users@jaspic-spec.java.net

[JIRA] Created: (JASPIC_SPEC-22) Modification of authenticated identity without re-authentication

From: arjan tijms (JIRA)
Date: Sat, 4 May 2013 18:35:35 +0000 (UTC)

Modification of authenticated identity without re-authentication
----------------------------------------------------------------

                 Key: JASPIC_SPEC-22
                 URL: https://java.net/jira/browse/JASPIC_SPEC-22
             Project: jaspic-spec
          Issue Type: New Feature
            Reporter: arjan tijms


A common use case in web applications is that users log-in with their email address, which then becomes the user/caller principal once authenticated.

A user should be allowed to change her email address, but this is not easily supported by JASPIC, since this also requires a re-authentication, which in turn likely needs the original credentials used for authentication (which a secure application of course does not store, so cannot use for this case).

This means that a user either needs to provide these credentials together with the action of changing the email, which is not entirely user friendly in the first place. Those provided credentials may possibly not even be usable for programmatic re-authentication if the SAM that's used only supports asking for them directly from the user.

Another option is to immediately log the user out after changing the email, which again is not really user friendly.

Something similar holds for roles; a user may obtain new roles during a session (for example by making a payment, or obtaining a reward for some online action, etc). Requiring the user to log-out and log-in again for the new role to take effect is not always desirable.

See also: http://stackoverflow.com/questions/2487224/how-to-handle-dynamic-role-or-username-changes-in-jsf

In order to support such use cases I'd like to propose that the possibility to handle changes to the authenticated identity without the need for a manual logout and login (re-authenticate) be added to JASPIC.

One possibility could be for a variant on {{HttpServletRequest#authenticate}} that takes one or more {{Callbacks}}, and the definition of several new {{Callbacks}}, e.g.

* {{AddGroupPrincipalCallback}} - Adds a new group/role to the authenticated identity
* {{RemoveGroupPrincipalCallback}} - Removes an existing group/role from the authenticated identity
* {{UpdateCallerPrincipalCallback}} - Updates the caller principal in the authenticated identity

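As an added illustration (not the reporter's code and not part of JASPIC), the following hypothetical SAM shows the workaround available with the existing {{CallerPrincipalCallback}} and {{GroupPrincipalCallback}}: because the container invokes the SAM on every request, the SAM can re-assert whatever caller name and groups the HTTP session currently holds, so an updated email or a newly granted role takes effect on the next request without a logout/login. It assumes the initial login flow (omitted) stores those values under the session attribute names invented here, and that the application only updates them after verifying the user is entitled to the change.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
// Hypothetical SAM (added example, not JASPIC API): caller name and groups are kept in the HTTP
// session and re-asserted to the container on every request, so changes become visible at once.
public class SessionIdentitySam implements ServerAuthModule {
    static final String NAME_ATTR = "example.callerName";     // this example's own attribute keys
    static final String GROUPS_ATTR = "example.callerGroups";
    static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) {
        this.handler = h;
    }
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpSession session = request.getSession(false);
        String name = session == null ? null : (String) session.getAttribute(NAME_ATTR);
        String[] groups = session == null ? null : (String[]) session.getAttribute(GROUPS_ATTR);
        try {
            if (name == null) {
                if (!Boolean.parseBoolean(String.valueOf(info.getMap().get(MANDATORY)))) {
                    // unprotected resource: proceed as an unauthenticated caller
                    handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) });
                    return AuthStatus.SUCCESS;
                }
                // protected resource and nobody logged in; the initial login flow is out of scope here
                ((HttpServletResponse) info.getResponseMessage()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            // Authenticated session: the container receives whatever the session holds right now,
            // so a changed caller name or group list takes effect without a logout/login cycle.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, name),
                new GroupPrincipalCallback(clientSubject, groups == null ? new String[0] : groups) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo i, Subject s) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo i, Subject s) { s.getPrincipals().clear(); }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

Note that the container's own cached authentication state (for example a session registered via the JASPIC 1.1 {{javax.servlet.http.registerSession}} property) is not touched by this approach; it only works because the identity is re-established from the SAM's own session data on each request.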