[undertow-dev] CachedAuthenticatedSessionMechanism should return NOT_ATTEMPTED?
Darran Lofthouse
darran.lofthouse at jboss.com
Mon Mar 3 08:35:34 EST 2014
I think the problem here is that if we return NOT_ATTEMPTED in some scenarios where a user was previously authenticated against a web app, this could be quietly lost.
Returning NOT_AUTHENTICATED on the other hand forces the challenge phase again.
Is caching against the session really the correct approach for your mechanism? For a number of mechanisms, caching against the session is actually a bad habit carried over from Tomcat; instead, alternative caching should be employed to optimise subsequent authentication token validation.
The places where we do need to cache against the session are the form-based authentication mechanisms, as not caching would result in a prompt to the user on every request; for other mechanisms, where we have tokens coming from the browser, we don't cache against the session.
Regards,
Darran Lofthouse.
On 01/03/14 00:39, Bill Burke wrote:
> If IdentityManager.verify(Account) returns null, shouldn't
> CachedAuthenticatedSessionMechanism return NOT_ATTEMPTED instead of
> aborting and returning 403/NOT_AUTHENTICATED? I was expecting that
> returning null would start the auth process again.
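The outcome choice discussed in this thread, as an added illustration that is not Undertow's own CachedAuthenticatedSessionMechanism: a hypothetical session-backed mechanism that returns NOT_ATTEMPTED only when nothing is cached, and NOT_AUTHENTICATED (forcing a fresh challenge) when a previously cached Account fails IdentityManager.verify. It assumes the Undertow 1.0-era API (AuthenticationMechanism, AuthenticatedSessionManager as an exchange attachment, SecurityContext, IdentityManager); the class and mechanism name are invented.

```java
// Added example, not Undertow project code. Assumes the Undertow 1.0-era
// security API; SessionBackedMechanism and its mechanism name are hypothetical.
import io.undertow.security.api.AuthenticatedSessionManager;
import io.undertow.security.api.AuthenticatedSessionManager.AuthenticatedSession;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;

public class SessionBackedMechanism implements AuthenticationMechanism {

    private static final String MECHANISM_NAME = "SESSION_BACKED"; // hypothetical

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange,
                                                       SecurityContext securityContext) {
        AuthenticatedSessionManager sessions =
                exchange.getAttachment(AuthenticatedSessionManager.ATTACHMENT_KEY);
        AuthenticatedSession cached = sessions == null ? null : sessions.lookupSession(exchange);

        if (cached == null) {
            // Nothing cached for this client: this mechanism made no attempt,
            // so the next mechanism in the chain gets its turn.
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        // Re-verify the cached Account with the IdentityManager on every request;
        // the session only records who was authenticated, not that they still are.
        Account verified = securityContext.getIdentityManager().verify(cached.getAccount());
        if (verified != null) {
            securityContext.authenticationComplete(verified, cached.getMechanism(), false);
            return AuthenticationMechanismOutcome.AUTHENTICATED;
        }

        // The user was authenticated earlier but the IdentityManager no longer
        // accepts the Account. Drop the stale entry and fail explicitly:
        // NOT_AUTHENTICATED forces the challenge phase, whereas NOT_ATTEMPTED
        // would let the request continue as if no credentials had been presented.
        sessions.clearSession(exchange);
        securityContext.authenticationFailed("Cached account no longer valid", MECHANISM_NAME);
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        // The mechanism that populated the session (e.g. FORM) owns the challenge.
        return new ChallengeResult(false);
    }
}
```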