    private static final long serialVersionUID = -2234530384311026364L;

    private String id;

    public User()
    {
    }

    public User(String id)
    {
        this.id = id;
    }

    public String getId()
    {
        return id;
    }

    public void setId(String id)
    {
        this.id = id;
    }
}

Credential

Code Block

public interface Credential<T>
{
    T getValue();
}

LoginCredential (former Credentials)

Request scoped holder for the authentication process.

TODO we need a better name for it

Code Block

public interface LoginCredential
{
    String getUserId();

    void setUserId(String userId);

    Credential getCredential();

    void setCredential(Credential credential);

    void invalidate();
}

AuthenticatorSelector

Code Block

public interface AuthenticatorSelector
{
    Class<? extends Authenticator> getAuthenticatorClass();

    void setAuthenticatorClass(Class<? extends Authenticator> authenticatorClass);

    String getAuthenticatorName();

    void setAuthenticatorName(String authenticatorName);
    
    Authenticator getSelectedAuthenticator();
}
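A session-scoped Identity that drives the login flow through the AuthenticatorSelector, added here as an example; it is not code from the page or the project. It assumes the page's Identity, Authenticator, AuthenticatorSelector, LoginCredential and User types (with their nested AuthenticationResult and AuthenticationStatus enums) plus CDI's @SessionScoped and @Inject; DefaultIdentity is a hypothetical name.

```java
import javax.enterprise.context.SessionScoped;
import javax.inject.Inject;

// Hypothetical session-scoped Identity built on the page's draft API. Identity,
// Authenticator, AuthenticatorSelector, LoginCredential and User are the page's
// types; the nested AuthenticationResult/AuthenticationStatus enums are theirs too.
@SessionScoped
public class DefaultIdentity implements Identity {
    private static final long serialVersionUID = 1L;

    @Inject
    private AuthenticatorSelector authenticatorSelector;
    @Inject
    private LoginCredential loginCredential;
    private User user; // null while nobody is logged in

    public boolean isLoggedIn() {
        return user != null;
    }

    public User getUser() {
        return user;
    }

    public AuthenticationResult login() {
        try {
            Authenticator authenticator = authenticatorSelector.getSelectedAuthenticator();
            authenticator.authenticate();
            if (authenticator.getStatus() == Authenticator.AuthenticationStatus.SUCCESS) {
                user = authenticator.getUser();
                authenticator.postAuthenticate();
                // A real deployment should also renew the HTTP session id here to
                // prevent session fixation.
                return AuthenticationResult.SUCCESS;
            }
            // FAILURE and DEFERRED both leave the session unauthenticated; DEFERRED
            // means a later request (e.g. a redirect-based login) completes the flow.
            return AuthenticationResult.FAILED;
        } catch (RuntimeException e) {
            user = null; // never leave the session half-authenticated
            return AuthenticationResult.EXCEPTION;
        } finally {
            loginCredential.invalidate(); // the credential is only needed for this request
        }
    }

    public void logout() {
        user = null; // the container session should be invalidated as well
    }
}
```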

Authenticator

Code Block

public interface Authenticator
{
    public enum AuthenticationStatus
    {
        SUCCESS,
        FAILURE,
        DEFERRED
    }

    void authenticate();

    void postAuthenticate();

    AuthenticationStatus getStatus();

    User getUser();
}

BaseAuthenticator

Code Block

import javax.enterprise.inject.Typed;

@Typed()
public abstract class BaseAuthenticator implements Authenticator
{
    private AuthenticationStatus status;

    public AuthenticationStatus getStatus()
    {
        return status;
    }

    protected void setStatus(AuthenticationStatus status)
    {
        this.status = status;
    }

    public void postAuthenticate()
    {
        // No-op, override if any post-authentication processing is required.
    }
}
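A username/password Authenticator built on the page's BaseAuthenticator, added here as an example; it is not code from the page or the project. It assumes the page's Authenticator, BaseAuthenticator, Credential, LoginCredential and User types; PasswordHashService (with a verify(String password, String hash) method) is a hypothetical stand-in for the Password-Hash-Service feature, and the user-store map and DUMMY_HASH are constructed placeholders.

```java
import java.util.Map;
import javax.inject.Inject;

// Hypothetical username/password Authenticator on top of the page's
// BaseAuthenticator. PasswordHashService stands in for the page's planned
// "Password-Hash-Service"; its verify(String password, String hash) is assumed.
public class UsernamePasswordAuthenticator extends BaseAuthenticator {
    // Placeholder hash verified for unknown user ids so that the work done (and
    // hence the response time) is the same whether or not the account exists.
    private static final String DUMMY_HASH = "<hash-of-an-unused-password>";

    @Inject
    private LoginCredential loginCredential;     // request-scoped holder (page API)
    @Inject
    private PasswordHashService hashService;     // assumed SPI, see lead-in
    private final Map<String, String> userStore; // user id -> stored password hash
    private User user;

    public UsernamePasswordAuthenticator(Map<String, String> userStore) {
        this.userStore = userStore;
    }

    public void authenticate() {
        user = null;
        String userId = loginCredential.getUserId();
        Credential<?> credential = loginCredential.getCredential();
        Object value = credential == null ? null : credential.getValue();

        // Fail closed: missing or wrongly typed input is a FAILURE, not an exception
        // that could leak internals or leave the status unset.
        if (userId == null || !(value instanceof String)) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        String storedHash = userStore.get(userId);
        boolean valid = hashService.verify((String) value,
                storedHash != null ? storedHash : DUMMY_HASH);
        if (storedHash != null && valid) {
            user = new User(userId);
            setStatus(AuthenticationStatus.SUCCESS);
        } else {
            // Same outcome for "unknown user" and "wrong password".
            setStatus(AuthenticationStatus.FAILURE);
        }
    }

    public User getUser() {
        return user;
    }
}
```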


Use-cases

Authentication

Scenario
