Hi,
In section 13.6 of the Servlet 3.1 specification, authentication
mechanisms are described. The spec first describes 4 specific
mechanisms and then in 13.6.5 describes that Servlet containers
*should* provide interfaces for additional authentication mechanisms.
As far as I know, every Servlet container indeed offers these, but
they are not necessarily standardized ones. Interestingly, 13.6.5 then
goes on to say that it's *recommended* that Servlet containers use the
Servlet Container Profile of the Java Authentication SPI for
Containers (aka JASPIC, i.e. JSR 196).
I wonder if this could be taken one step further by making
implementing the above-mentioned Servlet Container Profile mandatory?
This is not a major new functionality, but doing something that all
containers are already doing, only now in a standard way.
A reasonable amount of Servlet containers (specifically those that are
predominantly used in full Java EE products) already support JASPIC,
so for those the change will have little or no practical impact. For
some other Servlet containers there's occasionally some level of
support available as well (see e.g.
http://stackoverflow.com/questions/14224792/how-to-use-jaspi-jaspic-on-jetty
for Jetty). With regard to Tomcat, there's an implementation done for
Geronimo that according to the author (David Jencks) should be pretty
easy to adapt to Tomcat.
This topic also came up a year ago on both the TomEE and Tomcat
mailing lists (see
http://tomee-openejb.979440.n4.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-TomEE-td4660480.html
and
http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-td4993387.html).
Responses there were fairly positive, with Mark and David eventually
saying:
DB> If you wanted to roll up your sleeves, we'd be more than happy to
see [Geronimo's JASPIC] ported or reimplemented in TomEE.
M> or Tomcat :)
Having portable auth modules available is not only a concern for pure
Servlet, but is a topic that also frequently comes up when it comes to
securing JAX-RS endpoints. The following is an excellent example of a
server auth module that works great with JAX-RS, but unfortunately can
only be used on full Java EE implementations now:
http://trajano.net/2014/07/oauth-2-0-jaspic-implementation
I think there thus seems to be a reasonable precedent for this feature.
Kind regards,
Arjan Tijms
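To make concrete what a portable auth module under the JASPIC Servlet Container Profile looks like, here is a minimal bearer-token ServerAuthModule. This is an added illustration, not code from the message above nor from any of the projects or links it mentions (Geronimo, Jetty, Tomcat, TomEE, or the linked OAuth 2.0 module). It assumes the javax.security.auth.message (JASPIC 1.1) and javax.servlet APIs; the class name, the "user" group and the token map are hypothetical, constructed values standing in for the token validation a real module would do against an authorization server.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical bearer-token ServerAuthModule for the JASPIC Servlet Container Profile.
 * Added example; not from the original message or any project it mentions.
 */
public class BearerTokenServerAuthModule implements ServerAuthModule {

    // Key the container puts in MessageInfo's map to say whether the resource is protected.
    private static final String IS_MANDATORY =
        "javax.security.auth.message.MessagePolicy.isMandatory";

    // Constructed sample token store (opaque token -> caller name). A real module would
    // validate the token with an authorization server instead of a static map.
    private static final Map<String, String> TOKENS = new HashMap<String, String>();
    static {
        TOKENS.put("constructed-token-alice", "alice");
    }

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // container-supplied; used to hand the caller identity back
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String caller = callerForToken(bearerToken(request.getHeader("Authorization")));
        if (caller != null) {
            notifyContainer(clientSubject, caller, new String[] { "user" });
            return AuthStatus.SUCCESS;
        }

        // Unprotected resources proceed anonymously; the profile still expects a
        // CallerPrincipalCallback with a null name so the container knows that.
        boolean mandatory = Boolean.parseBoolean(
            String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        if (!mandatory) {
            notifyContainer(clientSubject, null, null);
            return AuthStatus.SUCCESS;
        }

        // Protected resource and no valid token: challenge and stop the request here.
        response.setHeader("WWW-Authenticate", "Bearer realm=\"example\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS; // nothing to add to the response for bearer auth
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear(); // drop the identity on logout
    }

    /** Extracts the token from "Authorization: Bearer <token>", or null if absent. */
    static String bearerToken(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        String token = authorization.substring(7).trim();
        return token.isEmpty() ? null : token;
    }

    /** Maps a presented token to a caller name using a constant-time comparison. */
    static String callerForToken(String presented) {
        if (presented == null) {
            return null;
        }
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        for (Map.Entry<String, String> e : TOKENS.entrySet()) {
            // MessageDigest.isEqual does not short-circuit, so timing does not reveal prefixes.
            if (MessageDigest.isEqual(p, e.getKey().getBytes(StandardCharsets.UTF_8))) {
                return e.getValue();
            }
        }
        return null;
    }

    private void notifyContainer(Subject subject, String caller, String[] groups)
            throws AuthException {
        try {
            if (caller == null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(subject, (String) null) });
            } else {
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(subject, caller),
                    new GroupPrincipalCallback(subject, groups) });
            }
        } catch (Exception e) { // IOException or UnsupportedCallbackException
            AuthException ae = new AuthException(e.getMessage());
            ae.initCause(e);
            throw ae;
        }
    }
}
```

The container wires this module in through an AuthConfigProvider registered with AuthConfigFactory for the "HttpServlet" layer and the application's context; that registration step, and whether it is exposed portably, is exactly the part that today differs between full Java EE containers and standalone Servlet containers, which is what the proposal above is about. The module itself only ever talks to the container through the CallbackHandler, so the same class can run unchanged on any container that implements the profile.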