Product SiteDocumentation Site

4.4. Built-in Credential Handlers

PicketLink provides built-in support for the following credential types:


Not all built-in IdentityStore implementations support all credential types. For example, since the LDAPIdentityStore is backed by an LDAP directory server, only password credentials are supported. The following table lists the built-in IdentityStore implementations that support each credential type.

Table 4.1. Built-in credential types

Credential type Description Supported by
org.picketlink.idm.credential.UsernamePasswordCredentials A standard username and text-based password JPAIdentityStore FileBasedIdentityStore LDAPIdentityStore
org.picketlink.idm.credential.DigestCredentials Used for digest-based authentication JPAIdentityStore FileBasedIdentityStore
org.picketlink.idm.credential.X509CertificateCredentials Used for X509 certificate based authentication JPAIdentityStore FileBasedIdentityStore
org.picketlink.idm.credential.TOTPCredentials Used for Time-based One-time Password authentication JPAIdentityStore FileBasedIdentityStore
org.picketlink.idm.credential.TokenCredential Used for Token-based authentication JPAIdentityStore FileBasedIdentityStore
The next sections will describe each of these built-in types individually. Configuration parameters are set at initialization time - see Section, “Passing parameters to Credential Handlers” for details.

4.4.1. Username/Password-based Credential Handler

This credential handlers supports a username/password based authentication.
Credentials can be updated as follows:
User user = BasicModel.getUser(identityManager, "jsmith");
identityManager.updateCredential(user, new Password("abcd1234"));
In order to validate a credential you need to the following code:
UsernamePasswordCredentials credential = new UsernamePasswordCredentials();

Password password = new Password("abcd1234");



if (Status.VALID.equals(credential.getStatus()) {
  // successful validation
} else {
  // invalid credential
} Configuration Parameters

The following table describes all configuration parameters supported by this credential handler:

Table 4.2. Configuration Parameters

Parameter Description
PasswordCredentialHandler. PASSWORD_ENCODER It must be a org.picketlink.idm.credential.encoder.PasswordEncoder sub-type. It defines how passwords are encoded. Defaults to SHA-512.
PasswordCredentialHandler. SECURE_RANDOM_PROVIDER It must be a org.picketlink.common.random.SecureRandomProvider sub-type. It defines how SecureRandom are created in order to be used to generate random numbers to salt passwords. Defaults to SHA1PRNG with a default seed.
PasswordCredentialHandler. RENEW_RANDOM_NUMBER_GENERATOR_INTERVAL To increase the security of generated salted passwords, SecureRandom instances can be renewed from time to time. This option defines the time in milliseconds. Defaults to disabled, what means that a single instance is used during the life-time of the application.
PasswordCredentialHandler. ALGORITHM_RANDOM_NUMBER Defines the algorithm to be used by the default SecureRandomProvider. Defaults to SHA1PRNG.
PasswordCredentialHandler. KEY_LENGTH_RANDOM_NUMBER Defines the key length of seeds when using the default SecureRandomProvider. Defaults to 0, which means it is disabled.
PasswordCredentialHandler. LOGIN_NAME_PROPERTY This option defines the name of the property used to lookup the Account object using the provided login name. It has a default value of loginName and can be overridden if the credential handler is to be used to authenticate an Account type that uses a different property name.
PasswordCredentialHandler. SUPPORTED_ACCOUNT_TYPES This option defines any additional Account types that are supported by the credential handler. If no value is specified and/or no identity instances of the specified types are found then the credential handler's fall back behaviour is to attempt to lookup either an Agent or User (from the org.picketlink.idm.model.basic package) identity. The property value is expected to be an array of Class<? extends Account> objects.