users@jaspic-spec.java.net

Re: [servlet-spec users] Re: RequestListeners invoked before or after authentication modules?

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Wed, 25 Mar 2015 23:09:19 +0100

Hi Ron,

On Wed, Mar 25, 2015 at 10:04 PM, Ron Monzillo <ron.monzillo_at_oracle.com>
wrote:

> The Servlet Spec doesn't get specific about when SAMs must be invoked.
> IOW, the request must have been initialized,
> but perhaps the initialized event could be delayed until after the SAM is
> called. If this needs to be specified, I would
> expect it would belong in the Servlet Profile of JSR 196.
>

Okay, that might be the best place indeed.



> It may be worth noting that a RequestListener that is invoked before the
> configured authentication mechanism (in this case
> a SAM), could be invoking application code before the request has been
> authorized by the container.
>

Yes, that's indeed a consequence, but the reality is of course that this
has been the case for a long time. At least JBoss AS 7.1 and GlassFish 3.1
had this behavior if I'm not mistaken, and those two together are a rather
large percentage of the Java EE market.



> Is it sufficient to establish that the servlet request must have been
> initialized before the SAM is invoked?
>

Well, the reason I was particularly interested in this is the fact that in
most (all?) cases the CDI per request initialization is done in a
RequestListener. So having the RequestListener be invoked before the SAM is
invoked *may* be a practical prerequisite for having CDI support in a SAM.
I've asked the CDI EG if this is indeed the case, but it seems likely it is.

Kind regards,
Arjan

>
> I suggest we move this discussion off the Servlet list.
> Ron
>
>
> On 3/25/15 10:29 AM, arjan tijms wrote:
>
> Hi,
>
> I can't find much if anything in the spec whether a
> ServletRequestListener is supposed to be invoked before or after an
> authentication module. More specifically before or after a JASPIC SAM is
> invoked, but the question is interesting for native authentication
> mechanisms just as well.
>
> Currently the spec (via its javadoc) says:
>
> "Interface for receiving notification events about requests coming
> into and going out of scope of a web application."
>
> In case of a Servlet Profile JASPIC SAM, it's an application level
> component that gets to see the request.
>
> However, the following paragraph doesn't fit:
>
> "A ServletRequest is defined as coming into scope of a web
> application when it is about to enter the first servlet or filter
> of the web application, and as going out of scope as it exits
> the last servlet or the first filter in the chain."
>
> This is problematic, since a SAM is invoked before the first servlet or
> filter, and again after the last servlet or filter.
>
> I tested this on 3 well known servers (by adding a RequestListener and a
> couple of System.out lines to the SAM used here:
> https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/basic-authentication)
> and the results were as follows:
>
> WLS 12.1.3
> SAM called
> RequestListener called
>
> JBoss WildFly 8.2
> RequestListener called
> SAM called
>
> GlassFish 4.1
> RequestListener called
> SAM called
>
> So GlassFish and JBoss invoke the ServletRequestListener BEFORE a
> ServerAuthenticationModule (SAM) while WebLogic does so AFTER.
>
> Clearly having Java EE implementations doing things differently here is
> not ideal.
>
> I would like to propose that RequestListeners are invoked before a SAM
> is invoked.
>
> Thoughts?
>
> Kind regards,
> Arjan Tijms
>
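The ordering probe described in the thread, written out as an added example (this is not Arjan's code and not the javaee7-samples module he links to). It pairs a ServletRequestListener with a minimal ServerAuthModule, both of which append to a shared ordered log together with the value of request.getUserPrincipal() at that moment; the class names OrderLog, OrderProbeListener and OrderProbeSam and the caller name "probe-user" are hypothetical. It assumes the SAM is registered with the container's AuthConfigFactory by the application (for example through an AuthConfigProvider registered from a ServletContextListener, as the linked sample does); that registration is not shown.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CopyOnWriteArrayList;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Ordered record of which component saw the request first (constructed for this probe; hypothetical name). */
final class OrderLog {
    static final List<String> EVENTS = new CopyOnWriteArrayList<>();

    static void note(String who, HttpServletRequest request) {
        Principal caller = request.getUserPrincipal();
        // A null principal here means the container has not yet established the caller,
        // i.e. this code is running before the configured authentication mechanism.
        String line = EVENTS.size() + ": " + who + " uri=" + request.getRequestURI()
                + " principal=" + (caller == null ? "null" : caller.getName());
        EVENTS.add(line);
        System.out.println(line);
    }
}

/** Hypothetical listener, picked up by annotation scanning. */
@WebListener
public class OrderProbeListener implements ServletRequestListener {
    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        OrderLog.note("RequestListener.requestInitialized", (HttpServletRequest) sre.getServletRequest());
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        OrderLog.note("RequestListener.requestDestroyed", (HttpServletRequest) sre.getServletRequest());
    }
}

/** Hypothetical SAM; the application must register it with the AuthConfigFactory (assumed, not shown). */
class OrderProbeSam implements ServerAuthModule {
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        OrderLog.note("SAM.validateRequest", request);
        // Probe only: unconditionally establish a fixed caller ("probe-user", hypothetical) so the
        // listener's view of getUserPrincipal() can be compared before and after the SAM ran.
        // A real SAM would authenticate the request here and return SEND_FAILURE or SEND_CONTINUE.
        try {
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, "probe-user") });
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException(e.getMessage());
            ae.initCause(e);
            throw ae;
        }
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
        OrderLog.note("SAM.secureResponse", (HttpServletRequest) messageInfo.getRequestMessage());
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        subject.getPrincipals().clear();
    }
}
```

Deploy the war, request any resource once and read the printed lines. On a server that runs the listener first, the "RequestListener.requestInitialized" line appears before "SAM.validateRequest" and carries "principal=null", which is exactly the situation Ron describes: application code (the listener, and whatever CDI or other per-request setup it triggers) runs before the container has authenticated or authorized the request. On a server that runs the SAM first, the listener line comes second and already shows "probe-user".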