[javaee-security-spec users] [jsr375-experts] Re: [servlet-spec users] Re: request#authenticate - start new vs continue

From: Stuart Douglas <>
Date: Wed, 20 Apr 2016 02:39:04 +0000

On Wed, 20 Apr 2016 at 12:28 Greg Wilkins <> wrote:

> On 20 April 2016 at 08:17, arjan tijms <> wrote:
>> It doesn't explicitly say it with so many words, but in practice this
>> boils down to a *mandated* authentication (the "login mechanism" must
>> authenticate) and it's implicitly taken to start a *new* authentication
>> dialog/interaction with the caller.
> This is not exactly how Jetty interprets this.
> Specifically we have a concept of deferred authentication, were
> credentials may have been supplied (by BASIC/DIGEST headers or be a part of
> a current session), but that have not been checked because the request did
> not match a security constraint with authentication requirements.
> In such cases, a call to authenticate will attempt a login with the
> credentials/session already available and thus will often be able to return
> true and not need to start a *new* authentication interaction.

We implement this the same way.


>> I found however that there's also a use case where the application needs
>> to indicate that an existing authentication dialog should be *continued*.
>> Often this is in combination with the application providing some data
>> (typically credentials).
>> E.g.
>> * Caller accesses protected resource
>> * Authentication mechanism forwards to login page
>> * Login page posts back to itself
>> * The application runs validators on the postback (e.g. using bean
>> validation)
>> * The application wants to signal the authentication mechanism to
>> continue the authentication process with the (validated) data
>> The following code shows an example of this:
> Sorry I'm not following your example? I can see no call to authenticate()
> in that example code?
> Are you saying you want to authenticate without using a form target
> of /j_security_check ??? If so, isn't that what the login API is for?
> Can you explain in a little bit more detail... perhaps leaving out JSF and
> expressing it in pure Servlet API terms?
> regards
> --
> Greg Wilkins <> CTO