users@jaspic-spec.java.net

[JIRA] Commented: (JASPIC_SPEC-21) Support for events

From: kithouna (JIRA)
Date: Wed, 9 Oct 2013 14:50:28 +0000 (UTC)

    [ https://java.net/jira/browse/JASPIC_SPEC-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=369472#action_369472 ]

kithouna commented on JASPIC_SPEC-21:
-------------------------------------

Another use case: increase the HTTP session timeout after a user logs in. The AuthEvent should therefore give access to the JASPIC request/response.

> Support for events
> ------------------
>
> Key: JASPIC_SPEC-21
> URL: https://java.net/jira/browse/JASPIC_SPEC-21
> Project: jaspic-spec
> Issue Type: New Feature
> Reporter: arjan tijms
>
> For several use cases it would be quite convenient if JASPIC would throw events at several important moments of the authentication message exchange.
> Such events could be:
> * PreAuthenticate
> * PostAuthenticate
> * PreLogout
> * PostLogout
> User code could possibly register for such events in [the same way|https://javaee-spec.java.net/nonav/javadocs/javax/servlet/http/HttpSessionIdListener.html] such code can register for events from the Servlet container; annotating the listener class and implementing an interface.
> E.g.
> {code}
> @SecurityListener
> public class MyListener implements AuthenticationListener {
>     public void preAuthenticate(AuthEvent authEvent) {
>         // ...
>     }
>     public void postAuthenticate(AuthEvent authEvent) {
>         // ...
>     }
> }
> {code}
> Additionally CDI style events can be supported as well.
> Use cases for such event listeners are among others:
> * Keeping track of the number of logged-in users
> * Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
> * Creating a new local user after the first successful authentication via a remote authentication provider
> * Loading application specific preferences into the HTTP session after a user logs in
> Specifically for the second use case a PreAuthenticate listener should be able to veto the authentication attempt (at which JASPIC could respond by e.g. sending a 403 to the client).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
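Added example, not code from the issue or from the JASPIC project: a sketch of what listeners for two of the use cases on this page could look like, the failed-login counter that vetoes in preAuthenticate and the session-timeout change from kithouna's comment. AuthEvent, AuthenticationListener and the veto() method are assumptions about the not-yet-specified API (the container would fire preAuthenticate before validateRequest and answer a vetoed event with e.g. 403); only the javax.servlet types are real and are assumed to be on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical event type: carries the request/response (as the comment asks for)
// and a veto flag that a PreAuthenticate listener can set.
final class AuthEvent {
    final HttpServletRequest request;
    final HttpServletResponse response;
    final String username;   // account named in the credentials, null if none yet
    final boolean succeeded; // only meaningful for post-authenticate events
    private boolean vetoed;
    AuthEvent(HttpServletRequest rq, HttpServletResponse rs, String user, boolean ok) {
        request = rq; response = rs; username = user; succeeded = ok;
    }
    void veto() { vetoed = true; }
    boolean isVetoed() { return vetoed; }
}

// Hypothetical listener interface; only the two authenticate hooks are shown.
interface AuthenticationListener {
    default void preAuthenticate(AuthEvent e) {}
    default void postAuthenticate(AuthEvent e) {}
}

// Brute-force use case: count failures per account and veto further attempts
// once the threshold is reached; a successful login clears the counter.
final class FailedLoginListener implements AuthenticationListener {
    static final int MAX_FAILURES = 5; // constructed threshold for the example
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    @Override public void preAuthenticate(AuthEvent e) {
        if (e.username != null && failures.getOrDefault(e.username, 0) >= MAX_FAILURES) {
            e.veto(); // container is expected to reject the attempt, e.g. with 403
        }
    }
    @Override public void postAuthenticate(AuthEvent e) {
        if (e.username == null) return;
        if (e.succeeded) failures.remove(e.username);
        else failures.merge(e.username, 1, Integer::sum);
    }
}

// Session-timeout use case from the comment: a longer inactivity limit once the
// user is authenticated, set on the real HttpSession reachable via the request.
final class SessionTimeoutListener implements AuthenticationListener {
    @Override public void postAuthenticate(AuthEvent e) {
        if (e.succeeded) e.request.getSession(true).setMaxInactiveInterval(8 * 3600);
    }
}
```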