users@jaspic-spec.java.net

[JIRA] (JASPIC_SPEC-21) Support for events

From: paulkmoore (JIRA) <"paulkmoore>
Date: Fri, 20 Jan 2017 11:03:32 +0000 (UTC)

    [ https://java.net/jira/browse/JASPIC_SPEC-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=394124#comment-394124 ]

paulkmoore commented on JASPIC_SPEC-21:
---------------------------------------

Another use case: allow the customisation of HTTP responses (e.g. www-authenticate) that are handled exclusively by the servlet container pre-application instantiation e.g. JAX-RS SPI

> Support for events
> ------------------
>
> Key: JASPIC_SPEC-21
> URL: https://java.net/jira/browse/JASPIC_SPEC-21
> Project: jaspic-spec
> Issue Type: New Feature
> Reporter: arjan tijms
>
> For several use cases it would be quite convenient if JASPIC would throw events at several important moments of the authentication message exchange.
> Such events could be:
> * PreAuthenticate
> * PostAuthenticate
> * PreLogout
> * PostLogout
> User code could possibly register for such events in [the same way|https://javaee-spec.java.net/nonav/javadocs/javax/servlet/http/HttpSessionIdListener.html] such code can register for events from the Servlet container; annotating the listener class and implementing an interface.
> E.g.
> {code}
> @SecurityListener
> public class MyListener implements AuthenticationListener {
> public void preAuthenticate(AuthEvent authEvent) {
> // ...
> }
> public void postAuthenticate(AuthEvent authEvent) {
> // ...
> }
> }
> {code}
> Additionally CDI style events can be supported as well.
> Use cases for such event listeners are among others:
> * Keeping track of the number of logged-in users
> * Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
> * Creating a new local user after the first successful authentication via a remote authentication provider
> * Loading application specific preferences into the HTTP session after a user logs-in
> Specifically for the second use case a PreAutenticate listener should be able to veto the authentication attempt (at which JASPIC could respond by e.g. sending a 403 to the client). 



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.