Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-282

Formalize multiple credential support

    XMLWordPrintable

    Details

      Description

      Tackle the multiple credential problem directly rather than work around it. This requires multiple steps:

      1. In org.wildfly.security.auth.server.RealmIdentity, the credential access methods should drop credentialType and algorithmName and replace them with a single credentialName. The sole exception should be the getCredential method, which can retain the credentialType parameter in order to perform a soft cast-or-null operation for convenience. The verifyCredential method will need a credentialName parameter added.
      2. Add a method to RealmIdentity which can be used to query for the existence of a credential with the given label, e.g. hasCredential(String).
      3. Modify org.wildfly.security.auth.server.ModifiableRealmIdentity to add a credentialName parameter to setCredential.
      4. Add a method to ModifiableRealmIdentity to delete a single named credential.
      5. Modify the setCredentials method of ModifiableRealmIdentity to accept a Map<String,Object> instead of a List<Object>.
      6. Add a credential selection mapper mechanism which can consume authentication process information and use it to yield a credential label. Some implementation ideas:
        • A functional interface which accepts the (mapped) name, authentication mechanism type (e.g. SASL vs HTTP vs ???), optional protocol type (e.g. SASL field), actual mechanism name (e.g. "DIGEST-MD5") and yields the label name or a list (in descending order of preference) of label names
        • Note that the approach must be forwards-compatible if we need to add more criteria to the mapping process
      7. Provide a default setting which selects a label from a simple predefined scheme based on the kind of authentication being performed (e.g. SASL "DIGEST-MD5" could prefer "sasl-digest" and then "clear-password", SASL "CLEAR" could prefer "password" and then "clear-password", etc.).

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              honza889 Jan Kalina (Inactive)
              Reporter:
              dmlloyd David Lloyd
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: