users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Named identity stores or have only one activated?

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 12 Oct 2015 01:35:57 +0200

Hi,

In order to select a specific identity store to be used in an
application for a specific authentication mechanism, some kind of
approach has to be thought of. Given that this approach should
preferably be based on CDI, there are at least the following 2
options:

1. Identity stores are named. Authentication mechanisms (e.g. FORM)
are configured with such a name and, when they execute, look up the
identity store by this configured name. This is roughly equivalent to
how some servers now use the <realm> element in web.xml.

2. Identity stores are always @Alternative. The alternative identity
store to be used has to be selected in beans.xml. Authentication
mechanisms (e.g. FORM) look up the one and only identity store
implementation that's active for the application.

3. Identity stores are NOT @Alternative. The standard identity stores
are not added by the runtime (via a CDI extension) as beans by
default, but only conditionally if a metadata annotation is present on
a "random class" (e.g. just like @DataSourceDefinition works today).
Applications can instead define one implementation directly.
Authentication mechanisms again look up the one and only
implementation.

Do note that:

* The approach has to handle default identity store implementations
shipped with Java EE as well as custom implementations provided by the
user.


Thoughts?

Kind regards,
Arjan Tijms
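Added illustration, not part of Arjan's message and not the JSR 375 API: a sketch of options 2 and 3 above using hypothetical types (IdentityStore, InMemoryIdentityStore, LdapIdentityStore, @LdapIdentityStoreDefinition, FormAuthenticationMechanism). It assumes CDI 2.0's BeanConfigurator for the extension in option 3 (CDI 1.1 would need a hand-written Bean implementation), and the in-memory user table is constructed demo data. The mechanism resolves "the one and only" store through Instance<IdentityStore> and fails closed when zero or several stores are active, which is the check a practitioner wants regardless of which option the spec picks.

```java
// Added example, not from the original message or JSR 375. Hypothetical types throughout.
package example;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Map;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.Alternative;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.Vetoed;
import javax.enterprise.inject.spi.AfterBeanDiscovery;
import javax.enterprise.inject.spi.DefinitionException;
import javax.enterprise.inject.spi.Extension;
import javax.enterprise.inject.spi.ProcessAnnotatedType;
import javax.enterprise.inject.spi.WithAnnotations;
import javax.inject.Inject;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

/** Hypothetical store contract: returns the caller name on success, null on rejection. */
interface IdentityStore {
    String validate(String caller, char[] password);
}

/* ---- Option 2: every store is @Alternative and beans.xml activates exactly one ----
 * WEB-INF/beans.xml:
 *   <beans bean-discovery-mode="all">
 *     <alternatives><class>example.InMemoryIdentityStore</class></alternatives>
 *   </beans>
 * Without an <alternatives> entry no store is a candidate and injection is unsatisfied. */
@Alternative
@ApplicationScoped
class InMemoryIdentityStore implements IdentityStore {
    private static final byte[] DUMMY = new byte[0];
    // Constructed demo data; a real store holds salted password hashes, not plaintext.
    private final Map<String, byte[]> users =
            Collections.singletonMap("alice", "s3cret".getBytes(StandardCharsets.UTF_8));

    @Override
    public String validate(String caller, char[] password) {
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        // Compare even for unknown callers, in constant time, so timing does not reveal valid names.
        boolean match = MessageDigest.isEqual(users.getOrDefault(caller, DUMMY), given);
        return match && users.containsKey(caller) ? caller : null;
    }
}

/* ---- Option 3: the standard store becomes a bean only if its definition annotation is present ---- */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface LdapIdentityStoreDefinition {
    String url();
    String baseDn();
}

/** @Vetoed: never discovered as a bean; only the extension below registers it. */
@Vetoed
class LdapIdentityStore implements IdentityStore {
    private final String url, baseDn;
    LdapIdentityStore(String url, String baseDn) { this.url = url; this.baseDn = baseDn; }

    @Override
    public String validate(String caller, char[] password) {
        // An empty password turns a simple bind into an anonymous bind, which many
        // directories accept: reject it before contacting the server.
        if (caller == null || password == null || password.length == 0) return null;
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Rdn.escapeValue stops a caller name like "x,ou=admins" from rewriting the bind DN.
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + Rdn.escapeValue(caller) + "," + baseDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialDirContext(env).close();   // bind succeeded
            return caller;
        } catch (NamingException e) {
            return null;                          // bad credentials or unreachable directory: fail closed
        }
    }
}

/** Listed in META-INF/services/javax.enterprise.inject.spi.Extension. */
class IdentityStoreExtension implements Extension {
    private LdapIdentityStoreDefinition definition;

    void collect(@Observes @WithAnnotations(LdapIdentityStoreDefinition.class) ProcessAnnotatedType<?> pat) {
        if (definition != null) {
            throw new DefinitionException("more than one @LdapIdentityStoreDefinition in the application");
        }
        definition = pat.getAnnotatedType().getAnnotation(LdapIdentityStoreDefinition.class);
    }

    void register(@Observes AfterBeanDiscovery abd) {
        if (definition == null) return;   // no definition: the LDAP store is simply not a bean
        abd.addBean()
           .types(IdentityStore.class, Object.class)
           .scope(ApplicationScoped.class)
           .produceWith(inst -> new LdapIdentityStore(definition.url(), definition.baseDn()));
    }
}

/** The mechanism looks up the one active store (options 2 and 3) and fails closed otherwise. */
@ApplicationScoped
class FormAuthenticationMechanism {
    @Inject
    private Instance<IdentityStore> stores;

    public String authenticate(String caller, char[] password) {
        if (stores.isUnsatisfied()) throw new IllegalStateException("no IdentityStore is active");
        if (stores.isAmbiguous())   throw new IllegalStateException("several IdentityStores are active; select exactly one");
        return stores.get().validate(caller, password);
    }
}
```

In option 2 the choice lives in beans.xml, so a second <class> entry would make the injection ambiguous; in option 3 a second @LdapIdentityStoreDefinition is caught by the extension at deployment time. Either way the mechanism never picks a store silently.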