...
- @Secured
- @SecurityBindingType
- AccessDecisionVoter
- SecurityStrategy
Agreed API and SPI of Part 1
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Login via Username/Password | | | |
Password-Hash-Service | | | |
Logout | | | |
Authentication API and SPI | Credentials vs Credential (one of them needs a better name) | | |
Duration of a valid authentication | ExpirationEvaluator SPI | | |
Basic User/Identity API | | | |
Part 2
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Object level permission | | | |
Basic Roles and groups API | optional type-safe (-> static) groups (and roles) | | |
@SecurityMethodBinding | | | |
Super-users | | | |
User/Identity management | | | |
Group management | optional support for type-safe groups/group-types | | |
Part 3
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Support for deputies (see Impersonalization) | | | |
Privileges concept | | | |
Grant or revoke permissions | | | |
UI SPI (Component based authorization) | add optional type-safe authorization; integration with JSF | | |
Permissions of resources | Merge with CODI view-configs,... | | |
Persistence SPI | integration with JPA | | |
Identity Store SPI | | | |
Query API | | | |
Application roles | | | |
Part 4
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Support of alternative authentication concepts | Extend the Authentication SPI | | |
Integration with authentication concepts of (application-) servers | Extend the Authentication SPI | | |
Personalization | | | |
Alternatives for roles/groups | | | |
Permission for external applications | | | |
Ongoing discussions
API
1. draft: http://s.apache.org/Vyg
Identity
Session scoped result of the authentication process.
```java
import java.io.Serializable;

public interface Identity extends Serializable
{
    // Outcome of a login attempt as seen by the caller
    public enum AuthenticationResult
    {
        SUCCESS, FAILED, EXCEPTION
    }

    boolean isLoggedIn();

    User getUser();

    AuthenticationResult login();

    void logout();
}
```
User
Depending on further use-cases it can be refactored to an interface.

```java
import java.io.Serializable;
import javax.enterprise.inject.Typed;

@Typed()
public class User implements Serializable
{
    private static final long serialVersionUID = -2234530384311026364L;

    private String id;

    public User()
    {
    }

    public User(String id)
    {
        this.id = id;
    }

    public String getId()
    {
        return id;
    }

    public void setId(String id)
    {
        this.id = id;
    }
}
```
Credential
```java
public interface Credential<T>
{
    T getValue();
}
```
LoginCredential (former Credentials)
Request scoped holder for the authentication process.
TODO we need a better name for it
```java
public interface LoginCredential
{
    String getUserId();

    void setUserId(String userId);

    Credential getCredential();

    void setCredential(Credential credential);

    // Clears the held credential once the authentication attempt is over
    void invalidate();
}
```
AuthenticatorSelector
```java
public interface AuthenticatorSelector
{
    Class<? extends Authenticator> getAuthenticatorClass();

    void setAuthenticatorClass(Class<? extends Authenticator> authenticatorClass);

    String getAuthenticatorName();

    void setAuthenticatorName(String authenticatorName);

    Authenticator getSelectedAuthenticator();
}
```
BaseAuthenticator

```java
import javax.enterprise.inject.Typed;

@Typed()
public abstract class BaseAuthenticator implements Authenticator
{
    private AuthenticationStatus status;

    public AuthenticationStatus getStatus()
    {
        return status;
    }

    protected void setStatus(AuthenticationStatus status)
    {
        this.status = status;
    }

    public void postAuthenticate()
    {
        // No-op, override if any post-authentication processing is required.
    }
}
```
Authenticator
```java
public interface Authenticator
{
    // Outcome of an authenticate() call; DEFERRED means the decision is not yet final
    public enum AuthenticationStatus
    {
        SUCCESS,
        FAILURE,
        DEFERRED
    }

    void authenticate();

    void postAuthenticate();

    AuthenticationStatus getStatus();

    User getUser();
}
```
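As an added example, not code from the DeltaSpike draft, of how the session-scoped Identity could drive the Authenticator SPI above: it resolves the authenticator through the AuthenticatorSelector, maps the Authenticator's status to Identity.AuthenticationResult, calls postAuthenticate only on success, and invalidates the request-scoped LoginCredential whatever the outcome. Constructor injection and the DEFERRED-to-FAILED mapping are assumptions.

```java
// Added example, not DeltaSpike code: wires the draft Identity to the Authenticator SPI.
// Assumes the draft types Identity, User, Authenticator, AuthenticatorSelector and
// LoginCredential are on the classpath; constructor injection is an assumption.
public class DefaultIdentity implements Identity
{
    private static final long serialVersionUID = 1L;
    private transient AuthenticatorSelector selector;
    private transient LoginCredential loginCredential;
    private User user; // non-null only while logged in

    public DefaultIdentity(AuthenticatorSelector selector, LoginCredential loginCredential)
    {
        this.selector = selector;
        this.loginCredential = loginCredential;
    }

    public boolean isLoggedIn() { return user != null; }

    public User getUser() { return user; }

    public AuthenticationResult login()
    {
        try
        {
            Authenticator authenticator = selector.getSelectedAuthenticator();
            authenticator.authenticate();
            if (authenticator.getStatus() == Authenticator.AuthenticationStatus.SUCCESS)
            {
                user = authenticator.getUser();
                authenticator.postAuthenticate(); // only once the status is known
                return AuthenticationResult.SUCCESS;
            }
            // FAILURE, or DEFERRED (an external step still pending): no session is established.
            // Mapping DEFERRED to FAILED is an assumption; the draft result enum has no value for it.
            user = null;
            return AuthenticationResult.FAILED;
        }
        catch (RuntimeException e)
        {
            user = null; // an authenticator error must never leave a half-established session
            return AuthenticationResult.EXCEPTION;
        }
        finally
        {
            loginCredential.invalidate(); // the submitted credential never outlives the attempt
        }
    }

    public void logout() { user = null; }
}
```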
API/SPI under discussion
Ongoing discussions
Use-cases
Authentication
Scenario
...