users@jaspic-spec.java.net

[JIRA] Commented: (JASPIC_SPEC-3) No portable way for auth module to ask the container to create a container authentication session

From: arjan tijms (JIRA) <"arjan>
Date: Wed, 13 Feb 2013 23:40:53 +0000 (GMT+00:00)

    [ http://java.net/jira/browse/JASPIC_SPEC-3?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=356086#action_356086 ]

arjan tijms commented on JASPIC_SPEC-3:
---------------------------------------

Maybe interesting to know that JBoss AS/EAP always "remembers" the authentication automatically. There does not seem to be a way to -not- let the container remember the authentication. WebLogic remembers the principal (obtained via HttpServletRequest.getUserPrincipal), but doesn't grant access to protected resources if the auth module doesn't authenticate again at the start of a (new) request.

GlassFish, Geronimo and WebSphere all don't seem to remember anything between requests.

A clarification in the spec could be that *without* the portable mechanism that's proposed for this issue the container should not remember anything (leaving the auth module fully responsible) and that *with* this mechanism the container should remember the full authentication between follow-up requests until either the http session times out or is explicitly ended (implying the authentication session is bound to the http session), or HttpServletRequest.logout is called.

> No portable way for auth module to ask the container to create a container authentication session
> -------------------------------------------------------------------------------------------------
>
> Key: JASPIC_SPEC-3
> URL: http://java.net/jira/browse/JASPIC_SPEC-3
> Project: jaspic-spec
> Issue Type: New Feature
> Reporter: monzillo
> Assignee: monzillo
>
> The SPI is optimized for the case where the auth module is responsible for
> creating and managing authentication sessions internally and separate from
> Servlet's HttpSession machinery.
> Still there are repeated requests for this enhancement. The RI provides this
> functionality via an undocumented messageInfo flag; which when set by an auth
> module, instructs the GlassFish container to "register" an authentication
> session.
> The enhancement request is to standardize a portable means for an auth module
> to cause the encompassing container to create an authentication and to bind it
> to the response. This might be done by a flag, or by a new Callback handler, or
> perhaps by another mechanism.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
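To make the two modes discussed in the comment concrete, the following is an added example of a Servlet-profile ServerAuthModule; it is not code from this thread, from the JASPIC spec or from the GlassFish RI. On a first request the module authenticates the caller and stores the caller name in the HttpSession itself (the "auth module fully responsible" mode, which is what a container that remembers nothing between requests requires); on follow-up requests it re-asserts that caller through the CallerPrincipalCallback, and on HttpServletRequest.logout it removes its own remembered state in cleanSubject. When configured to do so it additionally sets the messageInfo key "javax.servlet.http.registerSession", which is the name JASPIC 1.1 later standardized for asking the container to remember the authentication; this message predates that, so the module does not depend on the container honouring it. The class name, the "X-Example-User"/"X-Example-Secret" headers, the "letmein" secret, the "askContainerToRemember" option and the "example.authenticatedUser" session attribute are constructed stand-ins for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Constructed example: an auth module that keeps its own authentication in the HttpSession. */
public class SessionRememberingAuthModule implements ServerAuthModule {
    // HttpSession attribute holding the module's own remembered caller name (constructed name).
    private static final String SESSION_KEY = "example.authenticatedUser";
    // Servlet-profile messageInfo key: "true" when the requested resource is protected.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Key JASPIC 1.1 later standardized for asking the container to remember the authentication;
    // this message predates it, so the module treats container support for it as optional.
    private static final String REGISTER_SESSION = "javax.servlet.http.registerSession";
    private CallbackHandler handler;
    private boolean askContainerToRemember; // module option; the option name is an assumption

    @Override
    public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy, CallbackHandler handler, Map options) {
        this.handler = handler;
        this.askContainerToRemember = options != null && "true".equals(options.get("askContainerToRemember"));
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // 1. Module-managed remembering: re-assert the caller stored on an earlier request, since a
        //    container that remembers nothing between requests treats each one as unauthenticated.
        HttpSession session = request.getSession(false);
        Object remembered = session == null ? null : session.getAttribute(SESSION_KEY);
        if (remembered instanceof String) {
            return establishCaller((String) remembered, clientSubject, messageInfo);
        }

        // 2. Nothing remembered: authenticate this request. The header check is a constructed
        //    stand-in for real credential validation (form login, certificate, token, ...).
        String user = request.getHeader("X-Example-User");
        if (user == null || !"letmein".equals(request.getHeader("X-Example-Secret"))) {
            if (!Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)))) {
                return establishCaller(null, clientSubject, messageInfo); // unprotected: anonymous caller
            }
            try {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } catch (IOException e) {
                throw (AuthException) new AuthException("cannot send 401").initCause(e);
            }
            return AuthStatus.SEND_FAILURE;
        }
        request.getSession(true).setAttribute(SESSION_KEY, user); // bind the authentication to the HttpSession
        return establishCaller(user, clientSubject, messageInfo);
    }

    /** Hands the caller (null = anonymous) and groups to the container; optionally asks it to remember. */
    private AuthStatus establishCaller(String user, Subject clientSubject, MessageInfo messageInfo) throws AuthException {
        Callback[] callbacks = user == null
            ? new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }
            : new Callback[] { new CallerPrincipalCallback(clientSubject, user),
                               new GroupPrincipalCallback(clientSubject, new String[] { "users" }) };
        try {
            handler.handle(callbacks);
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback failed").initCause(e);
        }
        if (user != null && askContainerToRemember) {
            messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
        }
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }

    /** Runs on HttpServletRequest.logout(): drop the module's own remembered authentication too. */
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        HttpSession session = ((HttpServletRequest) messageInfo.getRequestMessage()).getSession(false);
        if (session != null) session.removeAttribute(SESSION_KEY);
        subject.getPrincipals().clear();
    }
}
```

With askContainerToRemember left false the module behaves identically on every container named in the comment, because it never relies on the container remembering anything; with it set to true on a container that honours the flag, the container also keeps the caller and groups for the life of the HttpSession, which is the behaviour the comment proposes the spec should tie to the portable mechanism. Either way the remembered state ends when the HttpSession expires or is invalidated, or when logout triggers cleanSubject.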