<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBoss AS7: Enabling JASPI Authentication for Web Applications
</h3>
<span style="margin-bottom: 10px;">
new comment by <a href="https://community.jboss.org/people/atijms">arjan tijms</a> <a href="https://community.jboss.org/docs/DOC-17782#comment-11498">View all comments on this document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Ron, thank you so much for the response!</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Indeed, <span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">HttpServletRequest.authenticate works. I tested this using JBoss EAP 6.0.1, WebLogic 12.1.1, and GlassFish 3.1.2.2.</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">It would help a lot of the next MR to the spec would state this explicitly. Are there already any plans for this MR? And being a MR, will there be some sort of open tracker where one can submit issues?</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><blockquote class="jive-quote"><p><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> ValidateRequest should not be called under HttpServletRequest.login mostly because login presumes a user name/password authentication mechanism (which may not be compatible with the configured auth context). </span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p>
                    </blockquote><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Indeed, but that holds for proprietary login modules as well, doesn't it? The contract on HttpServletRequest.login already mentions something along those lines:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><em>"This method returns without throwing a ServletException when the login mechanism configured for the ServletContext supports username password validation"</em></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><blockquote class="jive-quote"><p><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">I will think about how that might be possible</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p>
                    </blockquote><p><em><br/></em></p><p><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Thanks again, it will be interesting to see what the options here are.</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">If for some reason it really is not possible to handle HttpServletRequest.login with JSR 196, then maybe an exception should be thrown instead if jsr 196 is configured for the app? </span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">What happens now is that the call silently goes to a completely different login module. If this login module happened to store the username/password that the user is trying to authenticate with, he/she will be totally unexpected and silently authenticated with the wrong login module.<br/></span></p></div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>