Implementing a Provider for validating the passed Principal

In a Spring deployment with principal-based security (Security.Authentication.Mode = principal), you may want to validate the passed principal on the server side. To do so, implement the interface org.eclipse.stardust.engine.core.spi.security.PrincipalValidator.

Implementing the Interface

The interface lets you validate the given principal:

@SPI(status = Status.Stable, useRestriction = UseRestriction.Public)
public interface PrincipalValidator
{
   boolean isValid(Principal principal);
}

By default, the principal validator org.eclipse.stardust.engine.core.spi.security.AlwaysValidPrincipalValidator is configured. Its isValid method always returns true, i.e. every passed principal is treated as valid, so no server-side validation takes place until another validator is configured.

public class AlwaysValidPrincipalValidator implements PrincipalValidator
{
   @Override
   public boolean isValid(Principal ignored)
   {
      return true;
   }
}

Specifying another Principal Validator

To use another principal validator, set the server-side property Security.Principal.Validator in your carnot.properties file to the fully qualified name of the class that should be used as principal validator.
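The following is an added example, not code from the Stardust project: a fail-closed validator that could replace the default one. The package and class name, the naming policy and the deny list are hypothetical, and the Principal type is assumed to be java.security.Principal.

```java
package com.example.security; // hypothetical package name

import java.security.Principal; // assumption: the Principal type used by the SPI
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import org.eclipse.stardust.engine.core.spi.security.PrincipalValidator;

/**
 * Fail-closed replacement for AlwaysValidPrincipalValidator.
 * Enable it in the server-side carnot.properties:
 *   Security.Principal.Validator = com.example.security.StrictPrincipalValidator
 * The implicit public no-argument constructor is kept on the assumption
 * that the engine instantiates the class from its configured name.
 */
public class StrictPrincipalValidator implements PrincipalValidator
{
   // Constructed policy: 1-64 characters, letters, digits, '.', '_' and '-' only.
   private static final Pattern WELL_FORMED = Pattern.compile("[A-Za-z0-9._-]{1,64}");

   // Constructed sample deny list of shared accounts (compared in lower case).
   private static final Set<String> DENIED =
         new HashSet<String>(Arrays.asList("guest", "anonymous"));

   @Override
   public boolean isValid(Principal principal)
   {
      // A missing principal or a missing name is never valid.
      if (principal == null || principal.getName() == null)
      {
         return false;
      }
      String name = principal.getName();
      // Reject empty names, whitespace, control characters and over-long values.
      if (!WELL_FORMED.matcher(name).matches())
      {
         return false;
      }
      // Locale.ROOT keeps the comparison independent of the server's default locale.
      return !DENIED.contains(name.toLowerCase(Locale.ROOT));
   }
}
```

Every path that does not explicitly pass the checks returns false, so a malformed or unexpected principal is rejected rather than accepted by default.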

Generating a Signature in a clustered Environment

In a clustered environment, it is recommended to generate a signature for authenticated principals, so that each node does not generate its own value, which would be incompatible with the other nodes. You can set this signature via the property Security.Principal.Secret in your server-side carnot.properties. Principals with invalid signatures are denied. If this property is not set, a randomized value is generated.