users@jaspic-spec.java.net

[JIRA] Commented: (JASPIC_SPEC-5) Portable way to distinguish between invocation at start of request and invocation following authenticate() call

From: monzillo (JIRA) <"monzillo>
Date: Wed, 27 Feb 2013 15:59:53 +0000 (GMT+00:00)

    [ http://java.net/jira/browse/JASPIC_SPEC-5?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=357174#action_357174 ]

monzillo commented on JASPIC_SPEC-5:
------------------------------------

Perhaps WebSphere added their flag to ensure that authentication would be mandatory, even if the policy of the auth context is not; the new "subprofile for authenticte, etc" deals with that problem by requiring that the isMandatory flag be set in MessageInfo.

that said, I can see how being able to tell distinguish such cases could be useful, so I will add an ability to do so to the sub-profile. thanks for the suggestion.


> Portable way to distinguish between invocation at start of request and invocation following authenticate() call
> ---------------------------------------------------------------------------------------------------------------
>
> Key: JASPIC_SPEC-5
> URL: http://java.net/jira/browse/JASPIC_SPEC-5
> Project: jaspic-spec
> Issue Type: New Feature
> Reporter: arjan tijms
> Assignee: monzillo
>
> The {{validateRequest}} method of an auth module can be called at the "start" of an HTTP request (before the target resource or any servlet filters are invoked), or it can be called following a call to the Servlet 3.0 {{HttpServletRequest.authenticate()}} method.
> In some cases it may be necessary for the auth module to distinguish between these cases. One use case is that following a call to {{HttpServletRequest.authenticate()}}, the auth module fully runs within the context of the calling code. E.g. if the calling code is a CDI bean backing a JSF view, then both the CDI contexts as well as the Faces context are available to the auth module. An auth module that is created specifically for CDI/JSF may take advantage of this.
> It might thus be convenient to have a portable way for the auth module to find out at which of those two different points it's invoked.
> Note that WebSphere 8.5 solves this issue by putting a key {{com.ibm.websphere.jaspi.request}} in the {{MessageInfo}} map, with {{authenticate}} as value (see http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.nd.doc%2Fae%2Ftsec_jaspi_create.html step 4).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira