users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Read-Only Identity Store Proposal

From: Pedro Igor Silva <psilva_at_redhat.com>
Date: Tue, 29 Sep 2015 17:18:52 -0400 (EDT)

Hi Alex,

    Regarding the javax.security.identitystore.IdentityStore interface.

    From the comments, I understand that this interface is an entry-point for validating credentials and obtaining the attributes for a given identity or caller. However, it seems that I can only obtain roles and groups from it. Even javax.security.identitystore.CredentialValidationResult, which is a result of javax.security.identitystore.IdentityStore#validate, only provides the roles and groups of the caller.

    I've noticed that there is a javax.security.identitystore.query.CallerStore, which does provide a javax.security.identitystore.query.CallerStore#getCallerAttributes that I can use to obtain other attributes or claims for a given caller. What makes me think that I need to use an instance of this interface in order to obtain other attributes, is that it ?

Regards.
Pedro Igor

----- Original Message -----
From: "Alex Kosowski" <alex.kosowski_at_oracle.com>
To: jsr375-experts_at_javaee-security-spec.java.net
Sent: Tuesday, September 29, 2015 2:42:21 AM
Subject: [jsr375-experts] Read-Only Identity Store Proposal

Hi Volunteers,

I would like to submit for your review a third iteration of the JSR 375
Identity Store. I think this version is simpler than the previous
iterations, and incorporates the latest comments.

Features:
1. Follows the simple model: Credentials in -> Caller, groups, roles out
2. The IdentityStore is read only, no create/update/delete for callers,
groups, roles or credentials
3. Caller, Groups and Roles are just Strings, and are searchable by
regular expression
4. Credential support is extendable by using CDI Qualifiers to annotate
a CredentialValidator implementation
5. Standardized support for credentials, including Username/Password,
Basic Authentication, Token
6. Standardized support for persistence mechanisms, including file,
LDAP, database, and a JAAS adapter

Here is a usage case example:

import java.util.List;
import javax.inject.Inject;
import javax.security.identitystore.CredentialValidationResult;
import javax.security.identitystore.IdentityStore;
// Credential, UsernamePasswordCredential, Password and Status are the POC's
// credential/result types; import them from the POC packages as well.

public class SamAuthenticationExample {   // hypothetical class name for the snippet

    @Inject
    IdentityStore idStore;

    // For example, in a JASPIC SAM...
    void validateCaller() {
        String caller = null;
        List<String> groups = null;
        List<String> roles = null;
        CredentialValidationResult result;
        Credential cred;

        // The password is wrapped in the POC's Password type, not passed as a String.
        cred = new UsernamePasswordCredential("john", new Password("secret"));
        result = idStore.validate(cred);
        if (Status.VALID == result.getStatus()) {
            // authentication was successful
            caller = result.getCallerName();
            groups = result.getCallerGroups();
            roles = result.getCallerRoles();

            // Callback JASPIC
        } else {
            // Invalid or not validated
        }
    }
}

I completely rewrote the Proof of Concept (POC) from the previous
iteration and updated the proposal design doc. Let's discuss any issues
you may have with this design.

Please comment on this proposal Google doc:
https://docs.google.com/document/d/1xMa32W73gPYYo53wRX60WasDDTuC7YFlI0XBm3dRym8/edit?usp=sharing

The proposal Google doc should be open for comments by anyone on the
jsr375-experts_at_googlegroups.com Google group. If you are having trouble
commenting, please let me know. To comment, click the Comments button on
the top right of the document.

Here is the POC in the GitHub Proposal Repo:
https://github.com/javaee-security-spec/javaee-security-proposals/tree/master/identity-store-readonly

Note that the DatabaseIdentityStore in the POC is without an
implementation because I ran out of time.

Here is the generated JavaDoc:
https://javaee-security-spec.java.net/

What do you think? Once we come to a consensus for an acceptable
Identity Store API design, the proposal will become the basis for the
Identity Store section of the spec.

With regards,
Alex
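To make the "Credentials in -> Caller, groups, roles out" model concrete, here is an added, stand-alone Java sketch of a read-only identity store. It is editorial example code, not the JSR 375 POC and not the author's; every class name in it (ReadOnlyIdentityStoreSketch, UsernamePasswordCredential, ValidationResult, Account, Status) is invented for illustration, the salted-PBKDF2 storage is an assumption the proposal does not make, and the accounts are constructed sample data. It shows the three outcomes a SAM has to distinguish (VALID, INVALID, and NOT_VALIDATED for a credential type the store has no validator for), a read-only store that is populated once and never mutated, and the regex search over caller names from feature 3.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Stand-alone sketch of "credentials in -> caller, groups, roles out" over a read-only store.
// Every class name here is invented for illustration; none is a JSR 375 POC type.
public class ReadOnlyIdentityStoreSketch {

    enum Status { VALID, INVALID, NOT_VALIDATED }

    /** Marker for anything a caller may present. */
    interface Credential {}

    static final class UsernamePasswordCredential implements Credential {
        final String callerName;
        final char[] password;
        UsernamePasswordCredential(String n, char[] p) { callerName = n; password = p; }
    }

    static final class ValidationResult {
        final Status status;
        final String callerName;           // null unless status == VALID
        final List<String> groups, roles;  // empty unless status == VALID
        ValidationResult(Status s, String c, List<String> g, List<String> r) {
            status = s; callerName = c;
            groups = Collections.unmodifiableList(new ArrayList<>(g));
            roles = Collections.unmodifiableList(new ArrayList<>(r));
        }
    }

    /** Stored record: salted PBKDF2 hash plus memberships, never the password itself. */
    static final class Account {
        final byte[] salt, hash;
        final List<String> groups, roles;
        Account(byte[] s, byte[] h, List<String> g, List<String> r) { salt = s; hash = h; groups = g; roles = r; }
    }

    private static final int PBKDF2_ITERATIONS = 100_000;  // assumed work factor for the demo
    private static final SecureRandom RNG = new SecureRandom();
    private static final byte[] DUMMY_SALT = new byte[16]; // used when the caller is unknown

    /** Read-only: copied at construction and never modified afterwards. */
    private final Map<String, Account> accounts;
    ReadOnlyIdentityStoreSketch(Map<String, Account> seed) {
        accounts = Collections.unmodifiableMap(new HashMap<>(seed));
    }

    /** What a provisioning tool would do: hash the password once, then discard it. */
    static Account account(char[] password, List<String> groups, List<String> roles) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Account a = new Account(salt, pbkdf2(password, salt), groups, roles);
        Arrays.fill(password, '\0');
        return a;
    }

    ValidationResult validate(Credential cred) {
        List<String> none = Collections.emptyList();
        if (!(cred instanceof UsernamePasswordCredential)) {
            // No validator for this credential type: report NOT_VALIDATED, not INVALID.
            return new ValidationResult(Status.NOT_VALIDATED, null, none, none);
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) cred;
        Account acct = accounts.get(upc.callerName);
        // Run the KDF and a constant-time compare even for unknown names, so an unknown
        // caller costs the same as a wrong password and names cannot be enumerated by timing.
        byte[] computed = pbkdf2(upc.password, acct != null ? acct.salt : DUMMY_SALT);
        Arrays.fill(upc.password, '\0');
        boolean ok = acct != null && MessageDigest.isEqual(computed, acct.hash);
        return ok ? new ValidationResult(Status.VALID, upc.callerName, acct.groups, acct.roles)
                  : new ValidationResult(Status.INVALID, null, none, none);
    }

    /** Caller names are plain strings searchable by regular expression (feature 3). */
    List<String> findCallers(String regex) {
        Pattern p = Pattern.compile(regex);
        List<String> hits = new ArrayList<>();
        for (String name : accounts.keySet()) if (p.matcher(name).matches()) hits.add(name);
        Collections.sort(hits);
        return hits;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample accounts; populated once, after which the store is read-only.
        Map<String, Account> seed = new HashMap<>();
        seed.put("john", account("secret".toCharArray(), Arrays.asList("users"), Arrays.asList("admin")));
        seed.put("jane", account("hunter2".toCharArray(), Arrays.asList("users"), Arrays.asList("viewer")));
        ReadOnlyIdentityStoreSketch store = new ReadOnlyIdentityStoreSketch(seed);
        ValidationResult r = store.validate(new UsernamePasswordCredential("john", "secret".toCharArray()));
        System.out.println(r.status + " caller=" + r.callerName + " groups=" + r.groups + " roles=" + r.roles);
        System.out.println(store.validate(new UsernamePasswordCredential("john", "wrong".toCharArray())).status);
        System.out.println(store.validate(new UsernamePasswordCredential("nobody", "x".toCharArray())).status);
        System.out.println(store.validate(new Credential() {}).status);  // unsupported credential type
        System.out.println(store.findCallers("j.*"));
    }
}
```

The `instanceof` dispatch stands in for feature 4's CDI-qualified CredentialValidator lookup: a credential type with no validator must come back as NOT_VALIDATED so the SAM's `else` branch ("Invalid or not validated") can tell a misconfiguration apart from a bad password. The result object carries only the caller name, groups and roles, which is exactly the shape of CredentialValidationResult in the proposal; anything beyond that (other attributes or claims) is outside what this model returns.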