Hi,
I can't find much, if anything, in the spec about whether a ServletRequestListener
is supposed to be invoked before or after an authentication module. More
specifically, before or after a JASPIC SAM is invoked, but the question is
just as interesting for native authentication mechanisms.
Currently the spec (via its javadoc) says:
"Interface for receiving notification events about requests coming
into and going out of scope of a web application."
In case of a Servlet Profile JASPIC SAM, it's an application level
component that gets to see the request.
However, the following paragraph doesn't fit:
"A ServletRequest is defined as coming into scope of a web
application when it is about to enter the first servlet or filter
of the web application, and as going out of scope as it exits
the last servlet or the first filter in the chain."
This is problematic, since a SAM is invoked before the first servlet or
filter, and again after the last servlet or filter.
I tested this on 3 well known servers (by adding a RequestListener and a
couple of System.out lines to the SAM used here:
https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/basic-authentication)
and the results were as follows:
WLS 12.1.3:
  1. SAM called
  2. RequestListener called

JBoss Wildfly 8.2:
  1. RequestListener called
  2. SAM called

GlassFish 4.1:
  1. RequestListener called
  2. SAM called
So GlassFish and JBoss invoke the ServletRequestListener BEFORE a
ServerAuthenticationModule (SAM) while WebLogic does so AFTER.
Clearly, having Java EE implementations do things differently here is not
ideal.
I would like to propose that RequestListeners be invoked before a SAM is
invoked.
Thoughts?
Kind regards,
Arjan Tijms