Product SiteDocumentation Site

Chapter 4. Identity Management - Credential Validation and Management

4.1. Authentication


While the IDM module of PicketLink provides authentication features, for common use cases involving standard username and password based authentication in a Java EE environment, PicketLink provides a more streamlined method of authentication. Please refer to Chapter 2, Authentication for more information.
PicketLink IDM provides an authentication subsystem that allows user credentials to be validated thereby confirming that an authenticating user is who they claim to be. The IdentityManager interface provides a single method for performing credential validation, as follows:
void validateCredentials(Credentials credentials);
The validateCredentials() method accepts a single Credentials parameter, which should contain all of the state required to determine who is attempting to authenticate, and the credential (such as a password, certificate, etc) that they are authenticating with. Let's take a look at the Credentials interface:
public interface Credentials {
    public enum Status {

   Account getValidatedAccount();
   Status getStatus();
   void invalidate();
  • The Status enum defines the following values, which reflect the various credential states:
    • UNVALIDATED - The credential is yet to be validated.
    • IN_PROGRESS - The credential is in the process of being validated.
    • INVALID - The credential has been validated unsuccessfully
    • VALID - The credential has been validated successfully
    • EXPIRED - The credential has expired
  • getValidatedAccount() - If the credential was successfully validated, this method returns the Account object representing the validated user.
  • getStatus() - Returns the current status of the credential, i.e. one of the above enum values.
  • invalidate() - Invalidate the credential. Implementations of Credential should use this method to clean up internal credential state.
Let's take a look at a concrete example - UsernamePasswordCredentials is a Credentials implementation that supports traditional username/password-based authentication:
public class UsernamePasswordCredentials extends AbstractBaseCredentials {

    private String username;

    private Password password;

    public UsernamePasswordCredentials() { }

    public UsernamePasswordCredentials(String userName, Password password) {
        this.username = userName;
        this.password = password;

    public String getUsername() {
        return username;

    public UsernamePasswordCredentials setUsername(String username) {
        this.username = username;
        return this;

    public Password getPassword() {
        return password;

    public UsernamePasswordCredentials setPassword(Password password) {
        this.password = password;
        return this;

    public void invalidate() {
The first thing we may notice about the above code is that the UsernamePasswordCredentials class extends AbstractBaseCredentials. This abstract base class implements the basic functionality required by the Credentials interface. Next, we can see that two fields are defined; username and password. These fields are used to hold the username and password state, and can be set either via the constructor, or by their associated setter methods. Finally, we can also see that the invalidate() method sets the status to INVALID, and also clears the password value.
Let's take a look at an example of the above classes in action. The following code demonstrates how we would authenticate a user with a username of "john" and a password of "abcde":
Credentials creds = new UsernamePasswordCredentials("john",
    new Password("abcde"));
if (Status.VALID.equals(creds.getStatus())) {
  // authentication was successful
We can also test if the credentials that were provided have expired (if an expiry date was set). In this case we might redirect the user to a form where they can enter a new password.
Credentials creds = new UsernamePasswordCredentials("john",
    new Password("abcde"));
if (Status.EXPIRED.equals(creds.getStatus())) {
  // password has expired, redirect the user to a password change screen