jaspic-spec / JASPIC_SPEC-23

Status code for processing handler but not invoking resource

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Labels: None

      Description

      In the Servlet Container Profile of JASPIC the ServerAuthModule.validateRequest method can return the SUCCESS status code, which means the given handler should be processed by the JASPIC runtime and the requested resource should be invoked. This same method can also return SEND_CONTINUE, which means the handler should not be processed and the resource should not be invoked.

      Neither of those status codes addresses the use case where a SAM wishes authentication to happen first (and asks the container to remember this) and then immediately redirect to a new resource.

      This happens for instance when the user tries to access protected resource /A, after which the SAM redirects the user to an external authentication provider at http://example.com, which then redirects the user back to a general resource at /return that the SAM is monitoring. The SAM could redirect to /A first and then do authentication, but this slightly complicates the logic that needs to be coded.

      Fragment of code from an actual SAM demonstrating a similar case:

      if (...) {
          // [...]

          if (authenticated) {
              String savedURL = getSavedURL(request);
              // [...]

              // Note: JASPIC doesn't really support authenticating AND redirecting during the same request,
              // so we need to redirect first and then finally do the authentication with the container on
              // the request we redirected to.
              redirect(response, savedURL);
              return SEND_CONTINUE;
          } else {
              // [...]
          }

      } else if (isOnOriginalURLAfterAuthenticate(request)) {
          Authenticator authenticator = getSavedAuthenticator(request);

      For completeness and to make some flows easier to code, I'd like to suggest the introduction of a new status code, something like SUCCESS_SEND_CONTINUE, meaning:

      • Process the handler and any directives put into the MessageInfo map (such as asking the container to remember the auth session)
      • Don't invoke the resource
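The redirect-first workaround described above, written out as an added Java sketch of a SAM's validateRequest (example code, not the SAM quoted in this issue). It assumes the resource is protected, that a CallbackHandler was stored by initialize(), and that verifyProviderResponse() is supplied by a subclass; the session attribute names are assumptions.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.servlet.http.*;
// Added sketch of the two-request flow the issue describes; not the SAM quoted above.
// Assumes the requested resource is protected (authentication is mandatory).
public abstract class RedirectThenAuthenticateSam {
    // Session attribute names are assumptions for this example; URLs are from the issue text.
    private static final String SAVED_URL = "sam.savedUrl";
    private static final String SAVED_CALLER = "sam.savedCaller";
    private static final String PROVIDER_URL = "http://example.com";
    private static final String CALLBACK_PATH = "/return";
    private static final String REGISTER_SESSION = "javax.servlet.http.registerSession";
    protected CallbackHandler handler;  // set by initialize(), omitted here

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        HttpSession session = request.getSession();
        if (CALLBACK_PATH.equals(request.getServletPath())) {
            // Request 1, back from the provider: remember who authenticated, but since
            // SEND_CONTINUE cannot also register the caller, redirect to the saved URL first.
            session.setAttribute(SAVED_CALLER, verifyProviderResponse(request));
            return redirect(response, (String) session.getAttribute(SAVED_URL));
        }
        String caller = (String) session.getAttribute(SAVED_CALLER);
        if (caller != null) {
            // Request 2, on the original URL: establish the caller, ask the container
            // to remember the authenticated session, and let the resource be invoked.
            session.removeAttribute(SAVED_CALLER);
            try {
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, caller) });
            } catch (Exception e) { throw new AuthException(e.getMessage()); }
            messageInfo.getMap().put(REGISTER_SESSION, "true");
            return AuthStatus.SUCCESS;
        }
        // Not yet authenticated: save the requested URL and send the user to the provider.
        session.setAttribute(SAVED_URL, request.getRequestURL().toString());
        return redirect(response, PROVIDER_URL);
    }
    private static AuthStatus redirect(HttpServletResponse response, String url) throws AuthException {
        try { response.sendRedirect(url); } catch (java.io.IOException e) { throw new AuthException(e.getMessage()); }
        return AuthStatus.SEND_CONTINUE;
    }
    // Must validate the provider's response (e.g. its signature) and return the caller name.
    protected abstract String verifyProviderResponse(HttpServletRequest request) throws AuthException;
}
```

With the proposed SUCCESS_SEND_CONTINUE status the first branch could register the caller and redirect in one request, removing the SAVED_CALLER round trip.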

      Activity

      arjan tijms created issue

      People

      • Assignee: Unassigned
      • Reporter: arjan tijms
      • Votes: 0
      • Watchers: 2