Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Labels:
      None

      Description

      For several use cases it would be quite convenient if JASPIC would throw events at several important moments of the authentication message exchange.

      Such events could be:

      • PreAuthenticate
      • PostAuthenticate
      • PreLogout
      • PostLogout

      User code could possibly register for such events in the same way such code can register for events from the Servlet container; annotating the listener class and implementing an interface.

      E.g.

      @SecurityListener
      public class MyListener implements AuthenticationListener  {
      
          public void preAuthenticate(AuthEvent authEvent) {
              // ...
          }
      
          public void postAuthenticate(AuthEvent authEvent) {
              // ...
          }
      }
      

      Additionally CDI style events can be supported as well.

      Use cases for such event listeners are among others:

      • Keeping track of the number of logged-in users
      • Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
      • Creating a new local user after the first successful authentication via a remote authentication provider
      • Loading application specific preferences into the HTTP session after a user logs in

      Specifically for the second use case a PreAuthenticate listener should be able to veto the authentication attempt (at which JASPIC could respond by e.g. sending a 403 to the client).
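The brute-force use case with a vetoing pre-authenticate listener could look like the sketch below. This is an added example, not part of the original issue and not JASPIC API: `AuthEvent`, its fields, the `vetoed` flag and the assumption that the presented account name is already available before authentication are all hypothetical, and the `@SecurityListener` registration is left out.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical types sketched from the proposal above; JASPIC defines none of them.
class AuthEvent {
    final String callerName;   // assumed: account name the client presented
    final boolean success;     // assumed: outcome, only meaningful in postAuthenticate
    boolean vetoed;            // assumed: set by a listener to reject the attempt
    AuthEvent(String callerName, boolean success) { this.callerName = callerName; this.success = success; }
}

interface AuthenticationListener {
    void preAuthenticate(AuthEvent event);
    void postAuthenticate(AuthEvent event);
}

public class LockoutListener implements AuthenticationListener {
    private static final int MAX_FAILURES = 5;
    private static final Duration LOCKOUT = Duration.ofMinutes(15);
    private record Failures(int count, Instant last) {}
    // Unbounded here; a deployment would cap or expire entries, since names are client-supplied.
    private final Map<String, Failures> failures = new ConcurrentHashMap<>();

    @Override
    public void preAuthenticate(AuthEvent event) {
        Failures f = failures.get(key(event));
        // Veto only while the account is over the limit and still inside the lockout window.
        if (f != null && f.count() >= MAX_FAILURES && Instant.now().isBefore(f.last().plus(LOCKOUT))) {
            event.vetoed = true;   // the container would answer with e.g. 403 and skip the auth module
        }
    }

    @Override
    public void postAuthenticate(AuthEvent event) {
        if (event.success) { failures.remove(key(event)); return; }
        Instant now = Instant.now();
        // Count the failure; restart from 1 if the previous failure is older than the window.
        failures.merge(key(event), new Failures(1, now), (old, one) ->
            old.last().plus(LOCKOUT).isBefore(now) ? one : new Failures(old.count() + 1, now));
    }

    private static String key(AuthEvent e) { return e.callerName.toLowerCase(Locale.ROOT); }

    public static void main(String[] args) {   // constructed run: five bad passwords, then one more attempt
        LockoutListener l = new LockoutListener();
        for (int i = 0; i < MAX_FAILURES; i++) l.postAuthenticate(new AuthEvent("Alice", false));
        AuthEvent next = new AuthEvent("alice", false);
        l.preAuthenticate(next);
        System.out.println("vetoed=" + next.vetoed);
    }
}
```

Keying on the lower-cased account name keeps case variants of one account in a single counter; per-account lockout of this kind also lets a third party lock a known account out, which is why the counter resets after the window rather than staying locked.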

          People

          • Assignee:
            Unassigned
            Reporter:
            arjan tijms