users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Some corner cases for IdentityStoreHandler

From: Rudy De Busscher <rdebusscher_at_gmail.com>
Date: Tue, 15 Nov 2016 21:44:30 +0100

Hi all,

When I was preparing my talk for Java2Days around JSR-375 and Soteria, I
came across the following corner cases.

1) When there are no (authenticating) IdentityStores defined (no
IdentityStore with ValidationType.BOTH or ValidationType.AUTHENTICATION),
what should be done in that situation?

When the system has no way of validating the credentials, this is clearly
an error I guess. Probably the best thing is that during the deployment
(CDI Extension AfterBeanDiscovery method execution) of the application an
error is thrown. Or should we log only a warning?

For the moment I implemented in Soteria that during the execution of the
IdentityStoreHandler, CredentialValidationResult.INVALID_RESULT is
returned. (Fixing the NullPointerException in this situation)

2) When there is no HttpAuthenticationMechanism available (by means of a
'CDI definition annotation' or by implementing the interface), I guess we
can carry on as usual. Because the developer can always start
authentication by calling the SecurityContext methods.

Probably this also needs to be mentioned in the spec docs.

Best regards
Rudy
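As an added illustration of corner case 1 (not code from the thread, from Soteria, or from the JSR-375 reference implementation), the following is a hypothetical custom IdentityStoreHandler that partitions the discovered IdentityStores by their validation types at startup and, when no store is able to validate credentials, logs a severe message at startup and answers INVALID_RESULT for every validate() call instead of dereferencing a missing store. It assumes the final Java EE 8 javax.security.enterprise API, in which the draft ValidationType values discussed above became VALIDATE and PROVIDE_GROUPS; the class name StrictIdentityStoreHandler, the @Priority value and the group-merging rule are assumptions of this example, not spec requirements.

```java
import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;

import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

/**
 * Hypothetical handler (example code, not part of JSR-375 or Soteria).
 * Declared as an enabled @Alternative so CDI selects it instead of the
 * container's default IdentityStoreHandler.
 */
@Alternative
@Priority(100)
@ApplicationScoped
public class StrictIdentityStoreHandler implements IdentityStoreHandler {

    private static final Logger LOG = Logger.getLogger(StrictIdentityStoreHandler.class.getName());

    // All IdentityStore beans the container discovered in this application.
    @Inject
    private Instance<IdentityStore> identityStores;

    private final List<IdentityStore> validatingStores = new ArrayList<>();
    private final List<IdentityStore> groupStores = new ArrayList<>();

    @PostConstruct
    void init() {
        for (IdentityStore store : identityStores) {
            Set<IdentityStore.ValidationType> types = store.validationTypes();
            if (types.contains(VALIDATE)) {
                validatingStores.add(store);
            }
            if (types.contains(PROVIDE_GROUPS)) {
                groupStores.add(store);
            }
        }
        // Lower priority() value means the store is consulted first.
        Comparator<IdentityStore> byPriority = Comparator.comparingInt(IdentityStore::priority);
        validatingStores.sort(byPriority);
        groupStores.sort(byPriority);

        // Corner case 1: nothing can validate credentials. Surface it at
        // startup, where an operator will see it, rather than only at the
        // first login attempt. Throwing here instead would fail deployment.
        if (validatingStores.isEmpty()) {
            LOG.severe("No IdentityStore with ValidationType.VALIDATE is available; "
                    + "every credential will be rejected with INVALID_RESULT");
        }
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // With no validating store the only safe answer is INVALID, never
        // NOT_VALIDATED (which callers might treat as "try the next thing").
        if (validatingStores.isEmpty()) {
            return INVALID_RESULT;
        }

        CredentialValidationResult result = INVALID_RESULT;
        IdentityStore validatedBy = null;
        for (IdentityStore store : validatingStores) {
            result = store.validate(credential);
            if (result.getStatus() == VALID) {
                validatedBy = store;
                break;
            }
        }
        if (validatedBy == null) {
            return INVALID_RESULT;
        }

        // Assumed merging rule: groups returned by the validating store plus
        // the groups of every other PROVIDE_GROUPS store, de-duplicated.
        Set<String> groups = new HashSet<>();
        if (result.getCallerGroups() != null) {
            groups.addAll(result.getCallerGroups());
        }
        for (IdentityStore store : groupStores) {
            if (store != validatedBy) {
                groups.addAll(store.getCallerGroups(result));
            }
        }
        return new CredentialValidationResult(result.getCallerPrincipal(), groups);
    }
}
```

Because the check runs in @PostConstruct of an @ApplicationScoped bean, it fires when the handler is first resolved, not necessarily at deployment; a CDI extension observing AfterBeanDiscovery, as suggested above, would be the place to turn the log message into a deployment failure. Note that a bean which only provides groups (PROVIDE_GROUPS without VALIDATE) counts toward groupStores but does nothing to lift the corner case, which is the situation the handler guards against.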