fe-authentication-api defines the core authentication data model used by protocol adapters,
handler orchestration, and plugins.
This module intentionally stays small and stable:
- No plugin loading logic
- No protocol-specific handshake logic
- No authorization model (
Subject/Identityare deprecated and removed)
Protocol-agnostic authentication input.
AuthenticationRequest request = AuthenticationRequest.builder()
.username("alice")
.credentialType(CredentialType.CLEAR_TEXT_PASSWORD)
.credential("password123".getBytes(StandardCharsets.UTF_8))
.remoteHost("192.168.1.100")
.remotePort(9030)
.clientType("mysql")
.property("trace_id", "req-123")
.build();Key fields:
usernamecredentialTypecredentialremoteHost/remotePortclientTypeproperties
Authentication output identity contract.
Principal principal = BasicPrincipal.builder()
.name("alice")
.authenticator("corp_ldap")
.externalPrincipal("uid=alice,ou=users,dc=example,dc=com")
.addExternalGroup("developers")
.attribute("email", "alice@example.com")
.build();Copy from existing principal:
Principal updated = BasicPrincipal.builder(principal)
.attribute("department", "data")
.build();Authentication result is state-driven:
SUCCESSCONTINUEFAILURE
AuthenticationResult ok = AuthenticationResult.success(principal);
AuthenticationResult okWithCredentialExpiration = AuthenticationResult.success(principal, expiresAtMillis);
AuthenticationResult okWithoutCredentialExpiration =
AuthenticationResult.success(principal, AuthenticationResult.NO_CREDENTIAL_EXPIRATION);
AuthenticationResult needMore = AuthenticationResult.continueWith(state, challenge);
AuthenticationResult failed = AuthenticationResult.failure("Invalid credential");A named auth configuration instance.
AuthenticationIntegration integration = AuthenticationIntegration.builder()
.name("corp_ldap")
.type("ldap")
.property("server", "ldap://ldap.example.com:389")
.property("base_dn", "dc=example,dc=com")
.comment("Corporate LDAP")
.build();User-to-integration binding model.
AuthenticationBinding binding = AuthenticationBinding.forUser("alice", "corp_ldap");Built-in credential type constants (string-based, extensible):
MYSQL_NATIVE_PASSWORDCLEAR_TEXT_PASSWORDKERBEROS_TOKENOAUTH_TOKENOIDC_ID_TOKENX509_CERTIFICATEJWT_TOKENSAML_ASSERTION
Authentication failure reason object.
Use it in two ways:
- Return expected auth failures via
AuthenticationResult.failure(...) - Throw only for internal/plugin errors
- API objects are immutable after construction.
byte[]fields are carried as-is by design; treat them as sensitive and short-lived.- Authorization-layer models are intentionally out of this module.
cd fe-authentication-api
mvn test