<< Back to previous view

[JASPIC_SPEC-21] Support for events Created: 30/Apr/13  Updated: 09/Oct/13

Status: Open
Project: jaspic-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: arjan tijms Assignee: Unassigned
Resolution: Unresolved Votes: 1
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants: arjan tijms and kithouna


For several use cases it would be quite convenient if JASPIC would throw events at several important moments of the authentication message exchange.

Such events could be:

  • PreAuthenticate
  • PostAuthenticate
  • PreLogout
  • PostLogout

User code could possibly register for such events in the same way such code can register for events from the Servlet container; annotating the listener class and implementing an interface.


public class MyListener implements AuthenticationListener  {

    public void preAuthenticate(AuthEvent authEvent) {
        // ...

    public void postAuthenticate(AuthEvent authEvent) {
        // ...

Additionally CDI style events can be supported as well.

Use cases for such event listeners are among others:

  • Keeping track of the number of logged-in users
  • Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
  • Creating a new local user after the first successful authentication via a remote authentication provider
  • Loading application specific preferences into the HTTP session after a user logs-in

Specifically for the second use case a PreAutenticate listener should be able to veto the authentication attempt (at which JASPIC could respond by e.g. sending a 403 to the client).

Comment by kithouna [ 09/Oct/13 02:49 PM ]

Another use case: increase the Http session timeout after a user logs in. The AuthEvent should therefor give access to the JASPIC request/response.

Generated at Wed Apr 23 18:16:09 UTC 2014 using JIRA 4.0.2#472.