Hi Pedro,
Thanks for your comments. Please see inline.
With Regards,
Alex
On 9/29/15 5:18 PM, Pedro Igor Silva wrote:
> Hi Alex,
>
> Regarding the javax.security.identitystore.IdentityStore interface.
>
> From the comments, I understand that this interface is an entry-point for validating credentials and obtaining the attributes for a given identity or caller. However, it seems that I can only obtain roles and groups from it. Even javax.security.identitystore.CredentialValidationResult, which is a result of javax.security.identitystore.IdentityStore#validate, only provides the roles and groups of the caller.
[Alex] My understanding is that it is the Expert Group's view that we
should initially standardize the simplest IdentityStore. One that is
read only and only serves as needed for the authentication mechanism.
That is the javax.security.identitystore.IdentityStore interface.
The javax.security.identitystore.query package expands the query
capability of the IdentityStore, if the optional interfaces are
implemented.
>
> I've noticed that there is a javax.security.identitystore.query.CallerStore, which does provide a javax.security.identitystore.query.CallerStore#getCallerAttributes that I can use to obtain other attributes or claims for a given caller. What makes me think that I need to use an instance of this interface in order to obtain other attributes, is that it ?
[Alex] Yes, but the interface is optional, so the implementation is only
available if the IdentityStore implements it. My understanding was that
we wanted these sort of "administrative" interfaces optional, because an
application developer would already be using standard database or LDAP
interfaces to administer this identity data.
I think the thought was to first standardize the most basic, but useful,
IdentityStore.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Alex Kosowski"<alex.kosowski_at_oracle.com>
> To: jsr375-experts_at_javaee-security-spec.java.net
> Sent: Tuesday, September 29, 2015 2:42:21 AM
> Subject: [jsr375-experts] Read-Only Identity Store Proposal
>
> Hi Volunteers,
>
> I would like to submit for your review a third iteration of the JSR 375
> Identity Store. I think this version is simpler than the previous
> iterations, and incorporates the latest comments.
>
> Features:
> 1. Follows the simple model: Credentials in -> Caller, groups, roles out
> 2. The IdentityStore is read only, no create/update/delete for callers,
> groups, roles or credentials
> 3. Caller, Groups and Roles are just Strings, and are searchable by
> regular expression
> 4. Credential support is extendable by using CDI Qualifiers to annotate
> a CredentialValidator implementation
> 5. Standardized support for credentials, including Username/Password,
> Basic Authentication, Token
> 6. Standardized support for persistence mechanisms, including file,
> LDAP, database, and a JAAS adapter
>
> Here is a usage case example:
>
> @Inject
> IdentityStore idStore;
>
> // For example, in a JASPIC SAM...
> String caller = null;
> List<String> groups = null;
> List<String> roles = null;
> CredentialValidationResult result;
> Credential cred;
>
> cred = new UsernamePasswordCredential("john",new Password("secret"));
> result = idStore.validate(cred);
> if (Status.VALID == result.getStatus()) {
> // authentication was successful
> caller = result.getCallerName();
> groups = result.getCallerGroups();
> roles = result.getCallerRoles();
>
> // Callback JASPIC
> } else {
> // Invalid or not validated
> }
>
> I completely rewrote the Proof of Concept (POC) from the previous
> iteration and updated the proposal design doc. Let's discuss any issues
> you may have with this design.
>
> Please comment on this proposal Google doc:
> https://docs.google.com/document/d/1xMa32W73gPYYo53wRX60WasDDTuC7YFlI0XBm3dRym8/edit?usp=sharing
>
> The proposal Google doc should be open for comments by anyone on the
> jsr375-experts_at_googlegroups.com Google group. If you are having trouble
> commenting, please let me know. To comment, click the Comments button on
> the top right of the document.
>
> Here is the POC in the GitHub Proposal Repo:
> https://github.com/javaee-security-spec/javaee-security-proposals/tree/master/identity-store-readonly
>
> Note that the DatabaseIdentityStore in the POC is without an
> implementation because I ran out of time.
>
> Here is the generated JavaDoc:
> https://javaee-security-spec.java.net/
>
> What do you think? Once we come to a consensus for an acceptable
> Identity Store API design, the proposal will become the basis for the
> Identity Store section of the spec.
>
> With regards,
> Alex
>