users@servlet-spec.java.net

[servlet-spec users] Re: RequestListeners invoked before or after authentication modules?

From: Ron Monzillo <ron.monzillo_at_oracle.com>
Date: Wed, 25 Mar 2015 17:04:19 -0400

Hi Arjan,

The request needs to be initialized before the SAM is invoked; otherwise
the SAM will not be able to do its job.

The Servlet Spec doesn't get specific about when SAMs must be invoked.
IOW, the request must have been initialized,
but perhaps the initialized event could be delayed until after the SAM
is called. If this needs to be specified, I would
expect it would belong in the Servlet Profile of JSR 196.

It may be worth noting that a RequestListener that is invoked before the
configured authentication mechanism (in this case
a SAM), could be invoking application code before the request has been
authorized by the container.
Moreover, such a listener would not be able to do things like log the
authentication identity established for the request...
but that is something that could be done within the authentication
mechanism.

Is it sufficient to establish that the servlet request must have been
initialized before the SAM is invoked?

I suggest we move this discussion off the Servlet list.
Ron

On 3/25/15 10:29 AM, arjan tijms wrote:
> Hi,
>
> I can't find much if anything in the spec whether a
> ServletRequestListener is supposed to be invoked before or after an
> authentication module. More specifically before or after a JASPIC SAM
> is invoked, but the question is interesting for native authentication
> mechanisms just as well.
>
> Currently the spec (via its javadoc) says:
>
> "Interface for receiving notification events about requests coming
> into and going out of scope of a web application."
>
> In case of a Servlet Profile JASPIC SAM, it's an application level
> component that gets to see the request.
>
> However, the following paragraph doesn't fit:
>
> "A ServletRequest is defined as coming into scope of a web
> application when it is about to enter the first servlet or filter
> of the web application, and as going out of scope as it exits
> the last servlet or the first filter in the chain."
>
> This is problematic, since a SAM is invoked before the first servlet
> or filter, and again after the last servlet or filter.
>
> I tested this on 3 well known servers (by adding a RequestListener and
> a couple of System.out lines to the SAM used here:
> https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/basic-authentication)
> and the results were as follows:
>
> WLS 12.1.3
> SAM called
> RequestListener called
>
> JBoss Wildfly 8.2
> RequestListener called
> SAM called
>
> GlassFish 4.1
> RequestListener called
> SAM called
>
> So GlassFish and JBoss invoke the ServletRequestListener BEFORE a
> ServerAuthenticationModule (SAM) while WebLogic does so AFTER.
>
> Clearly having Java EE implementations doing things differently here
> is not ideal.
>
> I would like to propose that RequestListeners are invoked before a SAM
> is invoked.
>
> Thoughts?
>
> Kind regards,
> Arjan Tijms
>
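As an added illustration of Ron's point (this is example code written for this page, not code from the thread or from the javaee7-samples project), a ServletRequestListener that does not assume the caller has been authenticated when requestInitialized fires, since on some of the tested containers that callback runs before the SAM. The class and attribute names are assumptions.

```java
import java.security.Principal;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not part of the original thread). Records whether a caller
 * identity is already established when requestInitialized runs. On a container
 * that fires the listener before the SAM, getUserPrincipal() is null here; on
 * one that fires it after, the principal set by the SAM is visible. Either way
 * the listener never treats the request as authorized at this point.
 */
@WebListener
public class AuthAwareRequestListener implements ServletRequestListener {

    // Assumed attribute name, used to carry the observation to requestDestroyed.
    static final String PRINCIPAL_SEEN_AT_INIT = "example.principalSeenAtInit";

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        HttpServletRequest request = (HttpServletRequest) sre.getServletRequest();
        Principal principal = request.getUserPrincipal();
        // Do not invoke application code here that assumes an authorized caller:
        // depending on the container, the SAM may not have run yet.
        request.setAttribute(PRINCIPAL_SEEN_AT_INIT, principal != null);
        System.out.println("requestInitialized: principal="
            + (principal == null ? "<not established>" : principal.getName()));
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        HttpServletRequest request = (HttpServletRequest) sre.getServletRequest();
        Principal principal = request.getUserPrincipal();
        boolean seenAtInit =
            Boolean.TRUE.equals(request.getAttribute(PRINCIPAL_SEEN_AT_INIT));
        // By now the filter/servlet chain has completed, so the SAM's
        // validateRequest has had its chance to run; identity-dependent logging
        // is safer here, or inside the authentication mechanism itself.
        System.out.println("requestDestroyed: principal="
            + (principal == null ? "<none>" : principal.getName())
            + ", principal visible at requestInitialized=" + seenAtInit);
    }
}
```

A null principal at requestInitialized can mean either that the listener ran before the SAM or that the request was simply not authenticated, so the listener records the observation rather than drawing a conclusion from it.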