users@jaspic-spec.java.net

Re: [servlet-spec users] request#authenticate - start new vs continue

From: Greg Wilkins <gregw_at_webtide.com>
Date: Wed, 20 Apr 2016 12:28:00 +1000

On 20 April 2016 at 08:17, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
>
> It doesn't explicitly say it with so many words, but in practice this
> boils down to a *mandated* authentication (the "login mechanism" must
> authenticate) and it's implicitly taken to start a *new* authentication
> dialog/interaction with the caller.
>

This is not exactly how Jetty interprets this.

Specifically we have a concept of deferred authentication, were credentials
may have been supplied (by BASIC/DIGEST headers or be a part of a current
session), but that have not been checked because the request did not match
a security constraint with authentication requirements.

In such cases, a call to authenticate will attempt a login with the
credentials/session already available and thus will often be able to return
true and not need to start a *new* authentication interaction.



> I found however that there's also a use case where the application needs
> to indicate that an existing authentication dialog should be *continued*.
> Often this is in combination with the application providing some data
> (typically credentials).
>
> E.g.
>
> * Caller accesses protected resource
> * Authentication mechanism forwards to login page
> * Login page posts back to itself
> * The application runs validators on the postback (e.g. using bean
> validation)
> * The application wants to signal the authentication mechanism to continue
> the authentication process with the (validated) data
>
> The following code shows an example of this:
> https://github.com/javaee-security-spec/soteria/blob/master/test/app-mem-customform/src/main/java/test/LoginBacking.java#L76
>
>
Sorry I'm not following your example? I can see no call to authenticate()
in that example code?
Are you saying you want to authenticate without using a form target
of /j_security_check ??? If so, isn't that what the login API is for?

Can you explain in a little bit more detail... perhaps leaving out JSF and
expressing it in pure Servlet API terms?

regards


-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com