jaspic-spec / JASPIC_SPEC-5

Portable way to distinguish between invocation at start of request and invocation following authenticate() call

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Labels:
      None

      Description

      The validateRequest method of an auth module can be called at the "start" of an HTTP request (before the target resource or any servlet filters are invoked), or it can be called following a call to the Servlet 3.0 HttpServletRequest.authenticate() method.

      In some cases it may be necessary for the auth module to distinguish between these cases. One use case is that following a call to HttpServletRequest.authenticate(), the auth module fully runs within the context of the calling code. E.g. if the calling code is a CDI bean backing a JSF view, then both the CDI contexts as well as the Faces context are available to the auth module. An auth module that is created specifically for CDI/JSF may take advantage of this.

      It might thus be convenient to have a portable way for the auth module to find out at which of those two different points it's invoked.

      Note that WebSphere 8.5 solves this issue by putting a key com.ibm.websphere.jaspi.request in the MessageInfo map, with authenticate as value (see http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.nd.doc%2Fae%2Ftsec_jaspi_create.html step 4).
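
Added example, not part of the original issue or of any container's code: one way an auth module could branch on the WebSphere 8.5 marker described above while failing safe on containers that do not set it. The class name `InvocationAwareAuthModule`, the `InvocationPoint` enum and the two abstract hook methods are hypothetical; only the map key and its value come from the issue text.

```java
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.module.ServerAuthModule;

/** Hypothetical base class (name and design are assumptions of this example). */
public abstract class InvocationAwareAuthModule implements ServerAuthModule {

    // Key and value as quoted in the issue text; WebSphere 8.5 specific, not portable.
    private static final String WAS_REQUEST_KEY = "com.ibm.websphere.jaspi.request";
    private static final String WAS_AUTHENTICATE = "authenticate";

    public enum InvocationPoint { START_OF_REQUEST, AFTER_AUTHENTICATE_CALL }

    /**
     * Classifies the current invocation. Only a positive marker from the
     * container selects AFTER_AUTHENTICATE_CALL; a missing or unexpected value
     * (any container without the key) falls back to START_OF_REQUEST, so the
     * module never assumes CDI or Faces contexts that may not exist.
     */
    protected static InvocationPoint invocationPoint(MessageInfo messageInfo) {
        Object marker = messageInfo.getMap().get(WAS_REQUEST_KEY);
        return WAS_AUTHENTICATE.equals(marker)
                ? InvocationPoint.AFTER_AUTHENTICATE_CALL
                : InvocationPoint.START_OF_REQUEST;
    }

    @Override
    public final AuthStatus validateRequest(MessageInfo messageInfo,
            Subject clientSubject, Subject serviceSubject) throws AuthException {
        switch (invocationPoint(messageInfo)) {
            case AFTER_AUTHENTICATE_CALL:
                return validateAfterAuthenticate(messageInfo, clientSubject, serviceSubject);
            default:
                return validateAtStartOfRequest(messageInfo, clientSubject, serviceSubject);
        }
    }

    /** Called before the target resource or any servlet filter runs. */
    protected abstract AuthStatus validateAtStartOfRequest(MessageInfo messageInfo,
            Subject clientSubject, Subject serviceSubject) throws AuthException;

    /** Called within the context of the code that invoked authenticate(). */
    protected abstract AuthStatus validateAfterAuthenticate(MessageInfo messageInfo,
            Subject clientSubject, Subject serviceSubject) throws AuthException;
}
```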

        Activity

        arjan tijms created issue -
        monzillo made changes -
        Field Original Value New Value
        Assignee monzillo [ monzillo ]
        monzillo added a comment -

        Perhaps WebSphere added their flag to ensure that authentication would be mandatory, even if the policy of the auth context is not; the new "subprofile for authenticate, etc" deals with that problem by requiring that the isMandatory flag be set in MessageInfo.

        That said, I can see how being able to distinguish such cases could be useful, so I will add an ability to do so to the sub-profile. Thanks for the suggestion.


          People

          • Assignee:
            monzillo
            Reporter:
            arjan tijms
          • Votes:
            0
            Watchers:
            1
