[JASPIC_SPEC-20] Portable way for auth module to ask container to automatically apply auth session Created: 20/Apr/13  Updated: 20/Apr/13

Status: Open
Project: jaspic-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: arjan tijms Assignee: Unassigned
Resolution: Unresolved Votes: 5
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Tags: ease-of-use, ease_of_development


Per JASPIC_SPEC-3 an authentication module can ask the container to create an authentication session, meaning the container "remembers" the established authenticated identity. This is a major step forward for authentication modules that don't have a requirement to maintain such a session in a custom way.

However, even when the SAM has asked the container to create this session, the SAM is called at every request (as per the Servlet Container profile requirements) and the SAM has to tell the container it (still) wants to continue with the previously established authenticated identity by executing code like the following:

// 'handler' is the CallbackHandler the container passed to initialize()
public AuthStatus doValidateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    Principal userPrincipal = request.getUserPrincipal();
    try {
        if (userPrincipal != null) {
            // Authentication session exists: re-apply the previously established identity
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, userPrincipal) });
            return SUCCESS;
        }
        // Rest of auth code here
        return SEND_FAILURE;
    } catch (IOException | UnsupportedCallbackException e) {
        // CallbackHandler.handle() declares these two checked exceptions
        throw (AuthException) new AuthException().initCause(e);
    }
}

In order to make a common case easier, where the SAM simply always wants to continue with the previously established authenticated identity until the authentication session is ended (by whatever means), I'd like to propose to add a way for the SAM to ask the container to automatically apply the identity stored in the authentication session to the current request.

After the SAM has asked for this AND an authenticated identity has been established, the SAM would indeed not be called anymore as long as the authentication session is valid (exists).

This might be implemented by defining another key to be put in the MessageInfo map that works alongside the existing key for asking a session, as follows:

  • javax.servlet.http.registerSession - Container registers a session, but SAM still called every request and SAM decides to use this or not.
  • javax.servlet.http.autoApplySession - If container has a session, it uses this and does not call the SAM.

Generated at Mon Apr 24 05:04:13 UTC 2017 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.