users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: [servlet-spec users] Re: request#authenticate - start new vs continue

From: Stuart Douglas <stuart.w.douglas_at_gmail.com>
Date: Wed, 20 Apr 2016 02:39:04 +0000

On Wed, 20 Apr 2016 at 12:28 Greg Wilkins <gregw_at_webtide.com> wrote:

> On 20 April 2016 at 08:17, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>
>>
>> It doesn't explicitly say it with so many words, but in practice this
>> boils down to a *mandated* authentication (the "login mechanism" must
>> authenticate) and it's implicitly taken to start a *new* authentication
>> dialog/interaction with the caller.
>>
>
> This is not exactly how Jetty interprets this.
>
> Specifically we have a concept of deferred authentication, were
> credentials may have been supplied (by BASIC/DIGEST headers or be a part of
> a current session), but that have not been checked because the request did
> not match a security constraint with authentication requirements.
>
> In such cases, a call to authenticate will attempt a login with the
> credentials/session already available and thus will often be able to return
> true and not need to start a *new* authentication interaction.
>

We implement this the same way.

Stuart


>
>
>
>> I found however that there's also a use case where the application needs
>> to indicate that an existing authentication dialog should be *continued*.
>> Often this is in combination with the application providing some data
>> (typically credentials).
>>
>> E.g.
>>
>> * Caller accesses protected resource
>> * Authentication mechanism forwards to login page
>> * Login page posts back to itself
>> * The application runs validators on the postback (e.g. using bean
>> validation)
>> * The application wants to signal the authentication mechanism to
>> continue the authentication process with the (validated) data
>>
>> The following code shows an example of this:
>> https://github.com/javaee-security-spec/soteria/blob/master/test/app-mem-customform/src/main/java/test/LoginBacking.java#L76
>>
>>
> Sorry I'm not following your example? I can see no call to authenticate()
> in that example code?
> Are you saying you want to authenticate without using a form target
> of /j_security_check ??? If so, isn't that what the login API is for?
>
> Can you explain in a little bit more detail... perhaps leaving out JSF and
> expressing it in pure Servlet API terms?
>
> regards
>
>
> --
> Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
>