Support for events #21

Open
glassfishrobot opened this issue Apr 30, 2013 · 5 comments

@glassfishrobot

For several use cases it would be quite convenient if JASPIC would throw events at several important moments of the authentication message exchange.

Such events could be:

  • PreAuthenticate
  • PostAuthenticate
  • PreLogout
  • PostLogout

User code could possibly register for such events in the same way such code can register for events from the Servlet container; annotating the listener class and implementing an interface.

E.g.

@SecurityListener
public class MyListener implements AuthenticationListener  {

    public void preAuthenticate(AuthEvent authEvent) {
        // ...
    }

    public void postAuthenticate(AuthEvent authEvent) {
        // ...
    }
}

Additionally, CDI-style events can be supported as well.

Use cases for such event listeners are among others:

  • Keeping track of the number of logged-in users
  • Protecting against brute-force attacks by keeping count of failed login attempts for a certain account
  • Creating a new local user after the first successful authentication via a remote authentication provider
  • Loading application-specific preferences into the HTTP session after a user logs in

Specifically for the second use case, a PreAuthenticate listener should be able to veto the authentication attempt (at which JASPIC could respond by e.g. sending a 403 to the client).
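
An added illustration of the brute-force use case and the veto described in the issue above (not code from the issue, from JASPIC, or from any implementation): a listener that counts failed logins per account and vetoes further attempts inside a lockout window. `AuthEvent` and `AuthenticationListener` exist only as a proposal on this page, so the methods shown on them (`getUsername`, `isSuccess`, `veto`) and the policy constants are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical shapes for the proposed API; none of this is part of JASPIC.
interface AuthEvent {
    String getUsername();  // assumed: the identity the caller claims
    boolean isSuccess();   // assumed: outcome, meaningful only after authentication
    void veto();           // assumed: asks the runtime to reject the attempt (e.g. with a 403)
}

interface AuthenticationListener {
    void preAuthenticate(AuthEvent e);
    void postAuthenticate(AuthEvent e);
}

public class LockoutListener implements AuthenticationListener {
    private static final int MAX_FAILURES = 5;                     // constructed policy value
    private static final Duration WINDOW = Duration.ofMinutes(15); // constructed policy value

    private record Failures(int count, Instant first) {}
    private final ConcurrentHashMap<String, Failures> failures = new ConcurrentHashMap<>();

    @Override
    public void preAuthenticate(AuthEvent e) {
        String key = key(e.getUsername());
        Failures f = failures.get(key);
        if (f == null) return;
        if (f.first().plus(WINDOW).isBefore(Instant.now())) {
            failures.remove(key, f);      // window expired: forget the old failures
        } else if (f.count() >= MAX_FAILURES) {
            e.veto();                     // locked out: reject before credentials are checked
        }
    }

    @Override
    public void postAuthenticate(AuthEvent e) {
        String key = key(e.getUsername());
        if (e.isSuccess()) { failures.remove(key); return; }
        Instant now = Instant.now();
        // Start a new window if the old one expired, otherwise increment atomically.
        failures.merge(key, new Failures(1, now), (old, one) ->
            old.first().plus(WINDOW).isBefore(now) ? one : new Failures(old.count() + 1, old.first()));
    }

    // Normalise so "Alice" and " alice " share one counter.
    private static String key(String username) {
        return username == null ? "" : username.trim().toLowerCase(Locale.ROOT);
    }
}
```

The map is keyed by caller-supplied usernames, so a real deployment would bound its size and evict old entries. A per-account lockout also lets anyone who knows a username lock that account out, which is why it is usually combined with per-source throttling.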

@glassfishrobot Commented
Reported by arjan_t

@glassfishrobot Commented
kithouna said:
Another use case: increase the HTTP session timeout after a user logs in. The AuthEvent should therefore give access to the JASPIC request/response.

@glassfishrobot Commented
paulkmoore said:
Another use case: allow the customisation of HTTP responses (e.g. www-authenticate) that are handled exclusively by the servlet container pre-application instantiation e.g. JAX-RS SPI

@glassfishrobot Commented
This issue was imported from java.net JIRA JASPIC_SPEC-21
