Per JASPIC_SPEC-3 an authentication module can ask the container to create an authentication session, meaning the container "remembers" the established authenticated identity. This is a major step forward for authentication modules that don't have a requirement to maintain such a session in a custom way.
However, even when the SAM has asked the container to create this session, the SAM is called at every request (as per the Servlet Container profile requirements) and the SAM has to tell the container it (still) wants to continue with the previously established authenticated identity by executing code like the following:
In order to make a common case easier, where the SAM simply always wants to continue with the previously established authenticated identity until the authentication session is ended (by whatever means), I'd like to propose to add a way for the SAM to ask the container to automatically apply the identity stored in the authentication session to the current request.
After the SAM has asked for this AND an authenticated identity has been established, the SAM would indeed not be called anymore as long as the authentication session is valid (exists).
This might be implemented by defining another key to be put in the MessageInfo map that works alongside the existing key for asking a session, as follows:
- javax.servlet.http.registerSession - Container registers a session, but SAM still called every request and SAM decides to use this or not.
- javax.servlet.http.autoApplySession - If the container has a session, it uses this and does not call the SAM.