users@javaee-spec.java.net

[javaee-spec users] Re: Authentication events in Java EE

From: Anatole Tresch <atsticks_at_gmail.com>
Date: Sun, 9 Nov 2014 20:52:46 +0100

Hi Arjan

From my experience, I agree this would be a very useful feature. It would
also help to add something like @UserScoped as a CDI context, which can help
in improving a lot of things. E.g. it is possible to organize data that can
be shared across multiple sessions in web applications, but nevertheless be
isolated on user level. Also, we have use cases where changes in the
security context would be very useful to be determined by listening to
events.

Best,
Anatole


2014-11-07 14:54 GMT+01:00 arjan tijms <arjan.tijms_at_gmail.com>:

> Hi,
>
> A while ago I created https://java.net/jira/browse/JASPIC_SPEC-21
> (Support for events). The idea there is that the authentication system
> throws several events at various stages of the authentication process.
>
> Via this basic and general mechanism a lot of higher level features
> could be realized by applications, such as keeping track of logged-in
> users, protecting against brute force attacks, increasing the session
> time-out after a user logs in and more.
>
> Now there are quite a number of areas of the Java EE security system
> that could use attention and some of that has been discussed before,
> but I don't think this relatively simple but powerful mechanism has
> seen much discussion yet.
>
> Therefore I was wondering what people think about this.
>
> Kind regards,
> Arjan Tijms
>
> p.s.
>
> Since there's no Security JSR yet (and thus no associated mailing
> list) I posted this to the Java EE user's list, which I hope is the
> next best place to discuss this.
>



-- 
*Anatole Tresch*
Java Engineer & Architect, JSR Spec Lead
Glärnischweg 10
CH - 8620 Wetzikon
*Switzerland, Europe Zurich, GMT+1*
*Twitter:  @atsticks*
*Blogs: http://javaremarkables.blogspot.ch/*
*Google: atsticks*
*Mobile: +41-76 344 62 79*
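
Added example, not part of either message and not code from the JASPIC proposal: a sketch of the brute-force protection use case mentioned in the quoted message, built on authentication events. `AuthEvent`, `Outcome` and `LockoutListener` are hypothetical names, since the thread defines no event API. It assumes Java 16+ (records) and an authentication module that calls `isLocked` before validating credentials.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class AuthEventLockoutDemo {
    // Hypothetical event shape: the proposal discussed here defines no API.
    enum Outcome { SUCCESS, FAILURE }
    record AuthEvent(String username, Outcome outcome, Instant when) {}

    /** Listener that locks a username after too many failures inside a window. */
    static final class LockoutListener {
        private record State(int failures, Instant windowStart, Instant lockedUntil) {}
        private final Map<String, State> states = new ConcurrentHashMap<>();
        private final int maxFailures;
        private final Duration window, lockout;

        LockoutListener(int maxFailures, Duration window, Duration lockout) {
            this.maxFailures = maxFailures;
            this.window = window;
            this.lockout = lockout;
        }
        boolean isLocked(String user, Instant now) {
            State s = states.get(user);
            return s != null && s.lockedUntil() != null && now.isBefore(s.lockedUntil());
        }
        void onEvent(AuthEvent e) {
            states.compute(e.username(), (user, s) -> {
                if (s != null && s.lockedUntil() != null && e.when().isBefore(s.lockedUntil()))
                    return s;                                    // still locked: ignore
                if (e.outcome() == Outcome.SUCCESS) return null; // success clears the count
                // Start a new window if none exists, a lock has expired, or the window ran out.
                boolean fresh = s == null || s.lockedUntil() != null
                        || Duration.between(s.windowStart(), e.when()).compareTo(window) > 0;
                int failures = fresh ? 1 : s.failures() + 1;
                Instant until = failures >= maxFailures ? e.when().plus(lockout) : null;
                return new State(failures, fresh ? e.when() : s.windowStart(), until);
            });
        }
    }

    public static void main(String[] args) {
        LockoutListener l = new LockoutListener(3, Duration.ofMinutes(5), Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2014-11-09T20:00:00Z");     // constructed sample events
        for (int i = 0; i < 3; i++)
            l.onEvent(new AuthEvent("alice", Outcome.FAILURE, t0.plusSeconds(10L * i)));
        System.out.println("locked after 3 failures: " + l.isLocked("alice", t0.plusSeconds(30)));
        System.out.println("locked 20 min later:     " + l.isLocked("alice", t0.plusSeconds(1200)));
    }
}
```

The per-username map grows with every distinct name that fails, so a deployment would bound or expire its entries; locking by username alone also lets anyone lock out a known account, which is why such counters are often keyed on source address as well.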