users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Events for login/logout

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Fri, 31 Mar 2017 18:18:42 +0200

Hi,

On Fri, Mar 31, 2017 at 4:59 PM, Rudy De Busscher <rdebusscher_at_gmail.com>
wrote:

> Hi Arjan,
>
> That would indeed be a good addition for this release (EE8), as it is linked
> to the 'authentication' theme we have.
>
> The question is, what do we put as payload within the event? I should say
> the principal,
> *javax.security.CallerPrincipal*
> which we have created for the spec.
>

Indeed ;) This is also almost the payload I used for the example event in
that kickoff app;

import java.security.Principal;

// Event fired once a caller has been authenticated. SecurityEvent is the
// kickoff app's base event class, which carries the source and the principal.
public class AuthenticatedEvent extends SecurityEvent {

    private static final long serialVersionUID = 1L;

    public AuthenticatedEvent(Object source, Principal principal) {
        super(source, principal);
    }
}

>
> And next to login and logout events, I should also add a *failed login*
> event.
>
> This allows the developers to 'block' a user when there are x failed
> attempts.
>

Definitely, that's a very common request as well.

There are two options here: an actual event called FailedLogin, or a more
general event PostAuthenticate with Failure or so as status.

Likely the FailedLogin as you proposed is better, but just throwing (no
pun) out some options here ;)

One thing to realise here is that Soteria can easily throw the events using
CDI right before it returns the outcome to the container calling it. In
many cases this will be "good enough", but to be actually 100% correct the
events should be thrown by the container when it has actually applied (set)
or removed the authenticated identity.

This unfortunately requires some container specific code, such as shown for
Undertow in the linked article.

Kind regards,
Arjan Tijms
>
> Regards
> Rudy
>
>
> On 31 March 2017 at 14:35, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
>> Hi,
>>
>> One of the things that were discussed early on, but so far hasn't
>> seen much follow-up, is throwing (CDI) events when the caller is
>> authenticated (logs in) and logs out.
>>
>> See this issue: https://java.net/jira/browse/JASPIC_SPEC-21
>>
>> I also wrote an article about this a couple of years ago:
>>
>> http://arjan-tijms.omnifaces.org/2012/12/bridging-undertows-
>> authentication.html
>>
>> An example of how these events can be used in practice is shown here:
>>
>> https://github.com/javaeekickoff/java-ee-kickoff-app/blob/
>> master/src/main/java/org/example/kickoff/model/producer
>> /ActiveUserProducer.java
>>
>> The simple post authenticate events (being informational only) are
>> relatively well understood and something like this is quite often asked for
>> and/or needed by users.
>>
>> I think it would be good to include this in JSR 375.
>>
>> Thoughts?
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Java EE Security API - JSR 375 - Experts" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to jsr375-experts+unsubscribe_at_googlegroups.com.
>> To post to this group, send email to jsr375-experts_at_googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/ms
>> gid/jsr375-experts/CAE%3D-AhCLNv6U297cETZTGK%2B5V4MWi5LxoMyd
>> 0kF3oRF2am2RMQ%40mail.gmail.com
>> <https://groups.google.com/d/msgid/jsr375-experts/CAE%3D-AhCLNv6U297cETZTGK%2B5V4MWi5LxoMyd0kF3oRF2am2RMQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
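As an added illustration of the "block a user after x failed attempts" use case discussed in the thread (example code, not from the thread, the kickoff app or the JSR 375 spec): a CDI observer that counts consecutive failed logins per caller and clears the count on a successful authentication. FailedLoginEvent, the minimal AuthenticatedEvent stand-in (the page's version extends the kickoff app's SecurityEvent), FailedLoginTracker and MAX_FAILURES are all assumed names.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

// Hypothetical failed-login event. It carries only the attempted caller
// name, never the credential that was rejected.
class FailedLoginEvent {
    private final String callerName;
    FailedLoginEvent(String callerName) { this.callerName = callerName; }
    String getCallerName() { return callerName; }
}

// Stand-in for the AuthenticatedEvent shown in the thread, without the
// kickoff app's SecurityEvent base class, so this file compiles on its own.
class AuthenticatedEvent {
    private final Principal principal;
    AuthenticatedEvent(Principal principal) { this.principal = principal; }
    Principal getPrincipal() { return principal; }
}

// Application-wide observer: one counter of consecutive failures per caller.
// The authentication mechanism is expected to consult isBlocked() before it
// validates a credential for that caller.
@ApplicationScoped
public class FailedLoginTracker {
    static final int MAX_FAILURES = 5; // the "x" from the thread; assumed value

    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    // Fired (by Soteria or, ideally, the container) after a rejected attempt.
    void onFailedLogin(@Observes FailedLoginEvent event) {
        failures.merge(event.getCallerName(), 1, Integer::sum);
    }

    // A successful login resets the counter so only consecutive failures count.
    void onAuthenticated(@Observes AuthenticatedEvent event) {
        failures.remove(event.getPrincipal().getName());
    }

    public boolean isBlocked(String callerName) {
        return failures.getOrDefault(callerName, 0) >= MAX_FAILURES;
    }
}
```

Because the counter is keyed on an unverified caller name, the map grows with whatever names are submitted; a deployment would bound it with an expiry and decide separately how a blocked caller is unblocked.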