users@jaspic-spec.java.net

[JIRA] Created: (JASPIC_SPEC-20) Portable way for auth module to ask container to automatically apply auth session

From: arjan tijms (JIRA)
Date: Sat, 20 Apr 2013 12:13:43 +0000 (UTC)

Portable way for auth module to ask container to automatically apply auth session
---------------------------------------------------------------------------------

                 Key: JASPIC_SPEC-20
                 URL: https://java.net/jira/browse/JASPIC_SPEC-20
             Project: jaspic-spec
          Issue Type: New Feature
            Reporter: arjan tijms


Per JASPIC_SPEC-3 an authentication module can ask the container to create an authentication session, meaning the container "remembers" the established authenticated identity. This is a major step forward for authentication modules that don't have a requirement to maintain such a session in a custom way.

However, even when the SAM has asked the container to create this session, the SAM is called at every request (as per the Servlet Container profile requirements) and the SAM has to tell the container it (still) wants to continue with the previously established authenticated identity by executing code like the following:

{code}
import java.io.IOException;
import java.security.Principal;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.servlet.http.HttpServletRequest;

import static javax.security.auth.message.AuthStatus.SUCCESS;

public class ReapplySessionSam {

    // CallbackHandler handed to the SAM by the container in initialize()
    private CallbackHandler handler;

    public AuthStatus doValidateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {

        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        // Non-null when the container has restored an identity from the authentication session
        Principal userPrincipal = request.getUserPrincipal();

        try {
            if (userPrincipal != null) {
                // Re-apply the previously established identity to this request
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(clientSubject, userPrincipal) }
                );

                return SUCCESS;
            }

            // Rest of auth code here; placeholder result so the method compiles
            return AuthStatus.SEND_FAILURE;

        } catch (IOException | UnsupportedCallbackException e) {
            // CallbackHandler.handle() declares these two checked exceptions
            throw (AuthException) new AuthException().initCause(e);
        }
    }
}
{code}

In order to make a common case easier, where the SAM simply always wants to continue with the previously established authenticated identity until the authentication session is ended (by whatever means), I'd like to propose adding a way for the SAM to ask the container to automatically apply the identity stored in the authentication session to the current request.

After the SAM has asked for this AND an authenticated identity has been established, the SAM would indeed not be called anymore as long as the authentication session is valid (exists).

This might be implemented by defining another key to be put in the {{MessageInfo}} map that works alongside the existing key for asking a session, as follows:

* {{javax.servlet.http.registerSession}} - Container registers a session, but the SAM is still called on every request and decides whether to use it.
* {{javax.servlet.http.autoApplySession}} - If the container has a session, it applies the stored identity itself and does not call the SAM.
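To show where the two keys would be set in practice, here is a complete example SAM written for this issue; it is not code from the JASPIC spec or its reference implementation. It assumes a hypothetical module option named {{expectedToken}} holding a single bearer token, a constructed principal name {{token-user}}, and it treats {{javax.servlet.http.autoApplySession}} as the proposed key from this issue rather than as a key the spec defines. The {{registerSession}} key is the one from JASPIC_SPEC-3.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example SAM for JASPIC_SPEC-20 (not spec or RI code). It authenticates a bearer
 * token against the hypothetical "expectedToken" module option and then asks the
 * container both to remember the identity and, under the proposal, to apply it
 * on later requests without invoking the SAM again.
 */
public class SessionAwareTokenSam implements ServerAuthModule {

    // Key defined by the Servlet Container Profile (see JASPIC_SPEC-3).
    static final String REGISTER_SESSION = "javax.servlet.http.registerSession";
    // Key proposed by this issue; not part of the spec at the time of writing.
    static final String AUTO_APPLY_SESSION = "javax.servlet.http.autoApplySession";

    private CallbackHandler handler;
    private byte[] expectedToken;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        Object token = options == null ? null : options.get("expectedToken"); // hypothetical option
        if (token == null) {
            throw new AuthException("module option 'expectedToken' is required");
        }
        this.expectedToken = token.toString().getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            // Current workaround: the container restored an identity from the registered
            // session, so re-apply it. With autoApplySession the container would do this
            // itself and this method would not be reached while the session is valid.
            Principal existing = request.getUserPrincipal();
            if (existing != null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, existing) });
                return AuthStatus.SUCCESS;
            }

            String authz = request.getHeader("Authorization");
            if (authz != null && authz.startsWith("Bearer ")) {
                byte[] presented = authz.substring("Bearer ".length()).getBytes(StandardCharsets.UTF_8);
                // Constant-time comparison so response timing does not reveal how many bytes matched.
                if (MessageDigest.isEqual(presented, expectedToken)) {
                    handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, "token-user"),        // constructed name
                        new GroupPrincipalCallback(clientSubject, new String[] { "user" }) });
                    // Ask the container to remember this identity (existing key) ...
                    messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
                    // ... and, under this proposal, to apply it on later requests without calling the SAM.
                    messageInfo.getMap().put(AUTO_APPLY_SESSION, Boolean.TRUE.toString());
                    return AuthStatus.SUCCESS;
                }
            }

            // No usable credential: challenge the client and stop processing the request.
            response.setHeader("WWW-Authenticate", "Bearer");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

The only difference between the two keys, from the SAM's point of view, is the first branch of {{validateRequest}}: with {{registerSession}} alone that branch runs on every request of the session, while with {{autoApplySession}} honoured by the container it never runs, which is exactly the boilerplate this issue wants to remove.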
