1. jaspic-spec

Portable way for auth module to ask container to automatically apply auth session


    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Labels:


      Per JASPIC_SPEC-3 an authentication module can ask the container to create an authentication session, meaning the container "remembers" the established authenticated identity. This is a major step forward for authentication modules that don't have a requirement to maintain such a session in a custom way.

      However, even when the SAM has asked the container to create this session, the SAM is called at every request (as per the Servlet Container profile requirements) and the SAM has to tell the container it (still) wants to continue with the previously established authenticated identity by executing code like the following:

      // Excerpt from a ServerAuthModule: "handler" is the CallbackHandler received in initialize(),
      // and SUCCESS is statically imported from javax.security.auth.message.AuthStatus.
      public AuthStatus doValidateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
          HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
          // Non-null when the container still holds the identity from a registered authentication session
          Principal userPrincipal = request.getUserPrincipal();
          try {
              if (userPrincipal != null) {
                  // Re-apply the remembered identity to the current request
                  handler.handle(new Callback[] {
                      new CallerPrincipalCallback(clientSubject, userPrincipal) });
                  return SUCCESS;
              }
              // Rest of auth code here (the elided part is what throws ServletException
              // and returns the AuthStatus for the not-yet-authenticated case)
          } catch (ServletException | IOException | UnsupportedCallbackException e) {
              throw (AuthException) new AuthException().initCause(e);
          }
      }

      In order to make a common case easier, where the SAM simply always wants to continue with the previously established authenticated identity until the authentication session is ended (by whatever means), I'd like to propose to add a way for the SAM to ask the container to automatically apply the identity stored in the authentication session to the current request.

      After the SAM has asked for this AND an authenticated identity has been established, the SAM would indeed not be called anymore as long as the authentication session is valid (exists).

      This might be implemented by defining another key to be put in the MessageInfo map that works alongside the existing key for asking a session, as follows:

      • javax.servlet.http.registerSession - Container registers a session, but SAM still called every request and SAM decides to use this or not.
      • javax.servlet.http.autoApplySession - If container has a session, it uses this and does not call the SAM.


        There are no comments yet on this issue.


          • Assignee:
            arjan tijms
          • Votes:
            5
          • Watchers:
            1


            • Created: