users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: request#authenticate - start new vs continue

From: Darran Lofthouse <darran.lofthouse_at_redhat.com>
Date: Fri, 22 Apr 2016 12:30:19 +0100

Coincidentally this type of conversational authentication has popped up
in our ELytron design this week - although in the cases I have looked at
so far I am not sure if the application is a good place for further
decision making.

On 19/04/16 23:17, arjan tijms wrote:
> Hi,
>
> The Servlet specification currently has a
> HttpServletRequest#authenticate() method. Its Javadoc says:
>
> "Use the container login mechanism configured for the ServletContext to
> authenticate the user making this request."
>
> It doesn't explicitly say it with so many words, but in practice this
> boils down to a *mandated* authentication (the "login mechanism" must
> authenticate) and it's implicitly taken to start a *new* authentication
> dialog/interaction with the caller.
>
> I found however that there's also a use case where the application needs
> to indicate that an existing authentication dialog should be
> *continued*. Often this is in combination with the application providing
> some data (typically credentials).
>
> E.g.
>
> * Caller accesses protected resource
> * Authentication mechanism forwards to login page
> * Login page posts back to itself
> * The application runs validators on the postback (e.g. using bean
> validation)
> * The application wants to signal the authentication mechanism to
> continue the authentication process with the (validated) data
>
> The following code shows an example of this:
> https://github.com/javaee-security-spec/soteria/blob/master/test/app-mem-customform/src/main/java/test/LoginBacking.java#L76
>
> Now in JSR 375 we can work around this somewhat by wrapping
> request#authenticate and setting some flags as request attributes, but I
> think this use case may potentially warrant being pushed down the
> Servlet spec.
>
> This would mean a new method or methods, along the lines of a
> HttpServletRequest#authenticateContinue(Map<String, Object> parameters)
> and HttpServletRequest#authenticateNew(Map<String, Object> parameters),
> or perhaps HttpServletRequest#authenticate(boolean newAuth, Map<String,
> Object> parameters), etc.
>
> Thoughts?
>
> Kind regards,
> Arjan Tijms
>
>
>

-- 
Darran Lofthouse - Principal Software Engineer
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham (US), Michael O'Neill (Ireland), Paul Argiry (US)
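Added example, not code from the thread or from Soteria: the request-attribute workaround Arjan mentions (wrap request#authenticate and set flags as request attributes) paired with a custom-form mechanism that reads those flags to decide between starting a new dialog and continuing one. It is written against the final Java EE Security API 1.0 package names (javax.security.enterprise), which postdate this message; the attribute names and the login page path are assumed.

```java
import java.io.IOException;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

final class AuthFlags {
    static final String CONTINUE = "app.auth.continue";     // assumed attribute name
    static final String CREDENTIAL = "app.auth.credential"; // assumed attribute name

    // Called by the application (e.g. the login page's postback handler) once its own
    // validators have accepted the submitted form fields.
    static boolean continueAuthentication(HttpServletRequest req, HttpServletResponse res,
            Credential credential) throws IOException, ServletException {
        req.setAttribute(CONTINUE, Boolean.TRUE);
        req.setAttribute(CREDENTIAL, credential);
        try {
            return req.authenticate(res); // the Servlet API method under discussion
        } finally {
            req.removeAttribute(CREDENTIAL); // do not leave the credential lying on the request
            req.removeAttribute(CONTINUE);
        }
    }
}

@ApplicationScoped
public class CustomFormMechanism implements HttpAuthenticationMechanism {
    @Inject private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) {
        Credential credential = (Credential) request.getAttribute(AuthFlags.CREDENTIAL);
        if (Boolean.TRUE.equals(request.getAttribute(AuthFlags.CONTINUE)) && credential != null) {
            // "continue": the form was already validated by the application; check only the credential
            CredentialValidationResult result = identityStoreHandler.validate(credential);
            return result.getStatus() == CredentialValidationResult.Status.VALID
                    ? context.notifyContainerAboutLogin(result)
                    : context.responseUnauthorized();
        }
        if (context.isProtected()) {
            return context.forward("/login.xhtml"); // "new": start the dialog (login page path assumed)
        }
        return context.doNothing(); // unprotected resource, nothing to do
    }
}
```

Because the flag is a request attribute rather than a parameter, it cannot be set by the caller, which is what keeps the "continue" path from being entered without the application's own validation having run first.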