Package jakarta.security.enterprise.identitystore

Interface IdentityStore

public interface IdentityStore

IdentityStore is a mechanism for validating a caller's credentials and accessing a caller's identity attributes. It can be used by an authentication mechanism, such as a Jakarta Security HttpAuthenticationMechanism or a Jakarta Authentication ServerAuthModule.

Stores which do only validation or only group lookup are allowed.

An IdentityStore obtains identity data from a persistent store, such as a database, LDAP server, or file.

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static class	IdentityStore.ValidationType	Determines the type of validation (operations) that should be done by this store.

Field Summary

Fields

Modifier and Type	Field	Description
static Set<IdentityStore.ValidationType>	DEFAULT_VALIDATION_TYPES	Default set of validation types.

Method Summary

Modifier and Type	Method	Description
default Set<String>	getCallerGroups(CredentialValidationResult validationResult)	Returns groups for the caller, who is identified by the CallerPrincipal (and potentially other values) found in the validationResult parameter.
default int	priority()	Determines the order of invocation for multiple IdentityStores.
default CredentialValidationResult	validate(Credential credential)	Validates the given credential.
default Set<IdentityStore.ValidationType>	validationTypes()	Determines the type of validation the IdentityStore should be used for.

Field Detail

DEFAULT_VALIDATION_TYPES

static final Set<IdentityStore.ValidationType> DEFAULT_VALIDATION_TYPES

Default set of validation types. Contains VALIDATE and PROVIDE_GROUPS.

Method Detail

validate

default CredentialValidationResult validate(Credential credential)

Validates the given credential.

As a convenience, a default implementation is provided that looks up an overload of this method that has, as its one and only parameter, a subclass of Credential. Here is an example of what an implementation of this interface looks like with such an overloaded method:

public class ExampleIdentityStore implements IdentityStore {

    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
        // Implementation ...
        return INVALID_RESULT;
    }

}
 

Note that the overloaded method is only called when the actual type passed into this method will exactly match the parameter type of the overloaded method. There's no attempt being done to find the most specific overloaded method such as specified in JLS 15.2.

This method returns a CredentialValidationResult representing the result of the validation attempt: whether it succeeded or failed, and, for a successful validation, the CallerPrincipal, and possibly groups or other attributes, of the caller.

Parameters:

credential - The credential to validate.

Returns:

The validation result.

getCallerGroups

default Set<String> getCallerGroups(CredentialValidationResult validationResult)

Returns groups for the caller, who is identified by the CallerPrincipal (and potentially other values) found in the validationResult parameter.

Callers (i.e., IdentityStoreHandlers) should have IdentityStorePermission permission to invoke this method. Implementations should check for this permission before doing any work:

SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkPermission(new IdentityStorePermission("getGroups");
}
 

Parameters:

validationResult - The CredentialValidationResult returned by a previous call to validate(Credential).

Returns:

The Set of groups found for the caller, if any, or an empty Set otherwise.

Throws:

SecurityException - May be thrown if the calling code does not have IdentityStorePermission.

priority

default int priority()

Determines the order of invocation for multiple IdentityStores. Stores with a lower priority value are consulted first.

Returns:

The priority value. Lower values indicate higher priorities.

validationTypes

default Set<IdentityStore.ValidationType> validationTypes()

Determines the type of validation the IdentityStore should be used for. By default, its used for credential validation AND providing groups.

Implementations of this API should not return a direct reference to a Set used internally to represent an IdentityStore's validation types, unless it is an immutable Set. Callers of the API should be aware that the returned Set may be immutable, or a copy, and that, in any case, it should not be modified by the caller.

Returns:

Set containing the validation types enabled for the IdentityStore.