Ability for application to choose authentication method at runtime #16
Assignees
Labels
Comments
|
@glassfishrobot Commented |
|
@glassfishrobot Commented |
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Java EE and specifically in JASPIC there is somewhat of the assumption that a single authentication method is configured (in many cases even mostly outside the application).
While for some classes of applications this has clear benefits, it doesn't particularly play nice with the increasingly popular practice that web applications offer their users a choice for their login method.
For instance, stackoverflow.com currently displays the following login choices:
See http://stackoverflow.com/users/login
To make it to implement this use case I would like to request that JASPIC adds some level of support for this.
One way to do this could be via the existing authentication context and perhaps via the concept of having different "authentication stacks". (Note that #15 is related to this, but instead asks how auth modules in a single stack interact)
With this concept, each such stack (possibly consisting of only a single SAM) is named and corresponds with an authentication mechanism (e.g. "native form", or "OpenId-Wordpress", etc).
For the Web Profile the application can then programmatically set an authentication mechanism for the current session by calling a variant on the request#authenticate method, e.g. request#authenticateWith(String, Request, Response), where the provided String parameter is a name that corresponds with one of the pre-configured stacks. Such a new method would require coordination with the Servlet spec of course.
The text was updated successfully, but these errors were encountered: