...
```java
public interface Identity extends Serializable
{
    public enum AuthenticationResult
    {
        SUCCESS, FAILED
    }

    AuthenticationResult login();
    void logout();
    boolean isLoggedIn();
    User getUser();
}
```
...
```java
public interface AuthenticatorSelector
{
    Class<? extends Authenticator> getAuthenticatorClass();
    void setAuthenticatorClass(Class<? extends Authenticator> authenticatorClass);
    String getAuthenticatorName();
    void setAuthenticatorName(String authenticatorName);
    Authenticator getSelectedAuthenticator();
}
```
...
```java
public interface Authenticator
{
    public enum AuthenticationStatus
    {
        SUCCESS, FAILURE, DEFERRED
    }

    void authenticate();
    void postAuthenticate();
    AuthenticationStatus getStatus();
    User getUser();
}
```
```java
public abstract class BaseAuthenticator implements Authenticator
{
    private AuthenticationStatus status;
    // Set by concrete authenticators on SUCCESS; stays null while authentication has not succeeded.
    private User user;

    public AuthenticationStatus getStatus()
    {
        return status;
    }

    protected void setStatus(AuthenticationStatus status)
    {
        this.status = status;
    }

    public User getUser()
    {
        return user;
    }

    protected void setUser(User user)
    {
        this.user = user;
    }

    public void postAuthenticate()
    {
        // No-op, override if any post-authentication processing is required.
    }
}
```
...
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Login via Username/Password | | | |
Logout | | | |
Authentication API and SPI | Credentials vs Credential (one of them needs a better name) | | |
Basic User/Identity API | | | |
Duration of a valid authentication | ExpirationEvaluator SPI | | |
Password-Hash-Service | | | |
Part 2

Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Object level permission | | | |
Grant or revoke permissions | | | |
Basic Roles and groups API | optional type-safe (-> static) groups (and roles) | | |
@SecurityMethodBinding | | | |
Super-users | | | |
User/Identity management | | | |
Password-Hash-Service | | | |
Group management | optional support for type-safe groups/group-types | | |
...
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Support for deputies (see Impersonalization) | | | |
Privileges concept | | | |
Grant or revoke permissions | | | |
UI SPI (Component based authorization) | add optional type-safe authorization; integration with JSF | | |
Permissions of resources | Merge with CODI view-configs,... | | |
Persistence SPI | integration with JPA | | |
Identity Store SPI | | | |
Query API | | | |
Application roles | | | |
...
Feature | Comments | Objections | Discussion finished |
---|---|---|---|
Support of alternative authentication concepts | Extend the Authentication SPI | | |
Integration with authentication concepts of (application-) servers | Extend the Authentication SPI | | |
Personalization | | | |
Alternatives for roles/groups | | | |
Permission for external applications | | | |
...
Use-cases
Authentication
Scenario
...
Example JSF code:

```xml
Username: <h:inputText value="#{credentials.username}"/>
Password: <h:inputSecret id="password" value="#{credentials.password}"/>
<h:commandButton value="LOGIN" action="#{identity.login}"/>
```
...
```java
public class SimpleAuthenticator extends BaseAuthenticator implements Authenticator
{
    @Inject
    Credentials credentials;

    @Override
    public void authenticate()
    {
        if ("demo".equals(credentials.getUsername())
                && credentials.getCredential() instanceof PasswordCredential
                && "demo".equals(((PasswordCredential) credentials.getCredential()).getValue()))
        {
            setStatus(AuthenticationStatus.SUCCESS);
            setUser(new SimpleUser("demo"));
        }
        else
        {
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}
```
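The interfaces above define how `Identity.login()` is meant to consume the `Authenticator` SPI, but the page does not show the driving side. The following added example (not part of the page or the project) is one hypothetical `DefaultIdentity` that selects an authenticator, runs it and publishes the `User` only on `SUCCESS`; a `DEFERRED` authenticator is kept for the next `login()` call, which is this example's interpretation of that status. The `User`, `SimpleUser` and the reduced single-method `AuthenticatorSelector` are stand-ins constructed here so the file compiles on its own.

```java
import java.io.Serializable;
import java.util.Objects;

// Stand-ins for the page's User type; the Identity/Authenticator interfaces repeat the page's declarations.
interface User extends Serializable {
    String getName();
}

final class SimpleUser implements User {
    private final String name;
    SimpleUser(String name) { this.name = Objects.requireNonNull(name); }
    public String getName() { return name; }
}

interface Authenticator {
    enum AuthenticationStatus { SUCCESS, FAILURE, DEFERRED }
    void authenticate();
    void postAuthenticate();
    AuthenticationStatus getStatus();
    User getUser();
}

// Reduced to the one method this example needs (the page's selector also carries class/name accessors).
interface AuthenticatorSelector {
    Authenticator getSelectedAuthenticator();
}

interface Identity extends Serializable {
    enum AuthenticationResult { SUCCESS, FAILED }
    AuthenticationResult login();
    void logout();
    boolean isLoggedIn();
    User getUser();
}

/**
 * Hypothetical Identity implementation driving the Authenticator SPI.
 * The User is published only after SUCCESS, so FAILURE or DEFERRED never leaves a
 * half-authenticated principal behind.
 */
final class DefaultIdentity implements Identity {
    private final AuthenticatorSelector selector;
    private User user;              // null while nobody is logged in
    private Authenticator deferred; // authenticator waiting for a further step (e.g. a second factor)

    DefaultIdentity(AuthenticatorSelector selector) { this.selector = Objects.requireNonNull(selector); }

    public AuthenticationResult login() {
        if (isLoggedIn()) {
            return AuthenticationResult.SUCCESS;
        }
        // Resume a deferred authenticator if there is one, otherwise ask the selector for a fresh one.
        Authenticator auth = (deferred != null) ? deferred : selector.getSelectedAuthenticator();
        deferred = null;
        auth.authenticate();
        switch (auth.getStatus()) {
            case SUCCESS:
                auth.postAuthenticate(); // hook for post-login work such as renewing the session id
                user = Objects.requireNonNull(auth.getUser(), "SUCCESS reported without a user");
                return AuthenticationResult.SUCCESS;
            case DEFERRED:
                deferred = auth; // still not logged in; the caller completes the step and calls login() again
                return AuthenticationResult.FAILED;
            case FAILURE:
            default:
                return AuthenticationResult.FAILED;
        }
    }

    public void logout() { user = null; deferred = null; }
    public boolean isLoggedIn() { return user != null; }
    public User getUser() { return user; }
}

/** Demo: an authenticator that defers on the first call and succeeds on the second. */
final class IdentityDemo {
    public static void main(String[] args) {
        Authenticator twoStep = new Authenticator() {
            private int calls;
            private AuthenticationStatus status;
            public void authenticate() {
                status = (++calls == 1) ? AuthenticationStatus.DEFERRED : AuthenticationStatus.SUCCESS;
            }
            public void postAuthenticate() { }
            public AuthenticationStatus getStatus() { return status; }
            public User getUser() {
                return status == AuthenticationStatus.SUCCESS ? new SimpleUser("demo") : null;
            }
        };
        Identity identity = new DefaultIdentity(() -> twoStep);
        System.out.println("first login: " + identity.login() + ", loggedIn=" + identity.isLoggedIn());
        System.out.println("second login: " + identity.login() + ", loggedIn=" + identity.isLoggedIn());
        identity.logout();
        System.out.println("after logout: loggedIn=" + identity.isLoggedIn());
    }
}
```

Mapping `DEFERRED` to `AuthenticationResult.FAILED` is forced by `Identity` exposing only `SUCCESS`/`FAILED`; the point is that `isLoggedIn()` stays false until the authenticator itself reports `SUCCESS`.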
Scenario
It should be possible to provide an optional password service that creates a password hash from the given password; the hash is stored instead of the real password.
Maybe there should be different default implementations (provided via qualifiers).
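As an added example of what such a default implementation could look like (this is not the project's code; the `PasswordHashService` interface name and the stored-hash format are assumptions made here), the following uses the JDK's PBKDF2-HMAC-SHA256 with a per-password random salt and stores the parameters alongside the hash so they can be raised later without breaking verification. The comparison uses `MessageDigest.isEqual`, which is constant-time, and the sample password is constructed for the demo.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical SPI for the page's "Password-Hash-Service". */
interface PasswordHashService {
    String hash(char[] password);
    boolean verify(char[] password, String storedHash);
}

/** One possible default implementation: salted PBKDF2-HMAC-SHA256 with a self-describing stored format. */
final class Pbkdf2PasswordHashService implements PasswordHashService {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final String PREFIX = "pbkdf2-sha256";
    private static final int ITERATIONS = 210_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private final SecureRandom random = new SecureRandom();

    public String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] derived = derive(password, salt, ITERATIONS);
        // Stored form: <prefix>$<iterations>$<base64 salt>$<base64 hash>
        return PREFIX + "$" + ITERATIONS + "$" + b64(salt) + "$" + b64(derived);
    }

    public boolean verify(char[] password, String storedHash) {
        String[] parts = storedHash.split("\\$");
        if (parts.length != 4 || !PREFIX.equals(parts[0])) {
            return false; // unknown format: refuse rather than guess
        }
        int iterations;
        try {
            iterations = Integer.parseInt(parts[1]);
        } catch (NumberFormatException e) {
            return false;
        }
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = derive(password, salt, iterations);
        try {
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } finally {
            Arrays.fill(actual, (byte) 0);
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        } finally {
            spec.clearPassword();
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        PasswordHashService service = new Pbkdf2PasswordHashService();
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample
        String stored = service.hash(password);
        System.out.println("stored: " + stored);
        System.out.println("correct password verifies: " + service.verify(password, stored));
        System.out.println("wrong password verifies: " + service.verify("wrong".toCharArray(), stored));
        Arrays.fill(password, '\0'); // callers should wipe the plaintext once it is no longer needed
    }
}
```

Taking `char[]` rather than `String` lets callers wipe the plaintext after use; the iteration count is embedded in the stored value so old hashes remain verifiable after the default is raised. Alternative defaults (e.g. a different KDF) would be further implementations selected via qualifiers, as the text suggests.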
...
```java
Group itsec = identityManager.createGroup("itsec", "/organization/engineering/security");
itsec.addRole("manager", "johnDoe");
Group hr = identityManager.createGroup("hr", "/organization");
hr.addRole("supervisor", "aliceDoe");
hr.addRole("headhunter", "chrisDoe");
// aliceDoe here is the User object for "aliceDoe"; how it is looked up is not specified on this page.
boolean isHeadHunter = aliceDoe.hasRole("headhunter");
List<User> headHunters = identityManager.createUserQuery().setRole("headhunter").sort(true).setRange(Range.of(0, 50)).execute();
```
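To give the sketch above concrete semantics, here is an added in-memory model (example code, not the project's API) in which a role is granted per group, `User.hasRole` is true if any group grants that role to the user, and the user query filters by role, sorts by id when `sort(true)` is given (this example's reading of that flag) and pages with a half-open `Range`. All names (`IdentityManager`, `Group`, `User`, `UserQuery`, `Range`) follow the sketch but their bodies are assumptions made here; the `main` replays the page's calls.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Paging window [from, from + size). */
final class Range {
    final int from;
    final int size;
    private Range(int from, int size) { this.from = from; this.size = size; }
    static Range of(int from, int size) { return new Range(from, size); }
}

/** A group sits at a path in the organization tree and records which users hold which role in it. */
final class Group {
    final String path;
    private final IdentityManager manager;
    private final Map<String, Set<String>> roleMembers = new HashMap<>(); // role -> user ids

    Group(String name, String parentPath, IdentityManager manager) {
        this.path = parentPath + "/" + name;
        this.manager = manager;
    }

    void addRole(String role, String userId) {
        manager.getUser(userId); // make sure the user is known to the manager
        roleMembers.computeIfAbsent(role, r -> new HashSet<>()).add(userId);
    }

    boolean hasRole(String role, String userId) {
        return roleMembers.getOrDefault(role, Collections.emptySet()).contains(userId);
    }
}

final class User {
    final String id;
    private final IdentityManager manager;
    User(String id, IdentityManager manager) { this.id = id; this.manager = manager; }

    /** A role is effective if any group grants it; roles are scoped by group, not global. */
    boolean hasRole(String role) {
        return manager.groups().stream().anyMatch(g -> g.hasRole(role, id));
    }
}

/** Fluent query mirroring createUserQuery().setRole(..).sort(..).setRange(..).execute(). */
final class UserQuery {
    private final IdentityManager manager;
    private String role;
    private boolean sortAscending;
    private Range range;

    UserQuery(IdentityManager manager) { this.manager = manager; }
    UserQuery setRole(String role) { this.role = role; return this; }
    UserQuery sort(boolean ascending) { this.sortAscending = ascending; return this; }
    UserQuery setRange(Range range) { this.range = range; return this; }

    List<User> execute() {
        Stream<User> users = manager.users().stream();
        if (role != null) users = users.filter(u -> u.hasRole(role));
        if (sortAscending) users = users.sorted((a, b) -> a.id.compareTo(b.id));
        if (range != null) users = users.skip(range.from).limit(range.size);
        return users.collect(Collectors.toList());
    }
}

final class IdentityManager {
    private final Map<String, Group> groups = new LinkedHashMap<>(); // keyed by full path
    private final Map<String, User> users = new LinkedHashMap<>();

    Group createGroup(String name, String parentPath) {
        Group group = new Group(name, parentPath, this);
        groups.put(group.path, group);
        return group;
    }
    User getUser(String id) { return users.computeIfAbsent(id, i -> new User(i, this)); }
    UserQuery createUserQuery() { return new UserQuery(this); }
    Collection<Group> groups() { return groups.values(); }
    Collection<User> users() { return users.values(); }

    public static void main(String[] args) {
        IdentityManager identityManager = new IdentityManager();
        Group itsec = identityManager.createGroup("itsec", "/organization/engineering/security");
        itsec.addRole("manager", "johnDoe");
        Group hr = identityManager.createGroup("hr", "/organization");
        hr.addRole("supervisor", "aliceDoe");
        hr.addRole("headhunter", "chrisDoe");
        User aliceDoe = identityManager.getUser("aliceDoe");
        System.out.println("aliceDoe has headhunter: " + aliceDoe.hasRole("headhunter"));
        List<User> headHunters = identityManager.createUserQuery()
                .setRole("headhunter").sort(true).setRange(Range.of(0, 50)).execute();
        headHunters.forEach(u -> System.out.println("headhunter: " + u.id));
    }
}
```

Keeping role membership inside the group (rather than on the user) is what makes "type-safe groups" and per-group role semantics from the feature tables possible later; a global `hasRole` then has to be defined explicitly as "granted by any group", as done here.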
Scenario
The application needs to expose capabilities to associate an authenticated user with specific roles in the application context.
...