...
| Code Block |
|---|
public interface Identity extends Serializable
{
public enum AuthenticationResult
{
SUCCESS, FAILED
}
AuthenticationResult login();
void logout();
boolean isLoggedIn();
User getUser();
}
|
...
| Code Block |
|---|
public interface AuthenticatorSelector
{
Class<? extends Authenticator> getAuthenticatorClass();
void setAuthenticatorClass(Class<? extends Authenticator> authenticatorClass);
String getAuthenticatorName();
void setAuthenticatorName(String authenticatorName);
Authenticator getSelectedAuthenticator();
}
|
...
| Code Block |
|---|
public interface Authenticator
{
public enum AuthenticationStatus
{
SUCCESS, FAILURE, DEFERRED
}
void authenticate();
void postAuthenticate();
AuthenticationStatus getStatus();
User getUser();
}
|
| Code Block |
|---|
public abstract class BaseAuthenticator implements Authenticator
{
private AuthenticationStatus status;
public AuthenticationStatus getStatus()
{
return status;
}
protected void setStatus(AuthenticationStatus status)
{
this.status = status;
}
public void postAuthenticate()
{
// No-op, override if any post-authentication processing is required.
}
}
|
...
Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
Login via Username/Password |
|
| |
Logout |
|
| |
Authentication API and SPI | Credentials vs Credential (one of it needs a better name) |
| |
Basic User/Identity API |
|
| |
Duration of a valid authentication | ExpirationEvaluator SPI |
|
|
Password-Hash-Service |
|
|
|
Part 2
Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
Object level permission |
|
|
|
Grant or revoke permissions |
|
|
|
Basic Roles and groups API | optional type-safe (-> static) groups (and roles) |
|
|
@SecurityMethodBinding |
|
|
|
Super-users |
|
|
|
User/Identity management |
|
|
|
Password-Hash-Service |
|
|
|
Group management | optional support for typ-safe groups/group-types |
|
|
...
Feature | Comments | Objections | Discussion finished | |||
|---|---|---|---|---|---|---|
Support for deputies (see Impersonalization) |
|
|
| |||
Privileges concept |
|
| Grant or revoke permissions |
|
|
|
UI SPI (Component based authorization) | add optional type-safe authorization; integration with JSF |
|
| |||
Permissions of resources | Merge with CODI view-configs,... |
|
| |||
Persistence SPI | integration with JPA |
|
| |||
Identity Store SPI |
|
|
| |||
Query API |
|
|
| |||
Application roles |
|
|
|
...
Example JSF code:
| Code Block | ||||
|---|---|---|---|---|
| ||||
Username: <h:inputText value="#{credentials.username}"/>
Password: <h:inputSecret id="password" value="#{credentials.password}"/>
<h:commandButton value="LOGIN" action="#{identity.login}"/>
|
...
| Code Block |
|---|
public class SimpleAuthenticator extends BaseAuthenticator implements Authenticator {
@Inject Credentials credentials;
@Override
public void authenticate() {
if ("demo".equals(credentials.getUsername()) &&
credentials.getCredential() instanceof PasswordCredential &&
"demo".equals(((PasswordCredential) credentials.getCredential()).getValue())) {
setStatus(AuthenticationStatus.SUCCESS);
setUser(new SimpleUser("demo"));
} else {
setStatus(AuthenticationStatus.FAILURE);
}
}
}
|
Scenario
It should be possible to provide an optional password service to create a password-hash based on the given password which will be stored instead of the real password.
Maybe there should be different default implementations (provided via qualifiers).
...
| Code Block |
|---|
Group itsec = identityManager.createGroup(“itsec”, “/organization/engineering/security”);
itsec.addRole(“manager”, “johnDoe”);
Group hr = identityManager.createGroup(“hr”, “/organization”);
hr.addRole(“supervisor”, “aliceDoe”);
hr.addRole(“headhunter”, “chrisDoe”);
aliceDoe.hasRole(“headhunter”);
List<User> headHunters = identityManager.createUserQuery().setRole(“headhunter”).sort(true).setRange(Range.of(0,50).execute();
|
Scenario
Application needs to expose capabilities to associate authenticated user with specific roles in application context.
...