users@servlet-spec.java.net

[servlet-spec users] Re: Standardizing authentication modules in Servlet (via JASPIC)?

From: Mark Thomas <markt_at_apache.org>
Date: Fri, 24 Oct 2014 08:17:23 +0100

On 23/10/2014 21:52, arjan tijms wrote:
> Hi,
>
> In section 13.6 of the Servlet 3.1 specification authentication
> mechanisms are described. The spec first describes 4 specific
> mechanisms and then in 13.6.5 describes that Servlet containers
> *should* provide interfaces for additional authentication mechanisms.
>
> As far as I know, every Servlet container indeed offers these, but
> they are not necessarily standardized ones. Interestingly, 13.6.5 then
> goes on to say that it's *recommended* that Servlet containers use the
> Servlet Container Profile of the Java Authentication SPI for
> Containers (aka JASPIC, i.e. JSR 196).
>
> I wonder if this could be taken one step further by making
> implementing the above mentioned Servlet Container Profile mandatory?
>
> This is not a major new functionality, but doing something that all
> containers are already doing, only now in a standard way.
>
> A reasonable number of Servlet containers (specifically those that are
> predominantly used in full Java EE products) already support JASPIC,
> so for those the change will have little or no practical impact. For
> some other Servlet containers there's occasionally some level of
> support available as well (see e.g.
> http://stackoverflow.com/questions/14224792/how-to-use-jaspi-jaspic-on-jetty
> for Jetty). With regard to Tomcat, there's an implementation done for
> Geronimo that according to the author (David Jencks) should be pretty
> easy to adapt to Tomcat.
>
> This topic also came up a year ago on both the TomEE and Tomcat
> mailing lists (see
> http://tomee-openejb.979440.n4.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-TomEE-td4660480.html
> and http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-td4993387.html).
> Responses there were fairly positive; with Mark and David eventually
> saying:
>
> DB> If you wanted to roll up your sleeves, we'd be more than happy to
> see [Geronimo's JASPIC] ported or reimplemented in TomEE.
> M> or Tomcat :)

That is taking what I said rather out of context.

I recommend that folks read the entire discussion, but the short version
is that there is very, very little user demand for it. To date, Arjan is
the only Tomcat user asking for JASPIC support in Tomcat.

Comparing this to WebSocket, we saw much, much more demand for WebSocket
but no-one is talking about making WebSocket support mandatory for a
Servlet container.

I remain of the opinion that JASPIC support should be optional for a
Servlet container.

Mark


>
> Having portable auth modules available is not only a concern for pure
> Servlet, but is a topic that also frequently comes up when it comes to
> securing JAX-RS endpoints. The following is an excellent example of a
> server auth module that works great with JAX-RS, but unfortunately can
> only be used on full Java EE implementations now:
> http://trajano.net/2014/07/oauth-2-0-jaspic-implementation
>
> I think there thus seems to be a reasonable precedent for this feature.
>
> Kind regards,
> Arjan Tijms
>