users@jaspic-spec.java.net

[JIRA] (JASPIC_SPEC-23) Status code for processing handler but not invoking resource

From: monzillo (JIRA) <"monzillo>
Date: Tue, 16 Dec 2014 18:59:54 +0000 (UTC)

    [ https://java.net/jira/browse/JASPIC_SPEC-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=382401#comment-382401 ]

monzillo commented on JASPIC_SPEC-23:
-------------------------------------

Note that a SAM that manages its own sessions can establish an authentication session, and then redirect (and return SEND_CONTINUE).

It sounds like you are looking for a way for a SAM to return SEND_CONTINUE while also causing the container to do registerSession.

Note that I don't believe there is any prohibition on a SAM using the CBH prior to returning SEND_CONTINUE, and AYK, SEND_CONTINUE causes the container to return the response from the SAM (without invoking the resource). As such, changing the profile wrt the processing of registerSession may be a simple change that would meet your needs.

I haven't tried it, but you may be able to get the behavior you seek by writing a SAM that calls request.authenticate, in which case authenticate will make an internal call to validateRequest. The internal call should perform the authentication and return SUCCESS (with registerSession in msgInfo), and then the encapsulating call should do the redirect and return SEND_CONTINUE. You would need to convey some state to influence the behavior of the SAM.


> Status code for processing handler but not invoking resource
> ------------------------------------------------------------
>
> Key: JASPIC_SPEC-23
> URL: https://java.net/jira/browse/JASPIC_SPEC-23
> Project: jaspic-spec
> Issue Type: New Feature
> Reporter: arjan tijms
>
> In the Servlet Container Profile of JASPIC the {{ServerAuthModule.validateRequest}} method can return the {{SUCCESS}} status code, which means the given handler should be processed by the JASPIC runtime and the requested resource should be invoked. This same method can also return {{SEND_CONTINUE}}, which means the handler should not be processed and the resource should not be invoked.
> Neither of those status codes addresses the use case where a SAM wishes authentication to happen first (and ask the container to remember this) and then immediately redirect to a new resource.
> This happens for instance when the user tries to access protected resource {{/A}} after which the SAM redirects the user to an external authentication provider at {{http://example.com}} which then redirects the user back to a general resource at {{/return}} which the SAM is monitoring. The SAM could redirect to {{/A}} first and then do authentication, but this slightly complicates the logic that needs to be coded.
> Fragment of code from an actual SAM demonstrating a similar case:
> {code}
> if (...) {
>     // [...]
>
>     if (authenticated) {
>
>         String savedURL = getSavedURL(request);
>         // [...]
>
>         // Note: JASPIC doesn't really support authenticating AND redirecting during the same request,
>         // so we need to redirect first and then finally do the authentication with the container on
>         // the request we redirected to.
>         redirect(response, savedURL);
>         return SEND_CONTINUE;
>     } else {
>         // [...]
>     }
>
> } else if (isOnOriginalURLAfterAuthenticate(request)) {
>
>     Authenticator authenticator = getSavedAuthenticator(request);
> {code}
> [Source|https://github.com/arjantijms/two-factor-sam/blob/master/src/main/java/net/eisele/glassfish/twofactorsam/TwoFactorServerAuthModule.java#L110]
> For completeness and to make some flows easier to code, I'd like to suggest the introduction of a new status code, something like {{SUCCESS_SEND_CONTINUE}}, meaning:
> * Process the handler and any directives put into the {{MessageInfo}} map (such as asking the container to remember the auth session)
> * Don't invoke the resource
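The flow the reporter describes (authenticate on the {{/return}} callback, have the container remember the session, then redirect to the originally requested resource) combined with the nested request.authenticate approach from monzillo's comment, as an added illustrative Java SAM. This is not code from the issue's linked two-factor-sam project, and, as the comment itself says, the approach is untested: it assumes that the container turns request.authenticate() into a nested validateRequest on the same module and that the nested call sees the same HttpServletRequest (and so its attributes, which carry the state between the two calls). The attribute names, provider URL, state-token check and the "user" parameter are all hypothetical; the two map keys are the ones defined by the JASPIC 1.1 Servlet Container Profile.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.UUID;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical SAM: the outer validateRequest calls request.authenticate(), which is assumed
 *  to re-enter validateRequest on this module. The nested call authenticates and returns
 *  SUCCESS with registerSession; the outer call then redirects and returns SEND_CONTINUE. */
public class AuthenticateThenRedirectSam implements ServerAuthModule {
    // Hypothetical attribute names. NESTED marks the re-entrant call; this assumes the container
    // hands the same HttpServletRequest (with its attributes) to the nested validateRequest.
    private static final String NESTED = "example.sam.nested";
    private static final String CALLER = "example.sam.caller";
    private static final String SAVED_URL = "example.sam.savedUrl";
    private static final String STATE = "example.sam.state";
    // Keys defined by the JASPIC 1.1 Servlet Container Profile.
    private static final String REGISTER_SESSION = "javax.servlet.http.registerSession";
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Hypothetical external provider, and the callback path the issue mentions.
    private static final String PROVIDER_URL = "https://idp.example.invalid/login";
    private static final String RETURN_PATH = "/return";

    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy,
                                     CallbackHandler handler, Map options) { this.handler = handler; }

    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                                Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        try {
            // 1. Nested call (inside request.authenticate): establish the caller through the CBH
            //    and ask the container to remember the session. No resource is invoked here
            //    because the outer validateRequest is still in progress.
            if (Boolean.TRUE.equals(request.getAttribute(NESTED))) {
                String caller = (String) request.getAttribute(CALLER);
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, caller) });
                info.getMap().put(REGISTER_SESSION, "true");
                return AuthStatus.SUCCESS;
            }
            HttpSession session = request.getSession(false);
            // 2. Outer call on the provider's return URL: check the callback, authenticate via the
            //    nested call, then redirect to the resource that was originally requested.
            if (RETURN_PATH.equals(request.getServletPath()) && session != null) {
                String caller = callerFromProviderResponse(request, session);
                if (caller == null) {                       // forged or replayed callback: refuse
                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE;
                }
                request.setAttribute(CALLER, caller);
                request.setAttribute(NESTED, Boolean.TRUE);
                boolean ok;
                try { ok = request.authenticate(response); } // assumed to re-enter validateRequest
                finally { request.removeAttribute(NESTED); request.removeAttribute(CALLER); }
                if (!ok) {
                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE;
                }
                String target = (String) session.getAttribute(SAVED_URL);
                session.removeAttribute(SAVED_URL);
                response.sendRedirect(target != null ? target : request.getContextPath() + "/");
                return AuthStatus.SEND_CONTINUE;            // authenticated AND redirected
            }
            // 3. Unauthenticated request for a protected resource: remember it, go to the provider.
            if (Boolean.parseBoolean(String.valueOf(info.getMap().get(IS_MANDATORY)))) {
                session = request.getSession(true);
                session.setAttribute(SAVED_URL, request.getRequestURI()); // same-origin path only
                String state = UUID.randomUUID().toString(); // single-use token binding the callback
                session.setAttribute(STATE, state);
                response.sendRedirect(PROVIDER_URL + "?state=" + state);
                return AuthStatus.SEND_CONTINUE;
            }
            // 4. Unprotected resource: let it through anonymously.
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) });
            return AuthStatus.SUCCESS;
        } catch (IOException | ServletException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    // Hypothetical callback check: the state token must match the one issued in step 3 (rejects
    // forged or replayed callbacks). A real SAM would verify the provider's signed assertion here
    // rather than trusting a plain "user" parameter.
    private static String callerFromProviderResponse(HttpServletRequest request, HttpSession session) {
        String expected = (String) session.getAttribute(STATE);
        session.removeAttribute(STATE);
        String state = request.getParameter("state");
        String user = request.getParameter("user");
        if (expected == null || state == null || user == null) return null;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     state.getBytes(StandardCharsets.UTF_8)) ? user : null;
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override public void cleanSubject(MessageInfo info, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

The point of the nesting is that the container, not the SAM, processes the registerSession directive: it is honoured on the inner SUCCESS return, while the outer SEND_CONTINUE return only delivers the redirect and never reaches the resource. Whether a given container actually re-enters the same module from request.authenticate(), and whether the request attributes survive that hop, is exactly what the comment leaves untested, so a deployment should confirm both before relying on this instead of the redirect-first approach in the reporter's fragment.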



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)