Type: New Feature
For several use cases it would be quite convenient if JASPIC threw events at several important moments of the authentication message exchange.
Such events could be:
User code could possibly register for such events in the same way such code can register for events from the Servlet container: by annotating the listener class and implementing an interface.
Additionally, CDI-style events can be supported as well.
Use cases for such event listeners are among others:
- Keeping track of the number of logged-in users
- Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
- Creating a new local user after the first successful authentication via a remote authentication provider
- Loading application-specific preferences into the HTTP session after a user logs in
Specifically for the second use case, a PreAuthenticate listener should be able to veto the authentication attempt (to which JASPIC could respond by e.g. sending a 403 to the client).
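
A sketch of the second use case, added here as an illustration and not part of the original request or of any JASPIC API: the `AuthenticationListener` interface, its method names, the `FailedLoginThrottle` class and the `login` stand-in for the container are all hypothetical, and the limits (3 failures in 15 minutes) are constructed values.

```java
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class AuthEventsDemo {
    // Hypothetical listener contract; JASPIC defines no such interface today.
    interface AuthenticationListener {
        boolean preAuthenticate(String account);               // false = veto the attempt
        void postAuthenticate(String account, boolean success);
    }

    // Keeps a sliding window of failure timestamps per account and vetoes at the limit.
    static class FailedLoginThrottle implements AuthenticationListener {
        private final int maxFailures; private final Duration window; private final Clock clock;
        private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();
        FailedLoginThrottle(int maxFailures, Duration window, Clock clock) {
            this.maxFailures = maxFailures; this.window = window; this.clock = clock;
        }
        public boolean preAuthenticate(String account) {
            Deque<Instant> q = failures.get(account);
            if (q == null) return true;
            synchronized (q) {
                Instant cutoff = clock.instant().minus(window);
                while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) q.pollFirst();
                return q.size() < maxFailures;   // expired failures no longer count
            }
        }
        public void postAuthenticate(String account, boolean success) {
            if (success) { failures.remove(account); return; }  // reset on success
            Deque<Instant> q = failures.computeIfAbsent(account, k -> new ArrayDeque<>());
            synchronized (q) { q.addLast(clock.instant()); }
        }
    }

    // Stand-in for the container: returns the HTTP status it would send.
    static int login(AuthenticationListener l, String account, boolean passwordOk) {
        if (!l.preAuthenticate(account)) return 403;  // vetoed: credentials are never checked
        l.postAuthenticate(account, passwordOk);
        return passwordOk ? 200 : 401;
    }

    public static void main(String[] args) {
        AuthenticationListener l =
            new FailedLoginThrottle(3, Duration.ofMinutes(15), Clock.systemUTC());
        for (int i = 1; i <= 4; i++)
            System.out.println("attempt " + i + ", bad password -> " + login(l, "alice", false));
        System.out.println("correct password while locked -> " + login(l, "alice", true));
        System.out.println("other account -> " + login(l, "bob", true));
    }
}
```

Because the counter is keyed on the submitted account name, a veto also blocks the legitimate owner of that account for the length of the window, and the map grows with every distinct name submitted, so a real listener would bound its size and consider keying on source address as well.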