Peter Major

AME-8532 Review changes
AME-8532 Multicert support for decrypting SAML messages
Code Review updates
Update license headers
Support multiple KeyDescriptors during signature verification
Adjust getVerificationCerts to work with more than one KeyDescriptors
Use constants
Remove duplicated code
Create plural versions of KeyUtil methods
OPENAM-6395 Resolve build issue
I think it would be better if the psearch impl gets refactored to use ScheduledExecutorService (via ExecutorServiceFactory) instead of the legacy SystemTimerPool code. That should mean that when AM gets shut down, the ExecutorService will be shut down as well, so either the reconnect task would kick off and fail to connect, or the ExecutorService would reject the new task straight away, which could be handled somewhat similarly to what is done here.

If I'm understanding correctly, the proposed fix for this will be to modify the REST API's realm detection yet again, so that the path will not use the DNS alias as a base; instead, similarly to the query parameter, the path will override the realm determined by the DNS alias.

equalsIgnoreCase may cause some problems with systems where the user ID is case sensitive. Shall we use "openam.session.case.sensitive.uuid" system property and do equals/equalsIgnoreCase based on that?

Looking at UserSelfCheckCondition, that appears to also be doing equalsIgnoreCase, so maybe we should just put this on the account of badly implemented case-sensitive user ID support in OpenAM?

This should. Delegation permissions will be evaluated at the IdServicesImpl layer and that will prevent any invalid attempts of changing passwords.
For the sake of sanity:
Quentin CASTEL, please detail how exactly you tested this change in your env?

s/points/point

+1

Please follow https://wikis.forgerock.org/confluence/display/openam/Writing+JavaDoc then.

it's not really parsing anything?

spurious space

grater?

s/isBlank/isEmpty

no need for casting.

or fallback to the default implementation here?

should we use the defaultValue version with the default impl?

Similarly, I think there is not much gain by exposing both id and secretkeyattrName to this extension, as probably every impl would start with calling getAttribute() (which would be cumbersome for every impl, as they would need to write some exception handling for the IdRepoExceptions).

the minSecretKeyLength probably shouldn't be part of the interface, as that validation potentially should be done for all secret keys regardless of how they are being retrieved.

as discussed previously, this should be part of the default implementation; we should allow a custom storage format for these
