
[JIRA] Commented: (JASPIC_SPEC-21) Support for events

  • From: "kithouna (JIRA)" < >
  • To:
  • Subject: [JIRA] Commented: (JASPIC_SPEC-21) Support for events
  • Date: Wed, 9 Oct 2013 14:50:28 +0000 (UTC)
  • Auto-submitted: auto-generated
  • List-id: <issues.jaspic-spec.java.net>


    [ https://java.net/jira/browse/JASPIC_SPEC-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=369472#action_369472 ]

kithouna commented on JASPIC_SPEC-21:
-------------------------------------

Another use case: increase the Http session timeout after a user logs in. The 
AuthEvent should therefore give access to the JASPIC request/response.

> Support for events
> ------------------
>
>                 Key: JASPIC_SPEC-21
>                 URL: https://java.net/jira/browse/JASPIC_SPEC-21
>             Project: jaspic-spec
>          Issue Type: New Feature
>            Reporter: arjan tijms
>
> For several use cases it would be quite convenient if JASPIC would throw 
> events at several important moments of the authentication message exchange.
> Such events could be:
> * PreAuthenticate
> * PostAuthenticate
> * PreLogout
> * PostLogout
> User code could possibly register for such events in [the same 
> way|https://javaee-spec.java.net/nonav/javadocs/javax/servlet/http/HttpSessionIdListener.html]
>  such code can register for events from the Servlet container; annotating 
> the listener class and implementing an interface.
> E.g.
> {code}
> @SecurityListener
> public class MyListener implements AuthenticationListener  {
>     public void preAuthenticate(AuthEvent authEvent) {
>         // ...
>     }
>     public void postAuthenticate(AuthEvent authEvent) {
>         // ...
>     }
> }
> {code}
> Additionally CDI style events can be supported as well.
> Use cases for such event listeners are among others:
> * Keeping track of the number of logged-in users
> * Protecting against brute-force attacks by keeping count of failed login 
> attempts for a certain account
> * Creating a new local user after the first successful authentication via a 
> remote authentication provider
> * Loading application specific preferences into the HTTP session after a 
> user logs in
> Specifically for the second use case a PreAuthenticate listener should be 
> able to veto the authentication attempt (at which JASPIC could respond by 
> e.g. sending a 403 to the client).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
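
The brute-force use case from the issue description, sketched as an added example that is not part of the original message and not JASPIC API. The `AuthEvent` accessors (`getUsername`, `isSuccess`, `veto`), the class name and the threshold values are assumptions made for illustration; only the listener method names come from the issue.

```java
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical event API modelled on the issue text; JASPIC defines none of these types.
interface AuthEvent {
    String getUsername(); // assumed: account name the caller is attempting
    boolean isSuccess();  // assumed: outcome, only meaningful in postAuthenticate
    void veto();          // assumed: container rejects the attempt, e.g. with a 403
}

interface AuthenticationListener {
    void preAuthenticate(AuthEvent event);
    void postAuthenticate(AuthEvent event);
}

public class LockoutListener implements AuthenticationListener {
    private static final int MAX_FAILURES = 5;             // constructed threshold
    private static final long LOCK_MILLIS = 15 * 60_000L;  // constructed lock window

    // Per account: [0] = consecutive failures, [1] = time of the last failure.
    // A production version would bound this map, since account names are caller-supplied.
    private final ConcurrentMap<String, long[]> failures = new ConcurrentHashMap<>();

    @Override
    public void preAuthenticate(AuthEvent event) {
        long[] f = failures.get(key(event));
        if (f == null) return;
        synchronized (f) {
            if (f[0] < MAX_FAILURES) return;
            if (System.currentTimeMillis() - f[1] < LOCK_MILLIS) {
                event.veto();  // locked: credentials are not evaluated at all
            } else {
                f[0] = 0;      // lock window elapsed, start counting again
            }
        }
    }

    @Override
    public void postAuthenticate(AuthEvent event) {
        if (event.isSuccess()) { failures.remove(key(event)); return; }
        long[] f = failures.computeIfAbsent(key(event), k -> new long[2]);
        synchronized (f) { f[0]++; f[1] = System.currentTimeMillis(); }
    }

    private static String key(AuthEvent event) {
        String u = event.getUsername();
        return u == null ? "" : u.toLowerCase(Locale.ROOT);
    }
}
```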

        

