Issue Details

Key: JASPIC_SPEC-22
Type: New Feature
Status: Open
Priority: Major
Assignee: Unassigned
Reporter: arjan tijms
Votes: 2
Watchers: 0
Project: jaspic-spec

Modification of authenticated identity without re-authentication

Created: 04/May/13 06:34 PM   Updated: 04/May/13 06:34 PM
Component/s: None
Affects Version/s: None
Fix Version/s: None

Time Tracking:
Not Specified

Tags:
Participants: arjan tijms


Description

A common use case in web applications is that users log-in with their email address, which then becomes the user/caller principal once authenticated.

A user should be allowed to change her email address, but this is not easily supported by JASPIC, since this also requires a re-authentication, which in turn likely needs the original credentials used for authentication (which a secure application of course does not store, so cannot use for this case).

This means that a user either needs to provide these credentials together with the action of changing the email, which is not entirely user-friendly in the first place. Those provided credentials may possibly not even be usable for programmatic re-authentication if the SAM that's used only supports asking for them directly from the user.

Another option is to immediately log the user out after changing the email, which again is not really user friendly.

Something similar holds for roles; a user may obtain new roles during a session (for example by making a payment, or obtaining a reward for some online action, etc). Requiring the user to log-out and log-in again for the new role to take effect is not always desirable.

See also: http://stackoverflow.com/questions/2487224/how-to-handle-dynamic-role-or-username-changes-in-jsf

In order to support such use cases I'd like to propose that the possibility to handle changes to the authenticated identity without the need for a manual logout and login (re-authenticate) be added to JASPIC.

One possibility could be for a variant on HttpServletRequest#authenticate that takes one or more Callbacks, and the definition of several new Callbacks, e.g.

  • AddGroupPrincipalCallback - Adds a new group/role to the authenticated identity
  • RemoveGroupPrincipalCallback - Removes an existing group/role from the authenticated identity
  • UpdateCallerPrincipalCallback - Updates the caller principal in the authenticated identity
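To make the limitation concrete, the following is an added example (not code from this issue, the JASPIC specification, or any reference implementation) of a minimal ServerAuthModule that uses the callbacks JASPIC does define today, CallerPrincipalCallback and GroupPrincipalCallback, to make the email address the caller principal and the user's roles the group principals. The UserStore interface, the EmailLoginSam class name and the change-email handler comment are assumptions for illustration; the point of the example is that the identity is only ever established inside validateRequest, which is why an email or role change cannot be applied to the current session without credentials or a logout.

```java
// Added example: a SAM that authenticates with email + password and establishes
// the identity through the JASPIC 1.0 callbacks. Everything outside the
// javax.security.auth.message and javax.servlet packages is a constructed assumption.
import java.io.IOException;
import java.io.UnsupportedCallbackException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class EmailLoginSam implements ServerAuthModule {

    /** Hypothetical backing store; an application would plug in its own user repository. */
    public interface UserStore {
        boolean verify(String email, String password);   // password check, e.g. against a salted hash
        String[] rolesOf(String email);                   // current roles of that user
    }

    private static final Class<?>[] SUPPORTED = { HttpServletRequest.class, HttpServletResponse.class };

    private final UserStore userStore;
    private CallbackHandler handler;

    public EmailLoginSam(UserStore userStore) {
        this.userStore = userStore;
    }

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;   // container-supplied handler that knows the callback types
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return SUPPORTED;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();

        String email = request.getParameter("email");
        String password = request.getParameter("password");

        if (email == null || password == null) {
            // No credentials on this request: a null caller name tells the container
            // that the caller is unauthenticated for this request.
            return establish(clientSubject, null, new String[0]);
        }

        if (!userStore.verify(email, password)) {
            return AuthStatus.SEND_FAILURE;   // wrong credentials: reject the request
        }

        // Valid credentials: the email becomes the caller principal and the roles
        // become group principals. This is the ONLY point at which the SAM can define
        // the identity. A later change of the email in the user store, or a newly
        // earned role, is not reflected in request.getUserPrincipal() or isUserInRole()
        // until this method runs again with credentials, or the session is ended with
        // request.logout(); there is no callback to amend the established identity.
        return establish(clientSubject, email, userStore.rolesOf(email));
    }

    private AuthStatus establish(Subject subject, String callerName, String[] groups)
            throws AuthException {
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(subject, callerName),
                new GroupPrincipalCallback(subject, groups)
            });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;   // nothing to add to the response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();   // called on request.logout()
        }
    }
}
```

In this shape the change-email operation in the application has exactly the two options the issue describes: re-run the SAM with credentials (HttpServletRequest#authenticate, which only works if the SAM accepts programmatically supplied credentials) or call HttpServletRequest#logout and let the user log in again. The proposed callbacks would give the SAM, or the application through a callback-taking authenticate variant, a third option that leaves the session in place.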


There are no comments yet on this issue.