Introduction to IdentityStore and Authentication Mechanism
Learn more about the details of IdentityStore, AuthenticationMechanism, SecurityContext, and Logout.
Overview
The official definition of the IdentityStore is as follows:
IdentityStore is a mechanism for validating a caller’s credentials and accessing a caller’s identity attributes. It can be used as an authentication mechanism.
The IdentityStore is responsible for determining whether user credentials are correct. We declared a custom class that implements the javax.security.enterprise.identitystore.IdentityStore interface as a CDI bean in the lesson "Callback Handlers." Since the IdentityStore is also responsible for retrieving the user's attributes, such as the groups to which they are assigned, the interface has two main methods:
CredentialValidationResult validate(Credential credential);
Set<String> getCallerGroups(CredentialValidationResult validationResult);
By default an IdentityStore performs both actions, validating the credentials and retrieving the groups: the default implementation of validationTypes() returns both VALIDATE and PROVIDE_GROUPS. A custom implementation of the interface can restrict itself to one of the two actions by overriding validationTypes() and returning only the type it supports; the IdentityStoreHandler then calls validate() only on stores that declare VALIDATE and getCallerGroups() only on stores that declare PROVIDE_GROUPS.
The specification allows several stores to be defined; they are sorted by the return value of their priority() method, with lower values consulted first. The default IdentityStoreHandler performs the following actions:
- Loop over all known IdentityStore beans that support VALIDATE, in priority order, calling validate() until a store returns VALID. A NOT_VALIDATED result means the store can't handle this credential type, so the next store gets the chance to determine whether the credentials are valid. An INVALID result is remembered but does not stop the loop either, so a later store can still accept the credentials.
- If no store returned VALID, the overall result is INVALID when at least one store returned INVALID, and NOT_VALIDATED otherwise.
- If a store returned VALID, collect the caller's groups from that result and from every store that supports PROVIDE_GROUPS, and merge them into the final CredentialValidationResult.
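The two methods and the handler's loop above, as an added example that is not part of the course material: a password-validating store that declines credential types it does not understand (so the handler moves on), and a second store that only supplies groups. It assumes the Java EE 8 Security API (javax.security.enterprise), a CDI container that provides the Pbkdf2PasswordHash bean, and constructed demo accounts; the class names, header names and iteration count are assumptions of this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
import static javax.security.enterprise.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;

/**
 * Store 1: validates username/password credentials only (no group knowledge).
 * Consulted first because its priority value is lower.
 */
@ApplicationScoped
public class DemoPasswordStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash;   // container-provided PBKDF2 implementation

    private final Map<String, String> hashes = new HashMap<>(); // caller -> hash string
    private String dummyHash;                                     // for unknown callers

    @PostConstruct
    void init() {
        Map<String, String> params = new HashMap<>();
        params.put("Pbkdf2PasswordHash.Algorithm", "PBKDF2WithHmacSHA256");
        params.put("Pbkdf2PasswordHash.Iterations", "210000"); // assumption: tune to your hardware
        params.put("Pbkdf2PasswordHash.SaltSizeBytes", "32");
        passwordHash.initialize(params);
        // Constructed demo accounts; a real store reads pre-computed hashes from a database.
        hashes.put("alice", passwordHash.generate("correct horse".toCharArray()));
        hashes.put("bob", passwordHash.generate("battery staple".toCharArray()));
        dummyHash = passwordHash.generate("unused".toCharArray());
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            // Not our credential type: tell the handler to try the next store.
            return NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        boolean known = hashes.containsKey(upc.getCaller());
        // Verify against a dummy hash for unknown callers so that the response time
        // does not reveal which user names exist.
        String stored = known ? hashes.get(upc.getCaller()) : dummyHash;
        boolean matches = passwordHash.verify(upc.getPassword().getValue(), stored);
        if (!(known && matches)) {
            return INVALID_RESULT; // definitive "wrong credentials", not "can't handle"
        }
        // Caller name only; groups come from whichever store declares PROVIDE_GROUPS.
        return new CredentialValidationResult(upc.getCaller());
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(VALIDATE);
    }

    @Override
    public int priority() {
        return 10;
    }
}

/** Store 2: supplies groups only; the handler calls it after another store returned VALID.
 *  (Shown in the same listing for brevity; in a project it would be its own file.) */
@ApplicationScoped
class DemoGroupStore implements IdentityStore {

    private static final Map<String, Set<String>> GROUPS = new HashMap<>(); // constructed data
    static {
        GROUPS.put("alice", new HashSet<>(Arrays.asList("user", "admin")));
        GROUPS.put("bob", new HashSet<>(Collections.singletonList("user")));
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        String caller = validationResult.getCallerPrincipal().getName();
        return GROUPS.getOrDefault(caller, Collections.emptySet());
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(PROVIDE_GROUPS);
    }

    @Override
    public int priority() {
        return 20;
    }
}
```

With both beans deployed, the default IdentityStoreHandler calls DemoPasswordStore.validate() first; a non-password credential yields NOT_VALIDATED and is passed on, a wrong password yields INVALID, and a correct one yields a result whose groups the handler fills in from DemoGroupStore. The dummy-hash comparison is the one check worth keeping in a real store: returning early for unknown users makes user enumeration possible through timing.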
You can customize the IdentityStoreHandler by defining an alternative CDI bean that implements the IdentityStoreHandler interface. This way, you can implement any combination logic you need.
Note: The IdentityStore defined for the OpenID Connect integration performs no validation of its own. It assumes that authentication has succeeded once a valid authorization code has been received, and simply accepts the credentials.
Authentication mechanism
We started with the IdentityStore because of the naming issue discussed earlier, but in the flow of a request the AuthenticationMechanism of the Security API actually comes first. This component is responsible for retrieving the user credentials from the request.
The official definition: HttpAuthenticationMechanism is a mechanism for obtaining a caller's credentials, using the HTTP protocol where necessary.
In the case of Basic authentication, this is the retrieval of the username and password from the Authorization header. With form authentication, the username and password parameters are retrieved from the body of the POST request. The OpenID Connect support does the hard work of retrieving and validating the tokens.
We also used a custom mechanism in the example where we looked at the URL parameters of the call.
The authentication mechanism can also be annotated with @RememberMe or @AutoApplySession. With @AutoApplySession, the caller principal established by a successful login is stored in the HTTP session and re-applied to later requests in that session, so the mechanism does not run again. With @RememberMe, a cookie is issued (backed by a RememberMeIdentityStore) that can re-establish the identity even after the session has expired. Both preserve the authentication information in a stateful scenario.
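A custom mechanism of the kind described above, as an added example that is not code from the course: it reads a credential from a request header, hands it to the IdentityStoreHandler, and either notifies the container of the login or challenges the client. It assumes the Java EE 8 Security API with a servlet container, the identity stores from the previous section (or any VALIDATE store), and a hypothetical header named X-Demo-Credentials carrying Base64("user:password"); a header rather than URL parameters is used deliberately, because query strings end up in access logs, proxies and browser history.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AutoApplySession;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Custom HttpAuthenticationMechanism (example, not the course's own code).
 * @AutoApplySession: after one successful login the container re-applies the caller
 * principal from the HTTP session, so validateRequest() is skipped for later requests.
 */
@AutoApplySession
@ApplicationScoped
public class HeaderCredentialAuthenticationMechanism implements HttpAuthenticationMechanism {

    private static final String HEADER = "X-Demo-Credentials"; // assumption: hypothetical header

    @Inject
    private IdentityStoreHandler identityStoreHandler; // default or custom handler, as configured

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext context)
            throws AuthenticationException {
        String header = request.getHeader(HEADER);

        if (header == null) {
            if (context.isProtected()) {
                // Protected resource without credentials: challenge, do not fall through.
                response.setHeader("WWW-Authenticate", HEADER + " realm=\"demo\"");
                return context.responseUnauthorized();
            }
            // Public resource: continue as an unauthenticated caller.
            return context.doNothing();
        }

        UsernamePasswordCredential credential = decode(header);
        if (credential == null) {
            // Malformed header is a failed login, never a bypass.
            return context.responseUnauthorized();
        }

        CredentialValidationResult result = identityStoreHandler.validate(credential);
        if (result.getStatus() == CredentialValidationResult.Status.VALID) {
            // Passes caller principal and groups to the container; the session is populated
            // by the @AutoApplySession interceptor.
            return context.notifyContainerAboutLogin(result);
        }
        // INVALID and NOT_VALIDATED (no store understood the credential) both end here.
        return context.responseUnauthorized();
    }

    /** Parses Base64("user:password"); returns null on any format error. */
    static UsernamePasswordCredential decode(String headerValue) {
        try {
            byte[] raw = Base64.getDecoder().decode(headerValue.trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon <= 0) {
                return null; // no separator or empty user name
            }
            return new UsernamePasswordCredential(decoded.substring(0, colon),
                                                  decoded.substring(colon + 1));
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }
}
```

Two points matter for a mechanism like this: NOT_VALIDATED from the handler must be treated exactly like INVALID (the credential was not understood by any store, so the caller is not authenticated), and a missing credential on a protected resource must end in a challenge rather than doNothing(), which would otherwise let the container decide with an anonymous caller.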
In contrast to the IdentityStore, you can only define one HttpAuthenticationMechanism for each application in this version of the Security API. This might be improved in a future version of the specification.
SecurityContext