jaspic-spec

Status code for processing handler but not invoking resource


    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved


      In the Servlet Container Profile of JASPIC the ServerAuthModule.validateRequest method can return the SUCCESS status code, which means the given handler should be processed by the JASPIC runtime and the requested resource should be invoked. This same method can also return SEND_CONTINUE, which means the handler should not be processed and the resource should not be invoked.

      Neither of those status codes addresses the use case where a SAM wishes authentication to happen first (and ask the container to remember this) and then immediately redirect to a new resource.

      This happens for instance when the user tries to access protected resource /A after which the SAM redirects the user to an external authentication provider at http://example.com which then redirects the user back to a general resource at /return which the SAM is monitoring. The SAM could redirect to /A first and then do authentication, but this slightly complicates the logic that needs to be coded.

      Fragment of code from an actual SAM demonstrating a similar case:

      if (...) {
          // [...]
          if (authenticated) {
              String savedURL = getSavedURL(request);
              // [...]
              // Note: JASPIC doesn't really support authenticating AND redirecting during the same request,
              // so we need to redirect first and then finally do the authentication with the container on
              // the request we redirected to.
              redirect(response, savedURL);
              return SEND_CONTINUE;
          } else {
              // [...]
          }
      } else if (isOnOriginalURLAfterAuthenticate(request)) {
          Authenticator authenticator = getSavedAuthenticator(request);


      For completeness and to make some flows easier to code, I'd like to suggest the introduction of a new status code, something like SUCCESS_SEND_CONTINUE, meaning:

      • Process the handler and any directives put into the MessageInfo map (such as asking the container to remember the auth session)
      • Don't invoke the resource


        arjan tijms created issue
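As an added illustration of the redirect-first workaround the fragment above hints at (not code from this issue, the JASPIC spec or any SAM implementation), here is a validateRequest that defers authenticating with the container to the request it redirected to, because no existing status both processes the handler and skips the resource. Only validateRequest is shown; initialize (which would supply callbackHandler), secureResponse, cleanSubject and getSupportedMessageTypes are omitted. RETURN_PATH, PROVIDER_URL, SAVED_URL, PENDING_USER and verifyProviderResponse are assumed names, not JASPIC API.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class RedirectFirstSam {
    static final String RETURN_PATH = "/return";             // callback resource the SAM monitors
    static final String PROVIDER_URL = "http://example.com"; // external authentication provider
    static final String SAVED_URL = "sam.savedUrl";          // session attribute: original resource
    static final String PENDING_USER = "sam.pendingUser";    // session attribute: verified caller
    protected CallbackHandler callbackHandler;               // handed to the SAM in initialize()
    // Assumed helper: verifies the provider's response on /return (signature, nonce, expiry)
    // and returns the caller name, or null when the response must be rejected.
    protected abstract String verifyProviderResponse(HttpServletRequest request);

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        HttpSession session = request.getSession();
        try {
            if (RETURN_PATH.equals(request.getServletPath())) {
                // Back from the provider: park the verified result, redirect first, authenticate later.
                String user = verifyProviderResponse(request);
                if (user == null) return AuthStatus.SEND_FAILURE;
                session.setAttribute(PENDING_USER, user);
                String target = (String) session.getAttribute(SAVED_URL);
                if (target == null) target = "/";   // direct hit on /return with nothing saved
                response.sendRedirect(target);
                return AuthStatus.SEND_CONTINUE;
            }
            String pending = (String) session.getAttribute(PENDING_USER);
            if (pending != null) {
                // Now on the original URL: authenticate with the container and ask it to remember this.
                session.removeAttribute(PENDING_USER);
                callbackHandler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, pending) });
                messageInfo.getMap().put("javax.servlet.http.registerSession", "true");
                return AuthStatus.SUCCESS;
            }
            // First visit: remember the resource and send the browser to the provider (assumed to return to /return).
            session.setAttribute(SAVED_URL, request.getRequestURI());
            response.sendRedirect(PROVIDER_URL);
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
    }
}
```

With the proposed SUCCESS_SEND_CONTINUE, the /return branch could register the caller and redirect in one request, removing the PENDING_USER hand-off.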


          • Assignee: arjan tijms
          • Votes: 0
          • Watchers: 2