JBoss.orgCommunity Documentation
While the IDM module of PicketLink provides authentication features, for common use cases involving standard username and password based authentication in a Java EE environment, PicketLink provides a more streamlined method of authentication. Please refer to Chapter 2, Authentication for more information.
PicketLink IDM provides an authentication subsystem that allows user credentials to be validated thereby confirming
that an authenticating user is who they claim to be. The IdentityManager
interface provides a single
method for performing credential validation, as follows:
void validateCredentials(Credentials credentials);
The validateCredentials()
method accepts a single Credentials
parameter, which should
contain all of the state required to determine who is attempting to authenticate, and the credential (such as a
password, certificate, etc) that they are authenticating with. Let's take a look at the Credentials
interface:
public interface Credentials {
public enum Status {
UNVALIDATED, IN_PROGRESS, INVALID, VALID, EXPIRED
};
Agent getValidatedAgent();
Status getStatus();
void invalidate();
}
The Status
enum defines the following values, which reflect the various credential states:
UNVALIDATED
- The credential is yet to be validated.
IN_PROGRESS
- The credential is in the process of being validated.
INVALID
- The credential has been validated unsuccessfully
VALID
- The credential has been validated successfully
EXPIRED
- The credential has expired
getValidatedAgent()
- If the credential was successfully validated, this method returns the
Agent
object representing the validated user.
getStatus()
- Returns the current status of the credential, i.e. one of the above enum values.
invalidate()
- Invalidate the credential. Implementations of Credential
should use
this method to clean up internal credential state.
Let's take a look at a concrete example - UsernamePasswordCredentials
is a Credentials
implementation that supports traditional username/password-based authentication:
public class UsernamePasswordCredentials extends AbstractBaseCredentials {
private String username;
private Password password;
public UsernamePasswordCredentials() { }
public UsernamePasswordCredentials(String userName, Password password) {
this.username = userName;
this.password = password;
}
public String getUsername() {
return username;
}
public UsernamePasswordCredentials setUsername(String username) {
this.username = username;
return this;
}
public Password getPassword() {
return password;
}
public UsernamePasswordCredentials setPassword(Password password) {
this.password = password;
return this;
}
@Override
public void invalidate() {
setStatus(Status.INVALID);
password.clear();
}
}
The first thing we may notice about the above code is that the UsernamePasswordCredentials
class extends
AbstractBaseCredentials
. This abstract base class implements the basic functionality required by the
Credentials
interface. Next, we can see that two fields are defined; username
and password
.
These fields are used to hold the username and password state, and can be set either via the constructor,
or by their associated setter methods. Finally, we can also see that the invalidate()
method sets the status to
INVALID
, and also clears the password value.
Let's take a look at an example of the above classes in action. The following code demonstrates how we would authenticate a user with a username of "john" and a password of "abcde":
Credentials creds = new UsernamePasswordCredentials("john",
new Password("abcde"));
identityManager.validate(creds);
if (Status.VALID.equals(creds.getStatus())) {
// authentication was successful
}
We can also test if the credentials that were provided have expired (if an expiry date was set). In this case we might redirect the user to a form where they can enter a new password.
Credentials creds = new UsernamePasswordCredentials("john",
new Password("abcde"));
identityManager.validate(creds);
if (Status.EXPIRED.equals(creds.getStatus())) {
// password has expired, redirect the user to a password change screen
}
Updating user credentials is even easier than validating them. The IdentityManager
interface provides the following
two methods for updating credentials:
void updateCredential(Agent agent, Object credential);
void updateCredential(Agent agent, Object credential, Date effectiveDate, Date expiryDate);
Both of these methods essentially do the same thing; they update a credential value for a specified Agent
(or User
). The second overloaded method however also accepts effectiveDate
and expiryDate
parameters, which allow some temporal control over when the credential will be valid. Use cases for this feature
include implementing a strict password expiry policy (by providing an expiry date), or creating a new account that might not
become active until a date in the future (by providing an effective date). Invoking the first overloaded method will
store the credential with an effective date of the current date and time, and no expiry date.
One important point to note is that the credential
parameter is of type java.lang.Object
. Since
credentials can come in all shapes and sizes (and may even be defined by third party libraries), there is no common base
interface for credential implementations to extend. To support this type of flexibility in an extensible way, PicketLink
provides an SPI that allows custom credential handlers to be configured that override or extend the default credential
handling logic. Please see the next section for more information on how this SPI may be used.
PicketLink provides built-in support for the following credential types:
Not all built-in IdentityStore
implementations support all credential types. For example, since the
LDAPIdentityStore
is backed by an LDAP directory server, only password credentials are supported. The
following table lists the built-in IdentityStore
implementations that support each credential type.
Table 4.1. Built-in credential types
Credential type | Description | Supported by |
---|---|---|
org.picketlink.idm.credential.Digest | Used for digest-based authentication |
JPAIdentityStore
FileBasedIdentityStore
|
org.picketlink.idm.credential.Password | A standard text-based password |
JPAIdentityStore
FileBasedIdentityStore
LDAPIdentityStore
|
java.security.cert.X509Certificate | Used for X509 certificate based authentication |
JPAIdentityStore
FileBasedIdentityStore
|
Let's take a look at a couple of examples. Here's some code demonstrating how a password can be assigned to user "jsmith":
User user = identityManager.getUser("jsmith");
identityManager.updateCredential(user, new Password("abcd1234"));
This example creates a digest and assigns it to user "jdoe":
User user = identityManager.getUser("jdoe");
Digest digest = new Digest();
digest.setRealm("default");
digest.setUsername(user.getLoginName());
digest.setPassword("abcd1234");
identityManager.updateCredential(user, digest);
For IdentityStore
implementations that support multiple credential types, PicketLink provides
an optional SPI to allow the default credential handling logic to be easily customized and extended. To get
a better picture of the overall workings of the Credential Handler SPI, let's take a look at the sequence
of events during the credential validation process when validating a username and password against
JPAIdentityStore
:
1 -
The user (or some other code) first invokes the validateCredentials()
method on IdentityManager
,
passing in the Credentials
instance to validate.
1.1 -
After looking up the correct IdentityStore
(i.e. the one that has been configured to validate credentials)
the IdentityManager
invokes the store's validateCredentials()
method, passing in the
SecurityContext
and the credentials to validate.
1.1.1 -
In JPAIdentityStore
's implementation of the validateCredentials()
method, the
SecurityContext
is used to look up the CredentialHandler
implementation that has been
configured to process validation requests for usernames and passwords, which is then stored in a local variable
called handler
.
1.1.2 -
The validate()
method is invoked on the CredentialHandler
, passing in the security context,
the credentials value and a reference back to the identity store. The reference to the identity store is important
as the credential handler may require it to invoke certain methods upon the store to validate the credentials.
The CredentialHandler
interface declares three methods, as follows:
public interface CredentialHandler {
void setup(IdentityStore<?> identityStore);
void validate(SecurityContext context, Credentials credentials,
IdentityStore<?> identityStore);
void update(SecurityContext context, Agent agent, Object credential,
IdentityStore<?> identityStore, Date effectiveDate, Date expiryDate);
}
The setup()
method is called once, when the CredentialHandler
instance is first created.
Credential handler instantiation is controlled by the CredentialHandlerFactory
, which creates a single
instance of each CredentialHandler
implementation to service all credential requests for that handler.
Each CredentialHandler
implementation must declare the types of credentials that it is capable of supporting,
which is done by annotating the implementation class with the @SupportsCredentials
annotation like so:
@SupportsCredentials({ UsernamePasswordCredentials.class, Password.class })
public class PasswordCredentialHandler implements CredentialHandler {
Since the validate()
and update()
methods receive different parameter types (validate()
takes a Credentials
parameter value while update()
takes an Object
that represents
a single credential value), the @SupportsCredentials
annotation must contain a complete list of all types supported
by that handler.
Similarly, if the IdentityStore
implementation makes use of the credential handler SPI then it also must declare
which credential handlers support that identity store. This is done using the @CredentialHandlers
annotation;
for example, the following code shows how JPAIdentityStore
is configured to be capable of handling credential
requests for usernames and passwords, X509 certificates and digest-based authentication:
@CredentialHandlers({ PasswordCredentialHandler.class,
X509CertificateCredentialHandler.class, DigestCredentialHandler.class })
public class JPAIdentityStore implements IdentityStore<JPAIdentityStoreConfiguration>,
CredentialStore {
For IdentityStore
implementations that support multiple credential types (such as JPAIdentityStore
and FileBasedIdentityStore
), the implementation may choose to also implement the CredentialStore
interface to simplify the interaction between the CredentialHandler
and the IdentityStore
. The
CredentialStore
interface declares methods for storing and retrieving credential values within an identity
store, as follows:
public interface CredentialStore {
void storeCredential(SecurityContext context, Agent agent,
CredentialStorage storage);
<T extends CredentialStorage> T retrieveCurrentCredential(SecurityContext context,
Agent agent, Class<T> storageClass);
<T extends CredentialStorage> List<T> retrieveCredentials(SecurityContext context,
Agent agent, Class<T> storageClass);
}
The CredentialStorage
interface is quite simple and only declares two methods, getEffectiveDate()
and getExpiryDate()
:
public interface CredentialStorage {
@Stored Date getEffectiveDate();
@Stored Date getExpiryDate();
}
The most important thing to note above is the usage of the @Stored
annotation. This annotation is used to
mark the properties of the CredentialStorage
implementation that should be persisted. The only requirement
for any property values that are marked as @Stored
is that they are serializable (i.e. they implement the
java.io.Serializable
interface). The @Stored
annotation may be placed on either the getter
method or the field variable itself. Here's an example of one of a CredentialStorage
implementation that
is built into PicketLink - EncodedPasswordStorage
is used to store a password hash and salt value:
public class EncodedPasswordStorage implements CredentialStorage {
private Date effectiveDate;
private Date expiryDate;
private String encodedHash;
private String salt;
@Override @Stored
public Date getEffectiveDate() {
return effectiveDate;
}
public void setEffectiveDate(Date effectiveDate) {
this.effectiveDate = effectiveDate;
}
@Override @Stored
public Date getExpiryDate() {
return expiryDate;
}
public void setExpiryDate(Date expiryDate) {
this.expiryDate = expiryDate;
}
@Stored
public String getEncodedHash() {
return encodedHash;
}
public void setEncodedHash(String encodedHash) {
this.encodedHash = encodedHash;
}
@Stored
public String getSalt() {
return this.salt;
}
public void setSalt(String salt) {
this.salt = salt;
}
}
This section describes each of the built-in credential handlers, and any configuration parameters that may be set for them.
Specific credential handler options can be set when creating a new IdentityConfiguration
. Configured options
are always specific to a particular identity store configuration, allowing different options to be specified between two or
more identity stores. The IdentityStoreConfiguration
interface provides a method called
getCredentialHandlersConfig()
that provides access to a Map
which allows configuration options
to be set for the identity store's credential handlers:
public interface IdentityStoreConfiguration {
Map<String, Object> getCredentialHandlerProperties();
}
To gain access to the IdentityStoreConfiguration
object before PicketLink is initialized, there are a couple of
options. The first option is to provide an IdentityConfiguration
object itself via a producer method.