...
Agreed API and SPI of Part 1
commit: 1a2c7ffd0d0a1ad3dea34515a54958f0a6ce2932
API
first draft at: http://s.apache.org/Vyg
Identity
Session scoped result of the authentication process.
```java
public interface Identity extends Serializable
{
    public enum AuthenticationResult { SUCCESS, FAILED, EXCEPTION }

    AuthenticationResult login();
    void logout();
    boolean isLoggedIn();
    User getUser();
}
```
...
```java
@Typed()
public class User implements Serializable
{
    private static final long serialVersionUID = -2234530384311026364L;

    private final String id;

    public User(String id)
    {
        this.id = id;
    }

    public String getId()
    {
        return id;
    }
}
```
Credential
Credential is a holder for the secret used to authenticate, e.g. a password.
```java
public interface Credential<T>
{
    T getValue();
}
```
...
TODO we need a better name for it
- LoginCredentialState
- LoginCredentialHolder
- LoginCredentialProvider
```java
public interface LoginCredential
{
    String getUserId();
    void setUserId(String userId);

    Credential getCredential();
    void setCredential(Credential credential);

    void invalidate();
}
```
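An added example of how the Credential / LoginCredential pair above can be implemented so that the secret does not outlive the login attempt. This is not code from the draft or the project; the names PasswordCredential and DefaultLoginCredential and the request scope of the holder are assumptions. It compiles against the Credential and LoginCredential interfaces shown above.

```java
import java.util.Arrays;
import javax.enterprise.context.RequestScoped;

// Added example, not part of the agreed draft. PasswordCredential and
// DefaultLoginCredential are assumed names; the draft does not specify a scope
// for the LoginCredential holder, @RequestScoped is an assumption.

/** Password held as char[] so it can be overwritten; a String would stay in the heap until GC. */
public final class PasswordCredential implements Credential<char[]>
{
    private final char[] value;

    public PasswordCredential(char[] value)
    {
        this.value = value.clone();   // own copy, so clear() really clears it
    }

    @Override
    public char[] getValue()
    {
        return value;   // live reference: callers must not copy it into a String
    }

    /** Overwrite the secret; called by LoginCredential.invalidate(). */
    public void clear()
    {
        Arrays.fill(value, '\0');
    }

    @Override
    public String toString()
    {
        return "PasswordCredential[***]";   // never let a log statement print the secret
    }
}

/** Holder filled by the login form and cleared as soon as the login attempt is over. */
@RequestScoped
class DefaultLoginCredential implements LoginCredential
{
    private String userId;
    private Credential credential;

    @Override public String getUserId() { return userId; }
    @Override public void setUserId(String userId) { this.userId = userId; }
    @Override public Credential getCredential() { return credential; }
    @Override public void setCredential(Credential credential) { this.credential = credential; }

    @Override
    public void invalidate()
    {
        if (credential instanceof PasswordCredential)
        {
            ((PasswordCredential) credential).clear();
        }
        credential = null;
        userId = null;
    }
}
```

Whoever calls Identity.login() is expected to call invalidate() in a finally block, so the wipe also happens when the Authenticator throws.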
Events
- LoggedInEvent
- LoginFailedEvent
- AlreadyLoggedInEvent
- PreLoggedOutEvent
- PostLoggedOutEvent
- PreAuthenticateEvent
- PostAuthenticateEvent
SPI
AuthenticatorSelector
Request scoped bean used to find the current Authenticator for the authentication process, e.g. to provide different login types used by the same client (e.g. a component in a UI).
TODO discuss default (internal) Authenticator if there is no custom implementation.
```java
public interface AuthenticatorSelector
{
    Class<? extends Authenticator> getAuthenticatorClass();
    void setAuthenticatorClass(Class<? extends Authenticator> authenticatorClass);

    String getAuthenticatorName();
    void setAuthenticatorName(String authenticatorName);

    Authenticator getSelectedAuthenticator();
}
```
Authenticator
Called by Identity; performs the final authentication based on the information in LoginCredential.
```java
public interface Authenticator
{
    public enum AuthenticationStatus { SUCCESS, FAILURE, DEFERRED }

    void authenticate();
    void postAuthenticate();

    AuthenticationStatus getStatus();
    User getUser();
}
```
```java
public abstract class BaseAuthenticator implements Authenticator
{
    private AuthenticationStatus status;

    public AuthenticationStatus getStatus()
    {
        return status;
    }

    protected void setStatus(AuthenticationStatus status)
    {
        this.status = status;
    }

    public void postAuthenticate()
    {
        // No-op, override if any post-authentication processing is required.
    }
}
```
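An added example sketching how an Identity implementation could drive the SPI above: select the Authenticator, fire the listed events in order, map AuthenticationStatus to AuthenticationResult, and invalidate the LoginCredential whatever the outcome. This is not the project's implementation. The event payloads, the class name DefaultIdentity, and the handling of DEFERRED (the Identity result enum has no value for it) are assumptions; it compiles against the interfaces shown above.

```java
import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Event;
import javax.inject.Inject;

// Added example, not the project's code. Event payloads are an assumption: the
// draft only lists the event names.
class PreAuthenticateEvent { }
class PostAuthenticateEvent { }
class AlreadyLoggedInEvent { final User user; AlreadyLoggedInEvent(User u) { user = u; } }
class LoggedInEvent { final User user; LoggedInEvent(User u) { user = u; } }
class LoginFailedEvent { final String userId; LoginFailedEvent(String id) { userId = id; } }
class PreLoggedOutEvent { final User user; PreLoggedOutEvent(User u) { user = u; } }
class PostLoggedOutEvent { final User user; PostLoggedOutEvent(User u) { user = u; } }

@SessionScoped
public class DefaultIdentity implements Identity
{
    private static final long serialVersionUID = 1L;

    @Inject private AuthenticatorSelector authenticatorSelector;
    @Inject private LoginCredential loginCredential;
    @Inject private Event<PreAuthenticateEvent> preAuthenticate;
    @Inject private Event<PostAuthenticateEvent> postAuthenticate;
    @Inject private Event<AlreadyLoggedInEvent> alreadyLoggedIn;
    @Inject private Event<LoggedInEvent> loggedIn;
    @Inject private Event<LoginFailedEvent> loginFailed;
    @Inject private Event<PreLoggedOutEvent> preLoggedOut;
    @Inject private Event<PostLoggedOutEvent> postLoggedOut;

    private User user;   // non-null exactly while logged in

    @Override
    public AuthenticationResult login()
    {
        if (isLoggedIn())
        {
            alreadyLoggedIn.fire(new AlreadyLoggedInEvent(user));
            return AuthenticationResult.SUCCESS;
        }
        boolean deferred = false;
        try
        {
            preAuthenticate.fire(new PreAuthenticateEvent());
            Authenticator authenticator = authenticatorSelector.getSelectedAuthenticator();
            authenticator.authenticate();
            if (authenticator.getStatus() == Authenticator.AuthenticationStatus.DEFERRED)
            {
                // Multi-step login (e.g. redirect to an external provider): keep the
                // credential for the follow-up request. Reporting FAILED is an assumption,
                // the draft's AuthenticationResult has no value for this case.
                deferred = true;
                return AuthenticationResult.FAILED;
            }
            authenticator.postAuthenticate();
            postAuthenticate.fire(new PostAuthenticateEvent());
            if (authenticator.getStatus() == Authenticator.AuthenticationStatus.SUCCESS
                && authenticator.getUser() != null)
            {
                user = authenticator.getUser();
                loggedIn.fire(new LoggedInEvent(user));
                return AuthenticationResult.SUCCESS;
            }
            loginFailed.fire(new LoginFailedEvent(loginCredential.getUserId()));
            return AuthenticationResult.FAILED;
        }
        catch (RuntimeException e)
        {
            // An authenticator that blows up must never leave the session logged in.
            user = null;
            loginFailed.fire(new LoginFailedEvent(loginCredential.getUserId()));
            return AuthenticationResult.EXCEPTION;
        }
        finally
        {
            if (!deferred)
            {
                loginCredential.invalidate();   // drop the secret whatever the outcome
            }
        }
    }

    @Override
    public void logout()
    {
        if (!isLoggedIn()) return;
        User loggedOutUser = user;
        preLoggedOut.fire(new PreLoggedOutEvent(loggedOutUser));
        user = null;
        postLoggedOut.fire(new PostLoggedOutEvent(loggedOutUser));
    }

    @Override public boolean isLoggedIn() { return user != null; }
    @Override public User getUser() { return user; }
}
```

Two things this sketch deliberately leaves to the web layer, because the API has no servlet dependency: on SUCCESS the HTTP session id should be rotated (session fixation), and logout() should be followed by invalidating the HTTP session rather than only clearing the user field.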
...
| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Login via Username/Password | | | |
| Password-Hash-Service | | | |
| Logout | | | |
| Authentication API and SPI | Credentials vs Credential (one of them needs a better name) | | |
| Basic User/Identity API | | | |
| Duration of a valid authentication | ExpirationEvaluator SPI | | |
Part 2
| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Object level permission | | | |
| Grant or revoke permissions | | | |
| Basic Roles and groups API | optional type-safe (-> static) groups (and roles) | | |
| @SecurityMethodBinding | | | |
| Super-users | | | |
| User/Identity management | | | |
| Password-Hash-Service | | | |
| Group management | optional support for type-safe groups/group-types | | |
...
| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Support for deputies (see Impersonalization) | | | |
| Privileges concept | | | |
| Grant or revoke permissions | | | |
| UI SPI (Component based authorization) | add optional type-safe authorization; integration with JSF | | |
| Permissions of resources | Merge with CODI view-configs, ... | | |
| Persistence SPI | integration with JPA | | |
| Identity Store SPI | | | |
| Query API | | | |
| Application roles | | | |
...
| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Support of alternative authentication concepts | Extend the Authentication SPI | | |
| Integration with authentication concepts of (application-) servers | Extend the Authentication SPI | | |
| Personalization | | | |
| Alternatives for roles/groups | | | |
| Permission for external applications | | | |
...
Use-cases
Authentication
Scenario
...
Example JSF code:
```xml
Username: <h:inputText value="#{credentials.username}"/>
Password: <h:inputSecret id="password" value="#{credentials.password}"/>
<h:commandButton value="LOGIN" action="#{identity.login}"/>
```
...
```java
import javax.inject.Inject;

public class SimpleAuthenticator extends BaseAuthenticator implements Authenticator
{
    // "Credentials", "PasswordCredential", "setUser" and "SimpleUser" follow the draft
    // naming that is still under discussion (see "Credentials vs Credential" above).
    @Inject
    Credentials credentials;

    @Override
    public void authenticate()
    {
        // Demo only: a hard-coded plaintext comparison. A real authenticator verifies
        // the supplied password against a stored hash (see the password service below).
        if ("demo".equals(credentials.getUsername())
            && credentials.getCredential() instanceof PasswordCredential
            && "demo".equals(((PasswordCredential) credentials.getCredential()).getValue()))
        {
            setStatus(AuthenticationStatus.SUCCESS);
            setUser(new SimpleUser("demo"));
        }
        else
        {
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}
```
Scenario
It should be possible to provide an optional password service that derives a password hash from the given password; the hash is stored instead of the plaintext password.
There may be different default implementations, selected via qualifiers.
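An added example of such a password service, not the project's code: the interface name PasswordHashService, the @Pbkdf2 qualifier and the stored-string format are assumptions. It shows the parts a practitioner expects from the service: a random per-user salt, a slow key derivation (PBKDF2-HMAC-SHA256 from the JDK), the iteration count stored alongside the hash so it can be raised later without breaking old entries, and a constant-time comparison.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Qualifier;

// Added example, not the project's code. PasswordHashService, @Pbkdf2 and the
// "pbkdf2-sha256$iterations$salt$hash" encoding are assumptions.

/** Hash at registration / password change, verify at login. */
public interface PasswordHashService
{
    String hash(char[] password);
    boolean verify(char[] password, String storedHash);
}

/** Qualifier so that several default implementations can coexist. */
@Qualifier
@Retention(RetentionPolicy.RUNTIME)
@interface Pbkdf2 { }

@Pbkdf2
@ApplicationScoped
class Pbkdf2PasswordHashService implements PasswordHashService
{
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final String PREFIX = "pbkdf2-sha256";
    private static final int ITERATIONS = 310_000;   // tune to ~100 ms on the target hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    private final SecureRandom random = new SecureRandom();

    @Override
    public String hash(char[] password)
    {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] dk = derive(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return PREFIX + "$" + ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(dk);
    }

    @Override
    public boolean verify(char[] password, String storedHash)
    {
        try
        {
            String[] parts = storedHash.split("\\$");
            if (parts.length != 4 || !PREFIX.equals(parts[0]))
            {
                return false;
            }
            int iterations = Integer.parseInt(parts[1]);   // taken from the stored value
            byte[] salt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            // MessageDigest.isEqual does not short-circuit on the first differing byte
            return MessageDigest.isEqual(expected, derive(password, salt, iterations));
        }
        catch (IllegalArgumentException e)   // malformed number or Base64 in the stored value
        {
            return false;
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations)
    {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try
        {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        }
        catch (NoSuchAlgorithmException | InvalidKeySpecException e)
        {
            throw new IllegalStateException(e);
        }
        finally
        {
            spec.clearPassword();   // PBEKeySpec keeps its own copy of the password
        }
    }
}
```

An Authenticator using this service should call verify() even when the user id is unknown (against a dummy stored hash), otherwise the response time reveals which user ids exist.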
...
```java
Group itsec = identityManager.createGroup("itsec", "/organization/engineering/security");
itsec.addRole("manager", "johnDoe");

Group hr = identityManager.createGroup("hr", "/organization");
hr.addRole("supervisor", "aliceDoe");
hr.addRole("headhunter", "chrisDoe");

aliceDoe.hasRole("headhunter");

List<User> headHunters = identityManager.createUserQuery()
    .setRole("headhunter")
    .sort(true)
    .setRange(Range.of(0, 50))
    .execute();
```
Scenario
The application needs to expose capabilities to associate an authenticated user with specific roles in the application context.
...
```java
identityManager.getSupportedFeatures().isUserSortSupported();
identityManager.getSupportedFeatures().isUserQueryPaginationSupported();
```
Events
Scenario
The application developer needs to add specific hooks for common IDM or security operations.
...