
Authentication interface should return Optional<Principal>

Open windbender opened this issue 8 years ago • 2 comments

Right now the Authentication interface assumes a username/password. If instead something like a JsonWebToken is used to authenticate (e.g. via web socket), then there is no concept of a username until after such time as the JWT is decoded. Therefore it makes most sense to me to change the return values of the authentication interface to something like Optional<java.security.Principal>. In this way we can indicate LACK of authentication as Optional.absent(), while a successful authentication would be indicated with a class which implements the java.security.Principal interface (which may be as simple as a wrapper around said username).

An additional advantage to this interface is that the pre-authenticated Principal can be one of the parameters into the IAuthorizator's two methods, and hence allows the possibility of passing more data into the authorizer than a simple username (e.g. groups, or roles).

windbender, May 06 '16 17:05

This could be an interesting feature, but two considerations arise:

  1. the use of Optional is not available in Java 7; for now Moquette uses JDK 7 but should be ported to 8
  2. the username is mandatory because it is used in the grants to the topics.

But what is this JsonWebToken?

andsel, May 07 '16 17:05

1. is certainly a potential problem. Perhaps ask on the mailing list how many people would be concerned about swapping up to Java 8? If the project wants to stay on Java 7 then it could also just return "null" for failure to authenticate.

2. username is mandatory on the INPUT to the authentication since this is a typical way to authenticate in MQTT (though the project should also consider using client certificates for authentication as well). However, authorization should start with a Principal, because this object could be the result of multiple possible processes including username/password or client certificate authentication.

windbender, May 07 '16 21:05
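The contract proposed in the opening post and in the last reply (authentication returning an Optional Principal, authorization consuming that Principal rather than a raw username), sketched in Java 8 as an added example that is not moquette's code. The Authenticator, Authorizator and RolePrincipal names and the sample credentials are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;

// Sketch of the contract proposed in the issue; these names are hypothetical, not moquette's actual API.
interface Authenticator {
    // Empty means "not authenticated"; a present Principal is the only way into authorization.
    Optional<Principal> authenticate(String clientId, String username, byte[] password);
}
interface Authorizator {
    boolean canRead(String topic, Principal who, String clientId);
    boolean canWrite(String topic, Principal who, String clientId);
}

// A Principal that carries roles established at authentication time, not only a username.
final class RolePrincipal implements Principal {
    private final String name;
    private final Set<String> roles;
    RolePrincipal(String name, Set<String> roles) { this.name = name; this.roles = Collections.unmodifiableSet(new HashSet<>(roles)); }
    @Override public String getName() { return name; }
    Set<String> roles() { return roles; }
}

// Username/password authenticator over a constructed in-memory table (sample data; a real store would hold hashes).
final class PasswordAuthenticator implements Authenticator {
    private final Map<String, byte[]> secrets = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();
    PasswordAuthenticator() {
        secrets.put("alice", "s3cret".getBytes(StandardCharsets.UTF_8));
        roles.put("alice", Collections.singleton("publisher"));
    }
    @Override public Optional<Principal> authenticate(String clientId, String username, byte[] password) {
        byte[] expected = username == null ? null : secrets.get(username);
        // Constant-time compare; an unknown user fails exactly like a wrong password.
        if (expected == null || password == null || !MessageDigest.isEqual(expected, password)) return Optional.empty();
        return Optional.of(new RolePrincipal(username, roles.getOrDefault(username, Collections.<String>emptySet())));
    }
}

// Authorization keyed on the Principal: the name grants a private subtree, roles grant wider rights.
final class RoleAuthorizator implements Authorizator {
    @Override public boolean canRead(String topic, Principal who, String clientId) {
        return topic.startsWith("users/" + who.getName() + "/") || rolesOf(who).contains("admin");
    }
    @Override public boolean canWrite(String topic, Principal who, String clientId) {
        return topic.startsWith("users/" + who.getName() + "/") || rolesOf(who).contains("publisher");
    }
    private static Set<String> rolesOf(Principal p) {
        return p instanceof RolePrincipal ? ((RolePrincipal) p).roles() : Collections.<String>emptySet();
    }
}
```

A broker wiring this would evaluate `authenticate(clientId, user, pw).map(p -> authz.canWrite(topic, p, clientId)).orElse(false)`, so an empty Optional can only end in a refused connection and never reaches a topic grant. A certificate- or token-based Authenticator would plug in by producing its own RolePrincipal from the verified certificate or claims.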