users@jaspic-spec.java.net

[JIRA] Created: (JASPIC_SPEC-23) Status code for processing handler but not invoking resource

From: arjan tijms (JIRA) <"arjan>
Date: Sat, 10 Aug 2013 10:15:01 +0000 (UTC)

Status code for processing handler but not invoking resource
------------------------------------------------------------

                 Key: JASPIC_SPEC-23
                 URL: https://java.net/jira/browse/JASPIC_SPEC-23
             Project: jaspic-spec
          Issue Type: New Feature
            Reporter: arjan tijms


In the Servlet Container Profile of JASPIC the {{ServerAuthModule.validateRequest}} method can return the {{SUCCESS}} status code, which means the given handler should be processed by the JASPIC runtime and the requested resource should be invoked. This same method can also return {{SEND_CONTINUE}}, which means the handler should not be processed and the resource should not be invoked.

Neither of those status codes addresses the use case where a SAM wishes authentication to happen first (and asks the container to remember this) and then immediately redirect to a new resource.

This happens for instance when the user tries to access protected resource {{/A}} after which the SAM redirects the user to an external authentication provider at {{http://example.com}} which then redirects the user back to a general resource at {{/return}} which the SAM is monitoring. The SAM could redirect to {{/A}} first and then do authentication, but this slightly complicates the logic that needs to be coded.

Fragment of code from an actual SAM demonstrating a similar case:

{code}
if (...) {
    // [...]

    if (authenticated) {

        String savedURL = getSavedURL(request);
        // [...]

        // Note: JASPIC doesn't really support authenticating AND redirecting during the same request,
        // so we need to redirect first and then finally do the authentication with the container on
        // the request we redirected to.
        redirect(response, savedURL);
        return SEND_CONTINUE;
    } else {
        // [...]
    }

} else if (isOnOriginalURLAfterAuthenticate(request)) {

    Authenticator authenticator = getSavedAuthenticator(request);
{code}

[Source|https://github.com/arjantijms/two-factor-sam/blob/master/src/main/java/net/eisele/glassfish/twofactorsam/TwoFactorServerAuthModule.java#L110]

For completeness and to make some flows easier to code, I'd like to suggest the introduction of a new status code, something like {{SUCCESS_SEND_CONTINUE}}, meaning:

* Process the handler and any directives put into the {{MessageInfo}} map (such as asking the container to remember the auth session)
* Don't invoke the resource
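The following is an added, self-contained illustration of the three-request workaround described above; it is not the two-factor-sam code linked from this issue and not part of the JASPIC specification. It assumes a hypothetical external provider URL ({{https://idp.example.invalid/login}}), a hypothetical return path ({{/return}}) and hypothetical session attribute names; the {{javax.servlet.http.registerSession}} and {{isMandatory}} map keys are the ones defined by the JASPIC 1.1 Servlet Container Profile. Request 1 saves the original URL and redirects to the provider ({{SEND_CONTINUE}}); request 2, the provider callback, checks a state nonce, parks the asserted user in the session and redirects back ({{SEND_CONTINUE}}); only request 3 performs the container authentication and returns {{SUCCESS}}. The comment in the callback branch marks the place where a {{SUCCESS_SEND_CONTINUE}} status would collapse requests 2 and 3 into one.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not the two-factor-sam code): a SAM that must redirect first and
// authenticate on the next request because validateRequest has no "process the
// handler but do not invoke the resource" status.
public class RedirectThenAuthenticateSam implements ServerAuthModule {

    // Hypothetical values; a real SAM would take these from the module options.
    private static final String PROVIDER_URL = "https://idp.example.invalid/login";
    private static final String RETURN_PATH = "/return";
    private static final String SAVED_URL = "sam.savedUrl";       // hypothetical session key
    private static final String STATE = "sam.state";              // hypothetical session key
    private static final String PENDING_USER = "sam.pendingUser"; // hypothetical session key

    private CallbackHandler handler;
    private final SecureRandom random = new SecureRandom();

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        HttpSession session = request.getSession();
        try {
            if (RETURN_PATH.equals(request.getServletPath())) {
                // Request 2: back from the provider. Bind the callback to the session that
                // started the flow via the state nonce, so a forged callback cannot log in.
                // (Verifying the provider's assertion itself is out of scope here.)
                String expected = (String) session.getAttribute(STATE);
                if (expected == null || !expected.equals(request.getParameter("state"))) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return AuthStatus.SEND_FAILURE;
                }
                session.removeAttribute(STATE);
                session.setAttribute(PENDING_USER, request.getParameter("user"));
                // With a SUCCESS_SEND_CONTINUE status the CallerPrincipalCallback and
                // registerSession below could happen right here; without it, redirect first.
                String savedUrl = (String) session.getAttribute(SAVED_URL);
                response.sendRedirect(savedUrl != null ? savedUrl : request.getContextPath() + "/");
                return AuthStatus.SEND_CONTINUE;
            }

            String pendingUser = (String) session.getAttribute(PENDING_USER);
            if (pendingUser != null) {
                // Request 3: on the redirected-to request, do the real container authentication
                // and ask the container to remember it for the rest of the session.
                session.removeAttribute(PENDING_USER);
                session.removeAttribute(SAVED_URL);
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, pendingUser) });
                messageInfo.getMap().put("javax.servlet.http.registerSession", Boolean.TRUE.toString());
                return AuthStatus.SUCCESS;
            }

            boolean mandatory = Boolean.parseBoolean(
                (String) messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory"));
            if (mandatory) {
                // Request 1: protected resource, nobody logged in: save the URL, go to the provider.
                String state = Long.toHexString(random.nextLong()) + Long.toHexString(random.nextLong());
                session.setAttribute(STATE, state);
                session.setAttribute(SAVED_URL, request.getRequestURL().toString());
                response.sendRedirect(PROVIDER_URL + "?state=" + state);
                return AuthStatus.SEND_CONTINUE;
            }

            // Unprotected resource: establish an anonymous caller and let it through.
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException(e.getMessage());
            ae.initCause(e);
            throw ae;
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear();
    }
}
```

The state nonce is the check worth keeping whatever the status code ends up being: without it the {{/return}} endpoint would accept any callback that names a user, and the saved URL is only ever one the container itself produced, so the final redirect cannot be pointed off-site.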

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira