users@javaee-spec.java.net

[javaee-spec users] Re: Authentication events in Java EE

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Tue, 11 Nov 2014 11:35:29 +0100

Hi,

@UserScoped sure sounds like an interesting idea, and indeed authentication
events could be a key enabler for this.

Several things to think about:

Where should those events be defined?

* Platform level
* Servlet (starts and ends auth in web app)
* JASPIC (actually does authentication)
* Security JSR (umbrella for all things security? But doesn't exist yet)

What technology should the events be based on?

* Servlet listeners
* CDI events
* Something else

Kind regards,
Arjan


On Sunday, November 9, 2014, Anatole Tresch <atsticks_at_gmail.com> wrote:

> Hi Arjan
>
> from my experience I agree this would be a very useful feature. It would
> also help to add something like @UserScoped as CDI context, which can help
> in improving a lot of things. E.g. it is possible to organize data that can
> be shared across multiple sessions in web applications, but nevertheless be
> isolated on user level. Also we have use cases where changes in the
> security context would be very useful to be determined by listening to
> events.
>
> Best,
> Anatole
>
>
> 2014-11-07 14:54 GMT+01:00 arjan tijms <arjan.tijms_at_gmail.com>:
>
>> Hi,
>>
>> A while ago I created https://java.net/jira/browse/JASPIC_SPEC-21
>> (Support for events). The idea there is that the authentication system
>> throws several events at various stages of the authentication process.
>>
>> Via this basic and general mechanism a lot of higher level features
>> could be realized by applications, such as keeping track of logged-in
>> users, protecting against brute force attacks, increasing the session
>> time-out after a user logs in and more.
>>
>> Now there are quite a number of areas of the Java EE security system
>> that could use attention and some of that has been discussed before,
>> but I don't think this relatively simple but powerful mechanism has
>> seen much discussion yet.
>>
>> Therefore I was wondering what people think about this.
>>
>> Kind regards,
>> Arjan Tijms
>>
>> p.s.
>>
>> Since there's no Security JSR yet (and thus no associated mailing
>> list) I posted this to the Java EE user's list, which I hope is the
>> next best place to discuss this.
>>
>
>
>
> --
> *Anatole Tresch*
> Java Engineer & Architect, JSR Spec Lead
> Glärnischweg 10
> CH - 8620 Wetzikon
>
> *Switzerland, Europe Zurich, GMT+1*
> *Twitter: @atsticks*
> *Blogs: http://javaremarkables.blogspot.ch/*
>
> *Google: atsticks*
> *Mobile +41-76 344 62 79*
>
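
Added example, not part of the original thread and not an existing Java EE, JASPIC or CDI API: a sketch of how the brute-force protection mentioned in the first message could be built on authentication events. The class name, the three callback methods and the policy constants are all hypothetical; a container would invoke the callbacks from whatever event mechanism (Servlet listener, CDI event or other) is eventually chosen.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical listener: none of these callbacks exist in JASPIC, Servlet or CDI today.
public class LoginThrottle {
    static final int MAX_FAILURES = 3;       // assumed policy: failures before a lock
    static final long LOCK_MILLIS = 60_000;  // assumed policy: lock duration

    // Immutable per-caller state, so readers never see a half-updated value.
    private static final class State {
        final int failures;
        final long lockedUntil;
        State(int failures, long lockedUntil) {
            this.failures = failures;
            this.lockedUntil = lockedUntil;
        }
    }

    private final Map<String, State> byCaller = new ConcurrentHashMap<>();

    // Would be called for a "authentication failed" event.
    public void onAuthenticationFailed(String caller, long now) {
        byCaller.compute(caller, (key, old) -> {
            int failures = (old == null ? 0 : old.failures) + 1;
            long lockedUntil = (old == null ? 0 : old.lockedUntil);
            return failures >= MAX_FAILURES
                    ? new State(0, now + LOCK_MILLIS)   // start a lock, reset the counter
                    : new State(failures, lockedUntil);
        });
    }

    // Would be called for a "authenticated" event: a success clears the history.
    public void onAuthenticated(String caller) {
        byCaller.remove(caller);
    }

    // Consulted by the authentication module before credentials are validated.
    // Keying on the caller name alone lets anyone lock a known account, so a
    // real policy would usually combine it with the source address.
    public boolean isLocked(String caller, long now) {
        State s = byCaller.get(caller);
        return s != null && now < s.lockedUntil;
    }

    public static void main(String[] args) {
        LoginThrottle throttle = new LoginThrottle();
        long now = 0;  // constructed timeline in milliseconds
        for (int i = 0; i < MAX_FAILURES; i++) throttle.onAuthenticationFailed("alice", now += 1000);
        System.out.println("locked right after failures: " + throttle.isLocked("alice", now));
        System.out.println("locked after lock expires:   " + throttle.isLocked("alice", now + LOCK_MILLIS));
    }
}
```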