Hi,
Currently the Javadoc for HttpServletRequest#authenticate states the
following for the return value:
"true when non-null values were or have been established as the values
returned by getUserPrincipal, getRemoteUser, and getAuthType. Return
false if authentication is incomplete and the underlying login
mechanism has committed, in the response, the message (e.g.,
challenge) and HTTP status code to be returned to the user."
See
https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#authenticate(javax.servlet.http.HttpServletResponse)
Simplified, that's:
true -> authentication has happened
false -> authentication is in progress and something has been
committed to the response
This however leaves out one important case, and that's when the using
code wants to pre-emptively trigger authentication, but the auth
module decides to "do nothing" (which, depending on its policy, can be
a valid action).
Most servlet containers I tested just return false when "nothing" has
happened, but to the letter of the spec this seems to be not entirely
correct. At least one servlet container has tried to implement the
spec more correctly, and has interpreted that the requirement is here
to throw a ServletException following its Javadoc:
"ServletException - if the authentication failed and the caller is
responsible for handling the error (i.e., the underlying login
mechanism did NOT establish the message and HTTP status code to be
returned to the user)"
But IMHO, this is not entirely in the spirit of the spec either.
Authentication did not "fail" and there is no "error". The auth module,
completely within its rights, chose to do nothing.
I wonder if anyone can suggest a way to improve this?
Redefine the false outcome to just say authentication did not happen? I.e.
return true -> authentication has happened
return false -> authentication did not happen
Or introduce a new authenticate method returning say an enum:
AUTHENTICATED -> authentication has happened
IN_PROGRESS -> authentication is incomplete
DID_NOTHING -> auth module decided to do nothing
Or ... ?
Kind regards,
Arjan Tijms
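As an added example (not code from the original post or from any servlet container), here is how calling code could model the three-way outcome proposed above on top of today's boolean API. It assumes the auth module commits the response when it writes a challenge, as the Javadoc phrases it; a module that only sets a status without committing would be classified as "did nothing". The AuthOutcome enum and the servlet are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PreemptiveAuthServlet extends HttpServlet {

    // Hypothetical: mirrors the enum suggested in the post; not part of the Servlet API.
    enum AuthOutcome { AUTHENTICATED, IN_PROGRESS, DID_NOTHING }

    static AuthOutcome triggerAuthentication(HttpServletRequest request,
                                             HttpServletResponse response)
            throws IOException, ServletException {
        if (request.authenticate(response)) {
            return AuthOutcome.AUTHENTICATED;
        }
        // The boolean alone cannot separate the two "false" cases, so look at
        // whether the auth module actually committed a challenge/status to the response.
        return response.isCommitted() ? AuthOutcome.IN_PROGRESS : AuthOutcome.DID_NOTHING;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        AuthOutcome outcome;
        try {
            outcome = triggerAuthentication(request, response);
        } catch (ServletException e) {
            // A container following the strict reading quoted in the post throws here
            // instead of returning false; either way the caller now owns the response.
            outcome = AuthOutcome.DID_NOTHING;
        }
        switch (outcome) {
            case AUTHENTICATED:
                response.getWriter().println("Hello " + request.getUserPrincipal().getName());
                break;
            case IN_PROGRESS:
                // The auth module already wrote its challenge; leave the response alone.
                break;
            case DID_NOTHING:
                // Nothing was established or committed: refuse access ourselves.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                break;
        }
    }
}
```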