users@servlet-spec.java.net

[servlet-spec users] request#authenticate - start new vs continue

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Wed, 20 Apr 2016 00:17:36 +0200

Hi,

The Servlet specification currently has a HttpServletRequest#authenticate()
method. Its Javadoc says:

"Use the container login mechanism configured for the ServletContext to
authenticate the user making this request."

It doesn't explicitly say it with so many words, but in practice this boils
down to a *mandated* authentication (the "login mechanism" must
authenticate) and it's implicitly taken to start a *new* authentication
dialog/interaction with the caller.

I found however that there's also a use case where the application needs to
indicate that an existing authentication dialog should be *continued*.
Often this is in combination with the application providing some data
(typically credentials).

E.g.

* Caller accesses protected resource
* Authentication mechanism forwards to login page
* Login page posts back to itself
* The application runs validators on the postback (e.g. using bean
validation)
* The application wants to signal the authentication mechanism to continue
the authentication process with the (validated) data

The following code shows an example of this:
https://github.com/javaee-security-spec/soteria/blob/master/test/app-mem-customform/src/main/java/test/LoginBacking.java#L76

Now in JSR 375 we can work around this somewhat by wrapping
request#authenticate and setting some flags as request attributes, but I
think this use case may potentially warrant being pushed down the Servlet
spec.

This would mean a new method or methods, along the lines of a
HttpServletRequest#authenticateContinue(Map<String, Object> parameters) and
HttpServletRequest#authenticateNew(Map<String, Object> parameters), or
perhaps HttpServletRequest#authenticate(boolean newAuth, Map<String,
Object> parameters), etc.

Thoughts?

Kind regards,
Arjan Tijms