Reviewing the JSR-375 scope documentation, I am just thinking: before the
end of "Terminology" and before the commencement of "API for
Authentication Mechanism", should we spend some time covering the
different general approaches to authentication?

I think a lot is discussed in terms of HTTP, but that is not the only
entry to an application server for the purpose of invocation.

Within HTTP we have authentication that can occur and be associated with
a session; there are then authentication mechanisms that continue to
send challenge responses with each subsequent request. We also have
SSO-based authentication, where there could be a different lifecycle to
the underlying session.

Then for non-HTTP we have a range from authentication on establishing a
connection to the server through to authentication associated with a
specific invocation.

Regards,
Darran Lofthouse.