In a Spring deployment with principal-based security (Security.Authentication.Mode = principal), you might like to validate the passed principal on server side. For that purpose you can implement the interface org.eclipse.stardust.engine.core.spi.security.PrincipalValidator.
The interace allows to validate the given principal:
@SPI(status = Status.Stable, useRestriction = UseRestriction.Public)
public interface PrincipalValidator
{
boolean isValid(Principal principal);
}
By default, the principal validator org.eclipse.stardust.engine.core.spi.security.AlwaysValidPrincipalValidator is configured whose validation outcome always returns true, i.e. the principal is valid.
public class AlwaysValidPrincipalValidator implements PrincipalValidator
{
@Override
public boolean isValid(Principal ignored)
{
return true;
}
}
Another principal validator may be specified by setting the server-side property Security.Principal.Validator in your carnot.properties file to the fully qualified class name of the class which should be used as principal validator.
In a clustured environment, it is recommended to generate a signature for authenticated principals to prevent that each node will generate its own value which is incompatible with the other nodes. You can set this signature via a property Security.Principal.Secret in your server-side carnot.properties. Principals with invalid signatures will be denied. If this property is not set, a randomized value will be generated.