Type: New Feature
In Java EE and specifically in JASPIC there is somewhat of an assumption that a single authentication method is configured (in many cases even mostly outside the application).
While for some classes of applications this has clear benefits, it doesn't particularly play nice with the increasingly popular practice that web applications offer their users a choice for their login method.
For instance, stackoverflow.com currently displays the following login choices:
- Log in with StackExchange
- Log in with Google
- Log in with Facebook
- Log in with Yahoo!
To make it possible to implement this use case I would like to request that JASPIC adds some level of support for this.
One way to do this could be via the existing authentication context and perhaps via the concept of having different "authentication stacks". (Note that JASPIC_SPEC-15 is related to this, but instead asks how auth modules in a single stack interact.)
With this concept, each such stack (possibly consisting of only a single SAM) is named and corresponds with an authentication mechanism (e.g. "native form", or "OpenId-Wordpress", etc).
For the Web Profile the application can then programmatically set an authentication mechanism for the current session by calling a variant on the request#authenticate method, e.g. request#authenticateWith(String, Request, Response), where the provided String parameter is a name that corresponds with one of the pre-configured stacks. Such a new method would require coordination with the Servlet spec of course.
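
A minimal model of the named-stack idea described above, as an added example that is not part of the original request or of any JASPIC or Servlet API. The types, the session keys and the rule that every module in a stack must succeed are assumptions made for illustration; it shows the mechanism name being resolved only against pre-configured stacks.

```java
import java.util.*;

// Hypothetical model of the proposal; none of these types exist in JASPIC or Servlet.
public class NamedAuthStacks {
    /** Stand-in for a SAM: returns the caller principal name, or null on failure. */
    interface Module { String validate(Map<String, String> request); }

    // Pre-configured stacks, keyed by mechanism name.
    private final Map<String, List<Module>> stacks = new LinkedHashMap<>();

    void register(String name, Module... modules) { stacks.put(name, List.of(modules)); }

    Set<String> mechanisms() { return stacks.keySet(); }  // what a login page would list

    /** Sketch of authenticateWith(String, Request, Response). */
    String authenticateWith(String name, Map<String, String> request, Map<String, Object> session) {
        List<Module> stack = stacks.get(name);
        if (stack == null) {  // the name must match a pre-configured stack
            throw new IllegalArgumentException("unknown authentication mechanism");
        }
        String principal = null;
        for (Module m : stack) {  // assumption: every module in the stack must succeed
            principal = m.validate(request);
            if (principal == null) break;
        }
        if (principal == null) return null;  // a module failed, or the stack is empty
        session.put("auth.mechanism", name);  // remembered for the current session
        session.put("auth.principal", principal);
        return principal;
    }

    public static void main(String[] args) {
        NamedAuthStacks auth = new NamedAuthStacks();
        // Constructed placeholder modules, not real credential or OpenID checks.
        auth.register("native form", r -> "s3cret".equals(r.get("password")) ? r.get("user") : null);
        auth.register("OpenId-Wordpress", r -> r.get("openid.identity"));

        Map<String, Object> session = new HashMap<>();
        Map<String, String> request = Map.of("user", "alice", "password", "s3cret");
        System.out.println(auth.mechanisms());
        System.out.println(auth.authenticateWith("native form", request, session));
        System.out.println(session.get("auth.mechanism"));
        try {
            auth.authenticateWith("not-configured", request, session);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```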