users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Read-Only Identity Store Proposal

From: Alex Kosowski <alex.kosowski_at_oracle.com>
Date: Tue, 29 Sep 2015 01:42:21 -0400

Hi Volunteers,

I would like to submit for your review a third iteration of the JSR 375
Identity Store. I think this version is simpler than the previous
iterations, and incorporates the latest comments.

Features:
1. Follows the simple model: Credentials in -> Caller, groups, roles out
2. The IdentityStore is read only, no create/update/delete for callers,
groups, roles or credentials
3. Caller, Groups and Roles are just Strings, and are searchable by
regular expression
4. Credential support is extendable by using CDI Qualifiers to annotate
a CredentialValidator implementation
5. Standardized support for credentials, including Username/Password,
Basic Authentication, Token
6. Standardized support for persistence mechanisms, including file,
LDAP, database, and a JAAS adapter

Here is a usage case example:

@Inject
IdentityStore idStore;

// For example, in a JASPIC SAM...
String caller = null;
List<String> groups = null;
List<String> roles = null;
CredentialValidationResult result;
Credential cred;

cred = new UsernamePasswordCredential("john",new Password("secret"));
result = idStore.validate(cred);
if (Status.VALID == result.getStatus()) {
     // authentication was successful
     caller = result.getCallerName();
     groups = result.getCallerGroups();
     roles = result.getCallerRoles();

     // Callback JASPIC
} else {
     // Invalid or not validated
}

I completely rewrote the Proof of Concept (POC) from the previous
iteration and updated the proposal design doc. Let's discuss any issues
you may have with this design.

Please comment on this proposal Google doc:
https://docs.google.com/document/d/1xMa32W73gPYYo53wRX60WasDDTuC7YFlI0XBm3dRym8/edit?usp=sharing

The proposal Google doc should be open for comments by anyone on the
jsr375-experts_at_googlegroups.com Google group. If you are having trouble
commenting, please let me know. To comment, click the Comments button on
the top right of the document.

Here is the POC in the GitHub Proposal Repo:
https://github.com/javaee-security-spec/javaee-security-proposals/tree/master/identity-store-readonly

Note that the DatabaseIdentityStore in the POC is without an
implementation because I ran out of time.

Here is the generated JavaDoc:
https://javaee-security-spec.java.net/

What do you think? Once we come to a consensus for an acceptable
Identity Store API design, the proposal will become the basis for the
Identity Store section of the spec.

With regards,
Alex