users@jaspic-spec.java.net

[JIRA] Created: (JASPIC_SPEC-16) Ability for application to choose authentication method at runtime

From: arjan tijms (JIRA) <"arjan>
Date: Wed, 27 Mar 2013 15:28:53 +0000 (GMT+00:00)

Ability for application to choose authentication method at runtime
------------------------------------------------------------------

                 Key: JASPIC_SPEC-16
                 URL: http://java.net/jira/browse/JASPIC_SPEC-16
             Project: jaspic-spec
          Issue Type: New Feature
            Reporter: arjan tijms


In Java EE and specifically in JASPIC there is somewhat of the assumption that a single authentication method is configured (in many cases even mostly outside the application).

While for some classes of applications this has clear benefits, it doesn't particularly play nice with the increasingly popular practice that web applications offer their users a choice for their login method.

For instance, stackoverflow.com currently displays the following login choices:

* Log in with StackExchange
* Log in with Google
* Log in with facebook
* Log in with Yahoo!

See http://stackoverflow.com/users/login

To make it to implement this use case I would like to request that JASPIC adds some level of support for this.

One way to do this could be via the existing authentication context and perhaps via the concept of having different "authentication stacks". (Note that JASPIC_SPEC-15 is related to this, but instead asks how auth modules in a single stack interact)

With this concept, each such stack (possibly consisting of only a single SAM) is named and corresponds with an authentication mechanism (e.g. "native form", or "OpenId-Wordpress", etc).

For the Web Profile the application can then programmatically set an authentication mechanism for the current session by calling a variant on the {{request#authenticate}} method, e.g. {{request#authenticateWith(String, Request, Response)}}, where the provided {{String}} parameter is a name that corresponds with one of the pre-configured stacks. Such a new method would require coordination with the Servlet spec of course.

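
A minimal, self-contained model of the named-stack selection proposed in the message above, added here as an illustration; it is not code from the JASPIC specification, the Servlet API or the reporter. It shows the check a container would need, since the stack name arrives with the request: the name is resolved only against the pre-configured set, and unknown names fail closed. `AuthModule`, `StackRegistry` and this `authenticateWith` signature are hypothetical stand-ins, and requiring every module of a stack to succeed is an assumption.

```java
import java.util.*;

// Added illustration: every type and method name below is hypothetical.
public class AuthStackDemo {
    /** Stand-in for a JASPIC SAM; returns the caller name, or null on failure. */
    interface AuthModule { String validate(Map<String, String> request); }

    /** Pre-configured, named stacks; callers can only select among these. */
    static final class StackRegistry {
        private final Map<String, List<AuthModule>> stacks = new HashMap<>();

        void register(String name, AuthModule... modules) {
            stacks.put(name, List.of(modules));
        }

        /** Models the proposed authenticateWith(String, Request, Response). */
        Optional<String> authenticateWith(String stackName, Map<String, String> request) {
            List<AuthModule> stack = stacks.get(stackName);
            if (stack == null) {
                // Unknown name: fail closed, never fall back to a default stack.
                throw new IllegalArgumentException("no such authentication stack");
            }
            String caller = null;
            for (AuthModule module : stack) {
                // Assumption: every module in the stack must accept the request.
                caller = module.validate(request);
                if (caller == null) return Optional.empty();
            }
            return Optional.ofNullable(caller);
        }
    }

    public static void main(String[] args) {
        StackRegistry registry = new StackRegistry();
        // Constructed sample modules; real SAMs would verify credentials properly.
        registry.register("native form",
                req -> "s3cret".equals(req.get("password")) ? req.get("username") : null);
        registry.register("OpenId-Wordpress", req -> req.get("openid.identity"));

        // Constructed request; the stack name is untrusted input from the login page.
        Map<String, String> request = Map.of("username", "alice", "password", "s3cret");
        System.out.println(registry.authenticateWith("native form", request));
        System.out.println(registry.authenticateWith("OpenId-Wordpress", request));
        try {
            registry.authenticateWith("not-configured", request);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```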