[JASPIC_SPEC-23] Status code for processing handler but not invoking resource Created: 10/Aug/13  Updated: 16/Dec/14

Status: Open
Project: jaspic-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: arjan tijms Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

In the Servlet Container Profile of JASPIC the ServerAuthModule.validateRequest method can return the SUCCESS status code, which means the given handler should be processed by the JASPIC runtime and the requested resource should be invoked. This same method can also return SEND_CONTINUE, which means the handler should not be processed and the resource should not be invoked.

Neither of those status codes addresses the use case where a SAM wishes authentication to happen first (and asks the container to remember this) and then immediately redirects to a new resource.

This happens for instance when the user tries to access protected resource /A after which the SAM redirects the user to an external authentication provider at http://example.com which then redirects the user back to a general resource at /return which the SAM is monitoring. The SAM could redirect to /A first and then do authentication, but this slightly complicates the logic that needs to be coded.

Fragment of code from an actual SAM demonstrating a similar case:

if (...) {
    // [...]
    
    if (authenticated) {
                
        String savedURL = getSavedURL(request);
        // [...]
        
        // Note: JASPIC doesn't really support authenticating AND redirecting during the same request, 
        // so we need to redirect first and then finally do the authentication with the container on 
        // the request we redirected to.
        redirect(response, savedURL);
        return SEND_CONTINUE;
    } else {
        // [...]
    }
    
} else if (isOnOriginalURLAfterAuthenticate(request)) {
    
    Authenticator authenticator = getSavedAuthenticator(request);
    // [...]
}

Source

For completeness and to make some flows easier to code, I'd like to suggest the introduction of a new status code, something like SUCCESS_SEND_CONTINUE, meaning:

  • Process the handler and any directives put into the MessageInfo map (such as asking the container to remember the auth session)
  • Don't invoke the resource


Comments
Comment by monzillo [ 16/Dec/14 ]

Note that a SAM that manages its own sessions can establish an authentication session and then redirect (and return SEND_CONTINUE).

It sounds like you are looking for a way for a SAM to return SEND_CONTINUE while also causing the container to do registerSession.

Note that I don't believe there is any prohibition on a SAM using the CBH prior to returning SEND_CONTINUE, and, AYK, SEND_CONTINUE causes the container to return the response from the SAM (without invoking the resource). As such, changing the profile wrt the processing of registerSession may be a simple change that would meet your needs.

I haven't tried it, but you may be able to get the behavior you seek by writing a SAM that calls request.authenticate, in which case authenticate will make an internal call to validateRequest. The internal call should perform the authentication and return SUCCESS (with registerSession in msgInfo), and then the encapsulating call should do the redirect and return SEND_CONTINUE. You would need to convey some state to influence the behavior of the SAM.
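As an added example (not the issue's SAM fragment, nor code from the commenter, and, as the comment says of the idea itself, untried against any container): a complete SAM for the flow in the description that uses the nested request.authenticate() approach suggested in the comment. The outer validateRequest on /return verifies the provider's answer and calls request.authenticate(response); the container re-enters validateRequest, the inner call sets the caller via the callback handler, puts registerSession in the MessageInfo map and returns SUCCESS; the outer call then redirects to the saved URL and returns SEND_CONTINUE. The state the comment says is needed is carried in a request attribute. The two javax.* map keys are the ones defined by the Servlet Container Profile; everything marked "assumed" is hypothetical: the /return path, http://example.com/login as the provider, the attribute names, the group name "user", the shared secret, and the `user`/`sig` parameters standing in for whatever a real provider returns.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example, not the issue's own SAM: authenticate on /return and redirect in the same
// request by re-entering the SAM through request.authenticate(). Names marked "assumed" are
// hypothetical; the two javax.* map keys are defined by the Servlet Container Profile.
public class NestedAuthSam implements ServerAuthModule {
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private static final String REGISTER_SESSION = "javax.servlet.http.registerSession";
    private static final String RETURN_PATH = "/return";                     // assumed
    private static final String PROVIDER_LOGIN = "http://example.com/login";  // assumed
    private static final String SAVED_URL_ATTR = "example.sam.savedUrl";      // session attribute, assumed
    private static final String NESTED_USER_ATTR = "example.sam.nestedUser";  // request attribute, assumed
    private static final byte[] SHARED_SECRET = "change-me".getBytes(StandardCharsets.UTF_8); // assumed
    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) { handler = h; }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            // Inner call, reached via request.authenticate() below: establish the caller, ask the
            // container to remember the session, and return SUCCESS so both get processed.
            String nestedUser = (String) request.getAttribute(NESTED_USER_ATTR);
            if (nestedUser != null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, nestedUser),
                    new GroupPrincipalCallback(clientSubject, new String[] { "user" }) }); // group assumed
                messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
                return AuthStatus.SUCCESS;
            }
            // Session registered on an earlier request: re-assert the remembered caller.
            if (request.getUserPrincipal() != null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, request.getUserPrincipal()) });
                return AuthStatus.SUCCESS;
            }
            // Back from the provider: verify its answer, authenticate through the nested call
            // (SUCCESS and registerSession happen there), then redirect and return SEND_CONTINUE.
            if (RETURN_PATH.equals(request.getServletPath())) {
                String user = verifiedUser(request.getParameter("user"), request.getParameter("sig"));
                if (user == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return AuthStatus.SEND_FAILURE; }
                request.setAttribute(NESTED_USER_ATTR, user);
                boolean established = request.authenticate(response);
                request.removeAttribute(NESTED_USER_ATTR);
                if (!established) return AuthStatus.SEND_FAILURE;
                HttpSession session = request.getSession();
                String savedUrl = (String) session.getAttribute(SAVED_URL_ATTR);
                session.removeAttribute(SAVED_URL_ATTR);
                response.sendRedirect(savedUrl != null ? savedUrl : request.getContextPath() + "/");
                return AuthStatus.SEND_CONTINUE;
            }
            // Unauthenticated request for a protected resource: save the target (path and query
            // only, so the later redirect stays inside this application) and hand off to the provider.
            if (Boolean.parseBoolean((String) messageInfo.getMap().get(IS_MANDATORY))) {
                String query = request.getQueryString();
                request.getSession().setAttribute(SAVED_URL_ATTR, request.getRequestURI() + (query != null ? "?" + query : ""));
                response.sendRedirect(PROVIDER_LOGIN);
                return AuthStatus.SEND_CONTINUE;
            }
            // Unprotected resource: pass the request through as an unauthenticated caller.
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            return AuthStatus.SUCCESS;
        } catch (IOException | ServletException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    // Stand-in for the provider-specific check (assumed protocol): the provider returns
    // user=<name>&sig=<base64url HMAC-SHA256(name)> computed under a secret shared with this SAM.
    private static String verifiedUser(String user, String sig) {
        if (user == null || sig == null) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
            byte[] expected = mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(sig)) ? user : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // unknown algorithm, bad key or malformed signature
        }
    }
}
```

Two points to check before relying on this in a real deployment. First, whether a container actually re-enters the SAM on request.authenticate() from inside validateRequest, and whether it honours registerSession from that inner call, is exactly what the comment leaves untried; the outer SEND_CONTINUE still tells the container to send the SAM's response without invoking the /return resource, so nothing is lost if the inner call fails, but the flow should be tested per container. Second, the saved URL is stored as a server-relative path plus query, never as an absolute URL taken from the request, so the post-login redirect cannot be turned into an open redirect to another host.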

Generated at Sun Aug 30 23:53:48 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.