4.4. Built-in Credential Handlers
PicketLink provides built-in support for the following credential types:
Warning: Not all built-in IdentityStore implementations support all credential types. For example, since the LDAPIdentityStore is backed by an LDAP directory server, only password credentials are supported. The following table lists the built-in IdentityStore implementations that support each credential type.
Table 4.1. Built-in credential types
Credential type | Description | Supported by
---|---|---
org.picketlink.idm.credential.UsernamePasswordCredentials | A standard username and text-based password | JPAIdentityStore, FileBasedIdentityStore, LDAPIdentityStore
org.picketlink.idm.credential.DigestCredentials | Used for digest-based authentication | JPAIdentityStore, FileBasedIdentityStore
org.picketlink.idm.credential.X509CertificateCredentials | Used for X509 certificate-based authentication | JPAIdentityStore, FileBasedIdentityStore
org.picketlink.idm.credential.TOTPCredentials | Used for Time-based One-time Password authentication | JPAIdentityStore, FileBasedIdentityStore
org.picketlink.idm.credential.TokenCredential | Used for token-based authentication | JPAIdentityStore, FileBasedIdentityStore
The next sections will describe each of these built-in types individually. Configuration parameters are set at initialization time - see Section 7.1.8.1, “Passing parameters to Credential Handlers” for details.
4.4.1. Username/Password-based Credential Handler
This credential handler supports username/password-based authentication.
Credentials can be updated as follows:
```java
// Look up the account by login name and store (replace) its password credential.
User user = BasicModel.getUser(identityManager, "jsmith");
identityManager.updateCredential(user, new Password("abcd1234"));
```
In order to validate a credential, use the following code:
```java
// Status is org.picketlink.idm.credential.Credentials.Status
UsernamePasswordCredentials credential = new UsernamePasswordCredentials();
Password password = new Password("abcd1234");

credential.setUsername("jsmith");
credential.setPassword(password);

// The handler sets the status on the credential object; it does not return it.
identityManager.validateCredentials(credential);

if (Status.VALID.equals(credential.getStatus())) {
    // successful validation
} else {
    // invalid credential
}
```
4.4.1.1. Configuration Parameters
The following table describes all configuration parameters supported by this credential handler:
Table 4.2. Configuration Parameters
Parameter | Description
---|---
PasswordCredentialHandler.PASSWORD_ENCODER | Must be a org.picketlink.idm.credential.encoder.PasswordEncoder sub-type. It defines how passwords are encoded. Defaults to SHA-512.
PasswordCredentialHandler.SECURE_RANDOM_PROVIDER | Must be a org.picketlink.common.random.SecureRandomProvider sub-type. It defines how SecureRandom instances are created; these generate the random numbers used to salt passwords. Defaults to SHA1PRNG with a default seed.
PasswordCredentialHandler.RENEW_RANDOM_NUMBER_GENERATOR_INTERVAL | To increase the security of generated salted passwords, SecureRandom instances can be renewed from time to time. This option defines the renewal interval in milliseconds. Defaults to disabled, which means that a single instance is used for the lifetime of the application.
PasswordCredentialHandler.ALGORITHM_RANDOM_NUMBER | Defines the algorithm used by the default SecureRandomProvider. Defaults to SHA1PRNG.
PasswordCredentialHandler.KEY_LENGTH_RANDOM_NUMBER | Defines the key length of seeds when using the default SecureRandomProvider. Defaults to 0, which means it is disabled.
PasswordCredentialHandler.LOGIN_NAME_PROPERTY | Defines the name of the property used to look up the Account object from the provided login name. It has a default value of loginName and can be overridden if the credential handler is to be used to authenticate an Account type that uses a different property name.
PasswordCredentialHandler.SUPPORTED_ACCOUNT_TYPES | Defines any additional Account types that are supported by the credential handler. If no value is specified, or no identity instances of the specified types are found, the credential handler falls back to looking up either an Agent or a User (from the org.picketlink.idm.model.basic package). The property value is expected to be an array of Class<? extends Account> objects.
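As an added example (not code from the PicketLink guide), the class below wires two of the Table 4.2 parameters into a file-based store and then runs the update/validate flow from Section 4.4.1, mapping each credential Status to a fixed outcome. The builder chain (setCredentialHandlerProperty, supportAllFeatures, buildAll), SHAPasswordEncoder, DefaultPartitionManager, Realm, the effective/expiry-date overload of updateCredential and the Status.EXPIRED constant are assumed from the PicketLink IDM API rather than taken from this page.

```java
import java.util.Date;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.credential.Credentials.Status;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.credential.encoder.SHAPasswordEncoder;
import org.picketlink.idm.credential.handler.PasswordCredentialHandler;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.User;

public class PasswordHandlerExample {
    // Assumed builder API: a file-based store with explicit PasswordCredentialHandler settings.
    static IdentityManager buildIdentityManager() {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder.named("default")
            .stores()
                .file()
                    // Explicit SHA-512 encoder (the same algorithm as the documented default).
                    .setCredentialHandlerProperty(PasswordCredentialHandler.PASSWORD_ENCODER, new SHAPasswordEncoder(512))
                    // Renew the salt SecureRandom hourly instead of keeping one instance for the application lifetime.
                    .setCredentialHandlerProperty(PasswordCredentialHandler.RENEW_RANDOM_NUMBER_GENERATOR_INTERVAL, 3600000L)
                    .supportAllFeatures();
        DefaultPartitionManager partitionManager = new DefaultPartitionManager(builder.buildAll());
        partitionManager.add(new Realm(Realm.DEFAULT_REALM));
        return partitionManager.createIdentityManager();
    }

    // Validate and map Status to one of three outcomes; "denied" covers INVALID and every other non-success status,
    // so the caller learns nothing about which check failed.
    static String authenticate(IdentityManager identityManager, String loginName, String rawPassword) {
        UsernamePasswordCredentials credential = new UsernamePasswordCredentials();
        credential.setUsername(loginName);
        credential.setPassword(new Password(rawPassword));
        identityManager.validateCredentials(credential);
        switch (credential.getStatus()) {
            case VALID:   return "ok";
            case EXPIRED: return "expired";
            default:      return "denied";
        }
    }

    public static void main(String[] args) {
        IdentityManager identityManager = buildIdentityManager();
        User user = new User("jsmith");          // constructed sample account
        identityManager.add(user);
        identityManager.updateCredential(user, new Password("abcd1234"));
        System.out.println(authenticate(identityManager, "jsmith", "abcd1234"));       // right password
        System.out.println(authenticate(identityManager, "jsmith", "wrong-password"));  // wrong password
        // Store a password whose expiry date was yesterday: the handler reports EXPIRED, not VALID.
        identityManager.updateCredential(user, new Password("rotated"), new Date(0), new Date(System.currentTimeMillis() - 86400000L));
        System.out.println(authenticate(identityManager, "jsmith", "rotated"));        // expired password
    }
}
```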