users@servlet-spec.java.net

[servlet-spec users] Re: Clarify / improve HttpServletRequest#authenticate?

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Thu, 27 Nov 2014 13:50:10 +0100

Hi,

On Thu, Nov 27, 2014 at 11:53 AM, Mark Thomas <markt_at_apache.org> wrote:
> Do we want to add some clarification in the spec on this? Currently the
> expected behaviour when a user agent pre-emptively sends credentials for
> an unprotected resource is undefined.

In JASPIC at least this actually is defined. It basically boils down
to the spec saying:

* An auth module should always be called for each request, whether the
resource is protected or not, and whether the user previously
authenticated within the http session or not.
* An auth module is allowed to opt-out of authentication, e.g. "doing nothing"

With regard to pre-emption, there are two cases:

* A user agent pre-emptively sends credentials and the auth module
that's invoked prior to the resource invocation can opt to process
these
* User code in a Servlet pre-emptively sets credentials (e.g. as
request attributes) and calls request.authenticate, upon which the
(same) auth module can opt to process these again

> Should we define the expected
> behaviour, define the options but leave the implementation to the
> implementor, define the options add something to web.xml to standardise
> configuration, something else...

I would say define the expected behaviour, and link to or align
with JASPIC wherever appropriate.

> I don't think we can re-define the meanings of the return values. That
> might break stuff. (Generally, I'm happy to deprecate and then remove
> features even though that might break very old stuff but experience
> tells me that the JavaEE folks view that as a no go.)

That's indeed true. The slightest theoretical breakage of old stuff is
often viewed as a no go.

I should do some testing myself, but I wonder, does anyone already
know if there are or were any servers out there besides Undertow
1.1.0+ that actually throw an exception when the result of
request.authenticate() is that "nothing happened"?

>> Or introduce a new authenticate method returning say an enum:
>>
>> AUTHENTICATED -> authentication has happened
>> IN_PROGRESS -> authentication is incomplete
>> DID_NOTHING -> auth module decided to do nothing
>>
>> Or ... ?
>
> It depends on what we want to do about pre-emptive authentication for
> unprotected resources. Depending on how we opt to treat that, we might
> not need a new method.

Okay, so let's see what happens in that discussion first then.

Kind regards,
Arjan Tijms
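The two pre-emptive cases listed in the reply above (a user agent sending credentials for an unprotected resource, and Servlet code storing credentials as request attributes and calling request.authenticate) and the "opt out / do nothing" behaviour of a JASPIC auth module, as an added example. This is not code from the thread, from the Servlet or JASPIC specifications, or from any container; the attribute names, the realm name, the in-memory user store and the Servlet are assumptions made for illustration. The isMandatory key is the one JASPIC defines in the MessageInfo map for protected resources.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Illustrative ServerAuthModule (added example; not from the thread or the JASPIC spec).
// The container invokes validateRequest() for every request, protected or not. Credentials
// may arrive pre-emptively from the user agent (Basic header) or from a Servlet that stored
// them as request attributes and called request.authenticate(). With neither present on an
// unprotected resource the module "does nothing".
public class OptOutAuthModule implements ServerAuthModule {

    // Hypothetical attribute names (assumption) shared with the Servlet below.
    public static final String ATTR_USER = "example.auth.user";
    public static final String ATTR_PASSWORD = "example.auth.password";
    // Spec-defined MessageInfo map key: "true" when the target resource is protected.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Constructed in-memory user store, for the example only.
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret"); }

    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) { handler = h; }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = "true".equals(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        // Case 2 first (Servlet + request.authenticate()), then case 1 (user agent pre-empts).
        String[] creds = fromAttributes(request);
        if (creds == null) creds = fromBasicHeader(request);

        if (creds == null) {
            if (!mandatory) return doNothing(clientSubject);  // opt out: unprotected, nothing to process
            response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;                   // challenge issued; auth incomplete
        }
        if (!creds[1].equals(USERS.get(creds[0]))) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;                    // credentials present but wrong
        }
        handle(new CallerPrincipalCallback(clientSubject, creds[0]),
               new GroupPrincipalCallback(clientSubject, new String[] { "user" }));
        return AuthStatus.SUCCESS;
    }

    // "Doing nothing": a null caller tells the container to establish the
    // unauthenticated identity; the request then proceeds to the resource.
    private AuthStatus doNothing(Subject clientSubject) throws AuthException {
        handle(new CallerPrincipalCallback(clientSubject, (Principal) null));
        return AuthStatus.SUCCESS;
    }

    private void handle(Callback... callbacks) throws AuthException {
        try { handler.handle(callbacks); }
        catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
    }

    private static String[] fromAttributes(HttpServletRequest request) {
        Object user = request.getAttribute(ATTR_USER), password = request.getAttribute(ATTR_PASSWORD);
        return (user instanceof String && password instanceof String)
                ? new String[] { (String) user, (String) password } : null;
    }

    private static String[] fromBasicHeader(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String[] parts = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                        StandardCharsets.UTF_8).split(":", 2);
            return parts.length == 2 ? parts : null;
        } catch (IllegalArgumentException badBase64) { return null; }  // malformed: treat as absent
    }

    @Override public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { if (s != null) s.getPrincipals().clear(); }

    // Second pre-emptive case: user code stores credentials and calls request.authenticate(),
    // which re-invokes the same module. The boolean alone cannot distinguish "authenticated"
    // from "module did nothing" (the gap under discussion), so the principal is checked too.
    public static class PreemptiveLoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            request.setAttribute(ATTR_USER, request.getParameter("user"));
            request.setAttribute(ATTR_PASSWORD, request.getParameter("password"));
            boolean result = request.authenticate(response);
            Principal caller = request.getUserPrincipal();
            response.getWriter().printf("authenticate()=%b caller=%s%n", result,
                    caller == null ? "none" : caller.getName());
        }
    }
}
```

Registering the module with a container (AuthConfigProvider, ServerAuthConfig, ServerAuthContext) is container-specific and omitted here. Note that the Servlet deliberately inspects request.getUserPrincipal() after request.authenticate(): which boolean (or exception, as the reply mentions for Undertow 1.1.0+) the container produces when the module takes the doNothing path is exactly what the thread says is currently unspecified, so the example does not rely on it.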