arjan tijms [https://community.jboss.org/people/atijms] commented on the document
"JBoss AS7: Enabling JASPI Authentication for Web Applications"
To view all comments on this document, visit:
https://community.jboss.org/docs/DOC-17782#comment-11498
--------------------------------------------------
Ron, thank you so much for the response!
Indeed, HttpServletRequest.authenticate works. I tested this using JBoss EAP 6.0.1,
WebLogic 12.1.1, and GlassFish 3.1.2.2.
It would help a lot if the next MR to the spec would state this explicitly. Are there
already any plans for this MR? And being an MR, will there be some sort of open tracker
where one can submit issues?
ValidateRequest should not be called under HttpServletRequest.login
mostly because login presumes a user name/password authentication mechanism (which may not
be compatible with the configured auth context).
Indeed, but that holds for proprietary login modules as well, doesn't it? The contract
on HttpServletRequest.login already mentions something along those lines:
"This method returns without throwing a ServletException when the login mechanism
configured for the ServletContext supports username password validation"
I will think about how that might be possible
Thanks again, it will be interesting to see what the options here are.
If for some reason it really is not possible to handle HttpServletRequest.login with JSR
196, then maybe an exception should be thrown instead if JSR 196 is configured for the
app?
What happens now is that the call silently goes to a completely different login module. If
this login module happened to store the username/password that the user is trying to
authenticate with, he/she will be unexpectedly and silently authenticated with the
wrong login module.
--------------------------------------------------
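An added example, not from the original document or this comment thread, of the HttpServletRequest.authenticate path the comment reports as working: a minimal JSR 196 ServerAuthModule whose validateRequest is reached by authenticate(), next to the servlet that calls it. The class names, the X-Demo-User header and the "user" group are constructed for the example; registering the SAM with the container is assumed to follow the document's own configuration steps.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Minimal JSR 196 ServerAuthModule. The X-Demo-User header is a constructed stand-in for a real credential.
public class HeaderSam implements ServerAuthModule {
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        // The container sets this flag for protected resources and for HttpServletRequest.authenticate() calls.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(MANDATORY)));
        String user = request.getHeader("X-Demo-User");
        try {
            if (user == null) {
                if (!mandatory) { // unprotected resource: continue as an unauthenticated caller
                    handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                    return AuthStatus.SUCCESS;
                }
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // authentication required but absent
                return AuthStatus.SEND_FAILURE;
            }
            // Establish the caller identity and group on the client Subject via the container's handler.
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user),
                                            new GroupPrincipalCallback(client, new String[] { "user" }) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { }
}

// authenticate() drives the configured auth context (this SAM); per the comment above, login(user, pw) does not.
class DemoServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (req.authenticate(resp)) { // false means the SAM has already written the 401
            resp.getWriter().println("Caller: " + req.getUserPrincipal().getName());
        }
    }
}
```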