Need to resolve outstanding issues with LdapIdentityStore
Will Hopkins
I've been looking at the pile of bugs currently filed against the
default LdapIdentityStore in Soteria, and have noticed a couple
broad themes. I'd appreciate some feedback on these ASAP, as we need
to decide on a consistent approach so we don't end up with wildly
inconsistent behavior for different scenarios.
I'm compiling a list in issue #165, but want to call your attention to a couple items in particular:
My understanding to date has been that NOT_VALIDATED has a very specific meaning -- i.e., the identity store didn't attempt to validate the credential, because it doesn't handle that credential type. Errors -- network errors, config errors, etc. -- always result in a runtime exception being thrown.
There's no default searchFilter for caller lookup, but there is one for group lookup. We should probably handle both the same way -- either provide a default, or don't. The right way to provide defaults would probably be on the annotation attributes, rather than buried in internal code, but it's too late for that change.

Thanks for any thoughts you may have,

Will

--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
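The following is an added example and is not code from Soteria or from the message above. It illustrates the two items in practice as an application would see them: an `@LdapIdentityStoreDefinition` that sets both `callerSearchFilter` and `groupSearchFilter` explicitly on the annotation (so the application does not depend on whichever default the implementation does or does not bury in internal code), and a small custom `IdentityStore` whose `validate()` follows the contract described for `NOT_VALIDATED`: that result is returned only when the store does not handle the credential type, a failed check yields `INVALID_RESULT`, and backend or configuration errors surface as a `RuntimeException` rather than being folded into `NOT_VALIDATED`. The host, bind DN, base DNs, search filters, the `ldapSecrets` EL bean and the in-memory user table are all assumptions made for the example.

```java
// Added example, not Soteria's code. Assumes the jakarta.security.enterprise API;
// under Soteria 1.x the same types live under javax.security.enterprise.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition;

/**
 * Item 2: set BOTH search filters on the annotation. With both given explicitly,
 * it no longer matters whether the implementation defaults one of them.
 * All values below (host, DNs, filters, the ldapSecrets bean) are assumed.
 */
@LdapIdentityStoreDefinition(
    url = "ldap://ldap.example.internal:389",                      // assumed host
    bindDn = "cn=svc-app,ou=services,dc=example,dc=com",            // assumed service account
    bindDnPassword = "#{ldapSecrets.bindPassword}",                 // assumed EL bean, keeps the secret out of source
    callerSearchBase = "ou=people,dc=example,dc=com",
    callerSearchFilter = "(&(uid={0})(objectClass=inetOrgPerson))", // explicit caller filter
    groupSearchBase = "ou=groups,dc=example,dc=com",
    groupSearchFilter = "(&(member={0})(objectClass=groupOfNames))", // explicit group filter
    groupNameAttribute = "cn",
    priority = 10
)
@ApplicationScoped
public class LdapSecurityConfig {
}

/**
 * Item 1: the validate() contract. This store only understands
 * UsernamePasswordCredential; anything else is NOT_VALIDATED so a later store
 * in the chain can try. Backend failures are thrown, never mapped to a result.
 */
@ApplicationScoped
class InMemoryPasswordStore implements IdentityStore {

    // Constructed test data standing in for a directory; a real store would
    // never hold plaintext passwords like this.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Set<String>> GROUPS = Map.of("alice", Set.of("admin"));

    // Flip to simulate a backend outage and observe that validate() throws.
    static volatile boolean backendDown = false;

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            // Not our credential type: nothing was checked, so say so.
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String caller = upc.getCaller();

        String stored = lookupPassword(caller); // propagates RuntimeException on backend error
        if (stored == null) {
            return CredentialValidationResult.INVALID_RESULT; // unknown caller
        }
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = upc.getPasswordAsString().getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) { // constant-time compare
            return CredentialValidationResult.INVALID_RESULT; // checked, and wrong
        }
        return new CredentialValidationResult(caller, GROUPS.getOrDefault(caller, Set.of()));
    }

    private String lookupPassword(String caller) {
        if (backendDown) {
            // Network/config errors are exceptions, not NOT_VALIDATED.
            throw new IllegalStateException("identity backend unreachable");
        }
        return PASSWORDS.get(caller);
    }
}
```

With two stores registered this way, a `UsernamePasswordCredential` for `alice` reaches `InMemoryPasswordStore` and gets a definite answer, a token credential of some other type falls through as `NOT_VALIDATED` to whichever store handles it, and an outage produces an exception the container can log and turn into a 500 rather than a silent "not validated" that looks like a wrong password.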