...

Code Block
import java.io.Serializable;

// Application-facing API: the login state of the current user (session-scoped, hence Serializable).
public interface Identity extends Serializable
{
    public enum AuthenticationResult
    {
        SUCCESS, FAILED
    }

    // Runs the configured Authenticator and reports whether the user is now logged in.
    AuthenticationResult login();

    void logout();

    boolean isLoggedIn();

    // The authenticated user; only meaningful while isLoggedIn() is true.
    User getUser();
}

...

Code Block
public interface AuthenticatorSelector
{
    Class<? extends Authenticator> getAuthenticatorClass();

    void setAuthenticatorClass(Class<? extends Authenticator> authenticatorClass);

    String getAuthenticatorName();

    void setAuthenticatorName(String authenticatorName);
    
    Authenticator getSelectedAuthenticator();
}

...

Code Block
public interface Authenticator
{
    public enum AuthenticationStatus 
    {
        SUCCESS, FAILURE, DEFERRED
    }

    void authenticate();

    void postAuthenticate();

    AuthenticationStatus getStatus();

    User getUser();
}

Code Block
// Convenience base class for Authenticator implementations: holds the status and the
// user that authenticate() produced, so subclasses only implement the check itself.
public abstract class BaseAuthenticator implements Authenticator
{
    private AuthenticationStatus status;
    private User user;

    public AuthenticationStatus getStatus()
    {
        return status;
    }

    protected void setStatus(AuthenticationStatus status)
    {
        this.status = status;
    }

    public User getUser()
    {
        return user;
    }

    // Subclasses set the user after a successful authenticate().
    protected void setUser(User user)
    {
        this.user = user;
    }

    public void postAuthenticate()
    {
        // No-op, override if any post-authentication processing is required.
    }
}
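As an added example (not code from this page or from the project it describes), the following session-scoped Identity shows how the API and SPI above fit together: it asks the AuthenticatorSelector for the Authenticator, runs it, maps AuthenticationStatus to AuthenticationResult, and only stores the user after a SUCCESS that actually produced one. DEFERRED (an external round trip still pending) leaves the identity unauthenticated, so it is reported as FAILED until a later login() completes. The User type and the CDI annotations are assumptions; the page does not define them.

```java
import javax.enterprise.context.SessionScoped;
import javax.inject.Inject;

// Added example: a default Identity built on the Identity, Authenticator and
// AuthenticatorSelector interfaces above. User is assumed to be the page's user type.
@SessionScoped
public class DefaultIdentity implements Identity
{
    private static final long serialVersionUID = 1L;

    @Inject
    private AuthenticatorSelector authenticatorSelector;

    // Null until a login succeeds; cleared again by logout().
    private User user;

    @Override
    public AuthenticationResult login()
    {
        Authenticator authenticator = authenticatorSelector.getSelectedAuthenticator();
        if (authenticator == null)
        {
            // No authenticator configured: fail closed rather than assume success.
            return AuthenticationResult.FAILED;
        }

        authenticator.authenticate();

        Authenticator.AuthenticationStatus status = authenticator.getStatus();
        if (status != Authenticator.AuthenticationStatus.SUCCESS)
        {
            // FAILURE, DEFERRED, or a status the authenticator never set: the identity
            // stays unauthenticated. Only an explicit SUCCESS logs the user in.
            return AuthenticationResult.FAILED;
        }

        User authenticated = authenticator.getUser();
        if (authenticated == null)
        {
            // SUCCESS without a user breaks the SPI contract; treat it as a failure.
            return AuthenticationResult.FAILED;
        }

        // Post-processing (audit, loading roles, ...) runs before the user becomes visible
        // to the rest of the application through getUser().
        authenticator.postAuthenticate();
        this.user = authenticated;
        return AuthenticationResult.SUCCESS;
    }

    @Override
    public void logout()
    {
        this.user = null;
    }

    @Override
    public boolean isLoggedIn()
    {
        return user != null;
    }

    @Override
    public User getUser()
    {
        return user;
    }
}
```

The two null checks are the point of the example: an Authenticator that forgets to call setStatus() or setUser() must not log anybody in, so the Identity treats anything other than an explicit SUCCESS with a user as a failed login.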

...

| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Login via Username/Password | | | yes |
| Logout | | | yes |
| Authentication API and SPI | Credentials vs Credential (one of them needs a better name) | | yes |
| Basic User/Identity API | | | yes |
| Duration of a valid authentication | ExpirationEvaluator SPI | | |
| Password-Hash-Service | | | |

Part 2

| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Object level permission | | | |
| Grant or revoke permissions | | | |
| Basic Roles and groups API | optional type-safe (-> static) groups (and roles) | | |
| @SecurityMethodBinding | | | |
| Super-users | | | |
| User/Identity management | | | |
| Password-Hash-Service | | | |
| Group management | optional support for type-safe groups/group-types | | |

...

| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Support for deputies (see Impersonalization) | | | |
| Privileges concept (grant or revoke permissions) | | | |
| UI SPI (Component based authorization) | add optional type-safe authorization; integration with JSF | | |
| Permissions of resources | Merge with CODI view-configs, ... | | |
| Persistence SPI | integration with JPA | | |
| Identity Store SPI | | | |
| Query API | | | |
| Application roles | | | |

...

| Feature | Comments | Objections | Discussion finished |
|---|---|---|---|
| Support of alternative authentication concepts | Extend the Authentication SPI | | |
| Integration with authentication concepts of (application-) servers | Extend the Authentication SPI | | |
| Personalization | | | |
| Alternatives for roles/groups | | | |
| Permission for external applications | | | |

...

Use-cases

Authentication

Scenario

...

Example JSF code:

Code Block (xml)
Username: <h:inputText value="#{credentials.username}"/>
Password: <h:inputSecret id="password" value="#{credentials.password}"/>
<h:commandButton value="LOGIN" action="#{identity.login}"/>

...

Code Block
import javax.inject.Inject;

// Demo authenticator for the scenario above: accepts only the fixed pair demo/demo.
// The password comparison here is a stand-in for a lookup against the identity store.
public class SimpleAuthenticator extends BaseAuthenticator implements Authenticator {
    @Inject Credentials credentials;

    @Override
    public void authenticate() {
        if ("demo".equals(credentials.getUsername()) &&
                credentials.getCredential() instanceof PasswordCredential &&
                "demo".equals(((PasswordCredential) credentials.getCredential()).getValue())) {
            setStatus(AuthenticationStatus.SUCCESS);
            setUser(new SimpleUser("demo"));
        } else {
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}

Scenario

It should be possible to provide an optional password service that creates a password hash from the given password; the hash is stored instead of the real password.
Maybe there should be different default implementations (provided via qualifiers).
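An added example of such a password-hash service (not the page's or the project's code): a PBKDF2-HMAC-SHA256 implementation with a random per-password salt, an iteration count stored alongside the hash, and a constant-time comparison on verification, so everything needed to check a password later lives in one self-describing string and the clear-text password is never stored. The PasswordHashService interface is an assumed shape; with CDI, this class would be one of several implementations distinguished by a qualifier, as the text suggests.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Assumed SPI shape for the optional password service discussed above.
interface PasswordHashService
{
    String hash(char[] password);

    boolean verify(char[] password, String storedHash);
}

// Added example implementation. What gets stored is "pbkdf2$<iterations>$<salt>$<hash>"
// (salt and hash Base64-encoded), never the password itself.
public class Pbkdf2PasswordHashService implements PasswordHashService
{
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    // OWASP's current guidance for PBKDF2-HMAC-SHA256; tune upward as hardware allows.
    private static final int ITERATIONS = 600_000;

    private final SecureRandom random = new SecureRandom();

    @Override
    public String hash(char[] password)
    {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] derived = derive(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(derived);
    }

    @Override
    public boolean verify(char[] password, String storedHash)
    {
        String[] parts = storedHash == null ? new String[0] : storedHash.split("\\$");
        if (parts.length != 4 || !"pbkdf2".equals(parts[0]))
        {
            return false; // unknown or damaged format: fail closed
        }
        int iterations;
        byte[] salt;
        byte[] expected;
        try
        {
            iterations = Integer.parseInt(parts[1]);
            salt = Base64.getDecoder().decode(parts[2]);
            expected = Base64.getDecoder().decode(parts[3]);
        }
        catch (IllegalArgumentException e)
        {
            return false;
        }
        if (iterations < 1)
        {
            return false;
        }
        // The iteration count comes from the stored record, so old hashes keep verifying
        // after ITERATIONS is raised for newly stored passwords.
        byte[] actual = derive(password, salt, iterations);
        // Constant-time comparison: a mismatch position must not leak through timing.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations)
    {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try
        {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        }
        catch (GeneralSecurityException e)
        {
            throw new IllegalStateException("PBKDF2 unavailable in this JRE", e);
        }
        finally
        {
            spec.clearPassword(); // drop the spec's own copy of the password
        }
    }

    // Constructed sample run: store a hash, then verify a right and a wrong password.
    public static void main(String[] args)
    {
        PasswordHashService service = new Pbkdf2PasswordHashService();
        String stored = service.hash("demo".toCharArray());
        System.out.println(stored);
        System.out.println(service.verify("demo".toCharArray(), stored));
        System.out.println(service.verify("wrong".toCharArray(), stored));
    }
}
```

An Authenticator built on this service would replace the literal comparison in SimpleAuthenticator with a call to verify(password, storedHash), so the identity store only ever holds the output of hash().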

...

Code Block
// Groups live under a path; roles are granted to users within a group.
Group itsec = identityManager.createGroup("itsec", "/organization/engineering/security");
itsec.addRole("manager", "johnDoe");
Group hr = identityManager.createGroup("hr", "/organization");
hr.addRole("supervisor", "aliceDoe");
hr.addRole("headhunter", "chrisDoe");
// aliceDoe here is the User object of the "aliceDoe" account granted a role above.
aliceDoe.hasRole("headhunter");
List<User> headHunters = identityManager.createUserQuery().setRole("headhunter").sort(true).setRange(Range.of(0, 50)).execute();

Scenario

The application needs to expose capabilities to associate an authenticated user with specific roles in the application context.
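The following is an added example (not the page's or the project's code) that gives the group/role snippet above and this scenario a working in-memory implementation: roles are granted per group, a user can be asked for a role either in any group or in one specific group, and the query builder filters by role before sorting and paging. Group, Range, UserQuery, and the reading of createGroup's second argument as the parent path are assumptions; the page does not define them.

```java
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Added example: an in-memory identity manager with the shape the page's snippet implies.
public class InMemoryIdentityManager {

    public static final class User {
        private final String name;
        // Roles are granted per group (keyed by group path), never globally.
        private final Map<String, Set<String>> rolesByGroupPath = new HashMap<>();

        User(String name) { this.name = name; }
        public String getName() { return name; }

        // "Does this user hold the role in any group?" (what the page's hasRole(role) suggests).
        public boolean hasRole(String role) {
            return rolesByGroupPath.values().stream().anyMatch(roles -> roles.contains(role));
        }

        // The group-scoped form is the one an authorization check should normally use.
        public boolean hasRole(String role, Group group) {
            return rolesByGroupPath.getOrDefault(group.getPath(), Collections.emptySet()).contains(role);
        }
    }

    public final class Group {
        private final String name;
        private final String parentPath;

        Group(String name, String parentPath) { this.name = name; this.parentPath = parentPath; }

        public String getPath() { return ("/".equals(parentPath) ? "" : parentPath) + "/" + name; }

        // Granting a role creates the user entry on first sight, as the page's snippet assumes.
        public void addRole(String role, String userName) {
            User user = users.computeIfAbsent(userName, User::new);
            user.rolesByGroupPath.computeIfAbsent(getPath(), k -> new HashSet<>()).add(role);
        }
    }

    public static final class Range {
        final int offset, limit;
        private Range(int offset, int limit) { this.offset = offset; this.limit = limit; }

        public static Range of(int offset, int limit) {
            if (offset < 0 || limit < 0) throw new IllegalArgumentException("range must be non-negative");
            return new Range(offset, limit);
        }
    }

    public final class UserQuery {
        private String role;
        private boolean ascending = true;
        private Range range = Range.of(0, Integer.MAX_VALUE);

        public UserQuery setRole(String role) { this.role = role; return this; }
        public UserQuery sort(boolean ascending) { this.ascending = ascending; return this; }
        public UserQuery setRange(Range range) { this.range = range; return this; }

        // Filter by role, order by name, then page; this order keeps paging stable across calls.
        public List<User> execute() {
            Comparator<User> byName = Comparator.comparing(User::getName);
            return users.values().stream()
                    .filter(u -> role == null || u.hasRole(role))
                    .sorted(ascending ? byName : byName.reversed())
                    .skip(range.offset)
                    .limit(range.limit)
                    .collect(Collectors.toList());
        }
    }

    private final Map<String, User> users = new LinkedHashMap<>();
    private final Map<String, Group> groups = new LinkedHashMap<>();

    public Group createGroup(String name, String parentPath) {
        if (name.isEmpty() || name.contains("/") || !parentPath.startsWith("/")) {
            throw new IllegalArgumentException("bad group name or parent path: " + name + ", " + parentPath);
        }
        Group group = new Group(name, parentPath);
        if (groups.putIfAbsent(group.getPath(), group) != null) {
            throw new IllegalArgumentException("group already exists: " + group.getPath());
        }
        return group;
    }

    public User getUser(String name) { return users.get(name); }
    public UserQuery createUserQuery() { return new UserQuery(); }

    // Constructed sample data mirroring the page's snippet.
    public static void main(String[] args) {
        InMemoryIdentityManager identityManager = new InMemoryIdentityManager();
        Group itsec = identityManager.createGroup("itsec", "/organization/engineering/security");
        itsec.addRole("manager", "johnDoe");
        Group hr = identityManager.createGroup("hr", "/organization");
        hr.addRole("supervisor", "aliceDoe");
        hr.addRole("headhunter", "chrisDoe");
        User aliceDoe = identityManager.getUser("aliceDoe");
        System.out.println("aliceDoe headhunter? " + aliceDoe.hasRole("headhunter")); // her hr role is supervisor
        System.out.println("aliceDoe supervisor in hr? " + aliceDoe.hasRole("supervisor", hr));
        List<User> headHunters = identityManager.createUserQuery()
                .setRole("headhunter").sort(true).setRange(Range.of(0, 50)).execute();
        headHunters.forEach(u -> System.out.println("headhunter: " + u.getName()));
    }
}
```

The two hasRole overloads make the design question behind "Basic Roles and groups API" concrete: the unscoped form answers "anywhere", while a permission check on a resource owned by one group should use the group-scoped form so a role granted in another branch of the hierarchy does not leak across.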

...