JASPIC 1.0 does not specify whether, under the Servlet profile, container services such as CDI should be available at the time a SAM is called at the start of a request.
In some implementations (e.g. JBoss EAP 6.0.1) those services are indeed fully available, while in other implementations (e.g. GlassFish 126.96.36.199) the services are partially available. In yet other implementations (e.g. WebLogic 12c 12.1.1) those services are not available at all.
Having this support is important for a number of use cases, e.g.:
- Fetching users via EJB/JPA for a database-based auth module
- Generating and persisting tokens for "remember me" functionality
- Creating a user locally after a first-time authentication with an external provider (e.g. OpenId)
Ideally the support would be at the same level as that of a Servlet Filter, meaning the CDI request and session scopes are available, the "java:comp", "java:module", "java:app", etc. JNDI namespaces have been set up, injection is possible, etc.
In order to support injection as well, the Factory API might need variants of its methods that take a Class type instead of an object instance, analogous to addFilter(String, Filter) vs addFilter(String, Class). There might also need to be methods like createSam(Class), in analogy to createFilter and similar methods.
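
Because availability differs per container, a SAM that depends on CDI has to resolve it at request time and refuse to authenticate when it is missing. The following is an added example, not code from the specification or any implementation; the class name and the `CallerResolver` bean are hypothetical, and `java:comp/BeanManager` is the standard Java EE 6 JNDI name.

```java
import java.util.Map;
import javax.enterprise.context.ContextNotActiveException;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.spi.Bean;
import javax.enterprise.inject.spi.BeanManager;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContainerAwareSam implements ServerAuthModule {
    /** Hypothetical application bean (assumption): returns the caller name, or null if unauthenticated. */
    public interface CallerResolver { String resolve(HttpServletRequest request); }
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler handler, Map options) {
        this.handler = handler;
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        try {
            // Resolvable only if the container set up java:comp before invoking the SAM.
            BeanManager bm = (BeanManager) new InitialContext().lookup("java:comp/BeanManager");
            bm.getContext(RequestScoped.class); // throws ContextNotActiveException if the scope is inactive
            Bean<?> bean = bm.resolve(bm.getBeans(CallerResolver.class));
            if (bean == null) throw new AuthException("No CallerResolver bean found");
            CallerResolver resolver = (CallerResolver) bm.getReference(
                    bean, CallerResolver.class, bm.createCreationalContext(bean));
            String caller = resolver.resolve((HttpServletRequest) info.getRequestMessage());
            // A null name makes the container establish its unauthenticated caller principal.
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, caller) });
            return AuthStatus.SUCCESS;
        } catch (NamingException | ContextNotActiveException e) {
            // Fail closed: never fall through to SUCCESS when container services are missing.
            throw (AuthException) new AuthException("Container services unavailable in SAM").initCause(e);
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("Callback handling failed").initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { }
}
```

On a container that provides no services to the SAM, every request ends in an `AuthException` rather than an authenticated session, which makes the portability gap visible during deployment testing.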