Description
Overview
Currently, with the appSecurity-6.0 feature or later, if one or more identity stores are configured within a Liberty application, the authentication workflow unconditionally uses those identity stores for username/password validation and for group lookup during authorization. An operator cannot disable the use of application-configured identity stores.
For example, if a class in your application carried the following annotation:

```java
@InMemoryIdentityStoreDefinition(
    value = {
        @Credentials(callerName = "jasmine", password = "secret1", groups = { "caller", "user" }),
    }
)
public class ApplicationConfig { // any CDI bean in the application
}
```
and also defined a custom identity store via:

```java
@ApplicationScoped
public class CustomIdentityStore implements IdentityStore {
    // custom code here
}
```
then authentication of a username and password will always consult the identity stores (which are also searched for group information), unless the application has also coded a custom identity store handler that alters this usage.
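To make concrete what "involving the identity stores" means, here is an added example (not code from this issue or from the Open Liberty project) of a custom identity store together with a custom identity store handler, written against the public Jakarta Security 4.0 API that appSecurity-6.0 provides. The caller `jasmine`/`secret1` and the groups are constructed sample data taken from the annotation above; the handler class name and its priority-ordering/fail-closed policy are this example's own choices, not a description of Liberty's default handler. The two classes are shown as two source files.

```java
// File: CustomIdentityStore.java
// Added example, not project code. Assumes Jakarta Security 4.0 + CDI on the classpath.
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;

/** Validates one constructed caller and supplies one extra group for it. */
@ApplicationScoped
public class CustomIdentityStore implements IdentityStore {

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential upc)) {
            // Not a credential type this store understands: NOT_VALIDATED lets another store decide.
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        // compareTo() checks caller name and password; "jasmine"/"secret1" are sample values only.
        if (upc.compareTo("jasmine", "secret1")) {
            return new CredentialValidationResult("jasmine", Set.of("caller"));
        }
        // Wrong password for a caller this store owns must be INVALID, not NOT_VALIDATED,
        // otherwise a handler may keep looking and another store could accept the login.
        return CredentialValidationResult.INVALID_RESULT;
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult result) {
        // Called by the handler for stores that PROVIDE_GROUPS (the default validationTypes()).
        return "jasmine".equals(result.getCallerPrincipal().getName()) ? Set.of("user") : Set.of();
    }

    @Override
    public int priority() {
        return 50; // lower value = consulted earlier by a priority-ordered handler
    }
}

// File: CustomIdentityStoreHandler.java
// Added example, not project code. A CDI bean implementing IdentityStoreHandler replaces the
// default handler; this is the "custom identity store handler" the issue says can alter store usage.
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Inject;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.CredentialValidationResult.Status;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStore.ValidationType;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;

@ApplicationScoped
public class CustomIdentityStoreHandler implements IdentityStoreHandler {

    @Inject
    private Instance<IdentityStore> identityStores; // every IdentityStore bean in the application

    @Override
    public CredentialValidationResult validate(Credential credential) {
        List<IdentityStore> stores = identityStores.stream()
                .sorted(Comparator.comparingInt(IdentityStore::priority))
                .collect(Collectors.toList());

        // Phase 1: ask validating stores in priority order; stop at the first VALID.
        // Policy chosen for this example: fail closed on the first INVALID.
        CredentialValidationResult validated = CredentialValidationResult.NOT_VALIDATED_RESULT;
        for (IdentityStore store : stores) {
            if (!store.validationTypes().contains(ValidationType.VALIDATE)) {
                continue;
            }
            CredentialValidationResult r = store.validate(credential);
            if (r.getStatus() == Status.INVALID) {
                return r;
            }
            if (r.getStatus() == Status.VALID) {
                validated = r;
                break;
            }
        }
        if (validated.getStatus() != Status.VALID) {
            return validated; // NOT_VALIDATED: no store could decide on this credential
        }

        // Phase 2: merge groups from the validating result and every group-providing store.
        Set<String> groups = new HashSet<>(validated.getCallerGroups());
        for (IdentityStore store : stores) {
            if (store.validationTypes().contains(ValidationType.PROVIDE_GROUPS)) {
                groups.addAll(store.getCallerGroups(validated));
            }
        }
        return new CredentialValidationResult(validated.getCallerPrincipal(), groups);
    }
}
```

With both classes deployed, a form or basic login for `jasmine`/`secret1` yields a VALID result for caller `jasmine` with groups `caller` and `user`, and any other password for `jasmine` is rejected by the custom store before any other store is consulted. The point for this issue is that all of that policy lives in application code: an operator who wants the server's user registry to be authoritative has no server-level switch that takes precedence over this handler, which is what the request below asks for.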
The Issue
An operator may want to not use application defined identity stores, even if there is a custom identity store handler, and they may want to instead fall back on the externally configured user registry.
The Request
To allow all identity stores to be conditionally excluded from the authentication and authorization process during an HTTP authentication workflow.
Acceptance Criteria
Given I am running a Liberty application which has configured one or more identity stores
And those identity stores have been configured via annotations or by custom classes
And I have explicitly configured Liberty to skip identity store processing
When I perform an action which triggers the web authentication flow
Then the identity stores are not involved in the web authentication process at all.
(new behaviour when a new configuration variable is explicitly set to skip identity store processing)
Given I am running a Liberty application which has configured one or more identity stores
And those identity stores have been configured via annotations or by custom classes
And I have explicitly configured Liberty to NOT skip identity store processing
When I perform an action which triggers the web authentication flow
Then the identity stores are involved in the web authentication process as "per usual".
(old behaviour when a new configuration variable is explicitly set to not skip identity store processing)
Given I am running a Liberty application which has configured one or more identity stores
And those identity stores have been configured via annotations or by custom classes
And I have NOT configured Liberty in any way to skip identity store processing (i.e. not added any new variables or attributes in server.xml)
When I perform an action which triggers the web authentication flow
Then the identity stores are involved in the web authentication process as "per usual".
(regression testing the old behaviour when the new configuration variable is not set at all)
Given I am running a Liberty application which has configured one or more identity stores
And those identity stores have been configured via annotations or by custom classes
And I have also configured a custom identity store handler
And I have explicitly configured Liberty to skip identity store processing
When I perform an action which triggers the web authentication flow
Then the identity stores are not involved in the web authentication process at all.
(new behaviour: when the new configuration variable is explicitly set to skip identity store processing, the custom identity store handler is bypassed as well)
Given I am browsing the Open Liberty server configuration docs
When I look for information on how to skip identity store processing
Then a variable exists which documents name, description, type, possible values, default value and location
And the documentation makes it clear that this applies to all applications.
Notes
As the acceptance criteria states, this configuration variable being set applies at the Liberty server level, i.e. for all applications. It cannot be conditionally set per application.
This conditional applies to all identity stores, both built-in (in-memory, database and LDAP) and custom ones.
This conditional cannot be overridden by a custom identity store. If the conditional is set, the custom identity store is not used.
As this is for appSecurity-6.0, the Jakarta Authentication (JASPIC) workflow is involved; therefore, by skipping identity store processing, the authentication flow behaves exactly as if no identity stores were configured at all and falls back on the user registry.