[JASPIC_SPEC-21] Support for events
Created: 30/Apr/13
Updated: 09/Oct/13

Status: Open
Project: jaspic-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Major
Reporter: arjan tijms
Assignee: Unassigned
Resolution: Unresolved
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


For several use cases it would be quite convenient if JASPIC would throw events at several important moments of the authentication message exchange.

Such events could be:

  • PreAuthenticate
  • PostAuthenticate
  • PreLogout
  • PostLogout

User code could possibly register for such events in the same way such code can register for events from the Servlet container; annotating the listener class and implementing an interface.


public class MyListener implements AuthenticationListener {

    public void preAuthenticate(AuthEvent authEvent) {
        // ...
    }

    public void postAuthenticate(AuthEvent authEvent) {
        // ...
    }
}

Additionally CDI style events can be supported as well.

Use cases for such event listeners are among others:

  • Keeping track of the number of logged-in users
  • Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
  • Creating a new local user after the first successful authentication via a remote authentication provider
  • Loading application specific preferences into the HTTP session after a user logs in

Specifically for the second use case a PreAuthenticate listener should be able to veto the authentication attempt (at which JASPIC could respond by e.g. sending a 403 to the client).
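
A sketch of the second use case (failed-login counting with a veto), added here as an example; it is not code from the issue or from JASPIC. The AuthEvent methods getUsername(), isSuccess() and veto(), the interface shape, and the policy constants are all assumptions, since the proposed API does not exist.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical shapes for the proposed API; JASPIC defines none of these types.
interface AuthEvent {
    String getUsername();  // assumed: account name presented by the caller
    boolean isSuccess();   // assumed: outcome, meaningful in postAuthenticate
    void veto();           // assumed: asks the container to reject the attempt
}
interface AuthenticationListener {
    void preAuthenticate(AuthEvent authEvent);
    void postAuthenticate(AuthEvent authEvent);
}
public class LockoutListener implements AuthenticationListener {
    static final int MAX_FAILURES = 5;                // constructed policy values
    static final long LOCK_MILLIS = 15 * 60 * 1000L;
    private static final class State { int failures; long lockedUntil; }
    // Keyed by caller-supplied names: a real deployment must bound or expire entries.
    private final Map<String, State> accounts = new ConcurrentHashMap<>();

    public void preAuthenticate(AuthEvent e) {
        State s = e.getUsername() == null ? null : accounts.get(e.getUsername());
        if (s == null) return;
        synchronized (s) {  // refuse before credentials are checked at all
            if (System.currentTimeMillis() < s.lockedUntil) e.veto();
        }
    }

    public void postAuthenticate(AuthEvent e) {
        if (e.getUsername() == null) return;
        if (e.isSuccess()) { accounts.remove(e.getUsername()); return; }
        State s = accounts.computeIfAbsent(e.getUsername(), k -> new State());
        synchronized (s) {
            if (++s.failures >= MAX_FAILURES) {  // start a lock window, reset the count
                s.failures = 0;
                s.lockedUntil = System.currentTimeMillis() + LOCK_MILLIS;
            }
        }
    }

    public static void main(String[] args) {  // constructed demo event
        LockoutListener l = new LockoutListener();
        boolean[] vetoed = {false};
        AuthEvent failed = new AuthEvent() {
            public String getUsername() { return "alice"; }
            public boolean isSuccess() { return false; }
            public void veto() { vetoed[0] = true; }
        };
        for (int i = 0; i < MAX_FAILURES; i++) l.postAuthenticate(failed);
        l.preAuthenticate(failed);
        System.out.println("vetoed: " + vetoed[0]);
    }
}
```

Per-account lockout lets anyone who knows a username lock its owner out, so the threshold and lock window are a trade-off between guessing resistance and availability.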

Comment by kithouna [ 09/Oct/13 ]

Another use case: increase the HTTP session timeout after a user logs in. The AuthEvent should therefore give access to the JASPIC request/response.
