[javaee-spec users] Re: JASPIC doesn't support HttpServletRequest#login?

From: Ron Monzillo <>
Date: Mon, 04 Feb 2013 19:30:53 -0500

Arjan and I continued this discussion on the JBOSS forum thread at:

where the current state of the discussion is:

calls to JSR 196/JASPIC ServerAuthContext#validateRequest should not be
made under HttpServletRequest#login.
Such calls should be made under HttpServletRequest#authenticate.

In the upcoming MR to the JASPIC spec I agreed to add a requirement to
the Servlet profile of JASPIC that HttpServletRequest.login throw an
exception if JSR 196 is configured for the app, since login presumes
the underlying authentication mechanism is password based, which may
not be the case.


Arjan.tijms wrote:
> Hi,
> I'm playing around with JASPIC in various containers, and from
> experiments it looks like JASPIC doesn't support the
> HttpServletRequest#login method. I tried GlassFish, JBoss AS
> 7.1.3 (EAP 6.0.1) and WebLogic 12.1.1.
> For GlassFish I tried both declarative configuration (as e.g.
> described here
> and programmatic configuration (as I described on my own blog here
> For JBoss AS and WebLogic I only tried the programmatic option.
> In all cases, the SAM is correctly called when a resource is accessed,
> but it's NOT called whenever I call HttpServletRequest#login (e.g.
> from within the doGet method of a simple Servlet). Instead, a default
> login module (default realm) is called. This doesn't seem quite right,
> when a SAM is configured and indeed called in some situations, but
> then a completely different login module is called in another situation.
> Upon inspection of the source code of both GlassFish and JBoss AS, it
> doesn't seem there's any code present that even could delegate this
> call to a JASPIC SAM.
> For instance, in GlassFish the HttpServletRequest#login call is to
> org.apache.catalina.connector.RequestFacade#login, which directly
> calls org.apache.catalina.connector.Request#login (see
> this will call through to
> where "realm_name" will
> be the empty string.
> From there a
> call
> is done (see
> From here Realm.getDefaultRealm() returns "file", which a bit further
> down the call chain is used to obtain an instance of
>, which is
> invoked via a JAAS LoginContext, and throws an exception if the file
> realm can't authenticate the user (and thus WILL authenticate the user
> when credentials are used that are NOT accepted by the JASPIC SAM, but
> happen to be accepted by the default realm, which could open a huge
> security hole).
> In JBoss AS a similar thing happens. For JASPIC support the
> valve needs to
> be configured and this one is called following a call to
> HttpServletRequest#login, but eventually the authenticate method in
> its base class is called (see
> which knows nothing about JASPIC and just delegates to a default realm
> again.
> So, is it indeed true that JASPIC does not
> support HttpServletRequest#login or am I perhaps completely missing
> something?
> Kind regards,
> Arjan Tijms