Package jakarta.security.enterprise.identitystore

Interface IdentityStore

public interface IdentityStore
IdentityStore is a mechanism for validating a caller's credentials and accessing a caller's identity attributes. It can be used by an authentication mechanism, such as a Jakarta Security HttpAuthenticationMechanism or a Jakarta Authentication ServerAuthModule.

Stores which do only validation or only group lookup are allowed.

An IdentityStore obtains identity data from a persistent store, such as a database, LDAP server, or file.

  • Field Details

    • DEFAULT_VALIDATION_TYPES

      static final Set<IdentityStore.ValidationType> DEFAULT_VALIDATION_TYPES
      Default set of validation types. Contains VALIDATE and PROVIDE_GROUPS.

  • Method Details

    • validate

      default CredentialValidationResult validate(Credential credential)
      Validates the given credential.

      As a convenience, a default implementation is provided that looks up an overload of this method that has, as its one and only parameter, a subclass of Credential. Here is an example of what an implementation of this interface looks like with such an overloaded method: 

      
public class ExampleIdentityStore implements IdentityStore {

    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
        // Implementation ...
        return INVALID_RESULT;
    }

}

      Note that the overloaded method is only called when the actual type passed into this method will exactly match the parameter type of the overloaded method. There's no attempt being done to find the most specific overloaded method such as specified in JLS 15.2.

      This method returns a CredentialValidationResult representing the result of the validation attempt: whether it succeeded or failed, and, for a successful validation, the CallerPrincipal, and possibly groups or other attributes, of the caller.

      Parameters:
      credential - The credential to validate.
      Returns:
      The validation result.

    • getCallerGroups

      default Set<String> getCallerGroups(CredentialValidationResult validationResult)
      Returns groups for the caller, who is identified by the CallerPrincipal (and potentially other values) found in the validationResult parameter.

      Callers (i.e., IdentityStoreHandlers) should have IdentityStorePermission permission to invoke this method. Implementations should check for this permission before doing any work: 

      
SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkPermission(new IdentityStorePermission("getGroups");
}
      Parameters:
      validationResult - The CredentialValidationResult returned by a previous call to validate(Credential).
      Returns:
      The Set of groups found for the caller, if any, or an empty Set otherwise.
      Throws:
      SecurityException - May be thrown if the calling code does not have IdentityStorePermission.

    • priority

      default int priority()
      Determines the order of invocation for multiple IdentityStores. Stores with a lower priority value are consulted first.
      Returns:
      The priority value. Lower values indicate higher priorities.

    • validationTypes

      default Set<IdentityStore.ValidationType> validationTypes()
      Determines the type of validation the IdentityStore should be used for. By default, its used for credential validation AND providing groups.

      Implementations of this API should not return a direct reference to a Set used internally to represent an IdentityStore's validation types, unless it is an immutable Set. Callers of the API should be aware that the returned Set may be immutable, or a copy, and that, in any case, it should not be modified by the caller.

      Returns:
      Set containing the validation types enabled for the IdentityStore.