I have implemented a custom HttpAuthenticationMechanism
subclass to provide authentication using the Soteria/Java EE Security framework. I've got authentication working just fine. However, I've noticed that when I call HttpMessageContext.setRegisterSession(String, Set<String>)
to create a Java EE Session
, the behavior is not what I would expect. I am expecting that the authenticated identity be associated with the web Session
, and my AuthenticationMechanism
's validateRequest(HttpServletRequest req, HttpServletResponse res, HttpMessageContext ctx)
method would not be called on subsequent requests. What I am observing, however, is that validateRequest()
is called on every request, even if the user has already authenticated successfully.
I am able to get the behavior I want using the @AutoApplySession
annotation on my AuthenticationMechanism
class, but that is not the behavior I want. I'd like to choose whether or not to create a session based on the type of credential provided.
Is my understanding of the setRegisterSession()
method incorrect? Or is this a bug within Soteria?
@AutoApplySession
is the new way to do this in Soteria (JSR 375). If it does not suit your needs (as you need to either remember the authenticated identity or re-authenticate for all requests during the same HTTP session based on some other credential info), validateRequest
method will still be called, regardless of whether you call the HttpMessageContext
'ssetRegisterSession
method or not. HttpMessageContext.setRegisterSession
will make the container remember the credentials but will not reuse them automatically, you still need to make the container reuse the authentication identity by doing the same thing Soteria's AutoApplySessionInterceptor
does. So in your class which implements HttpAuthenticationMechanism
you should add the following code before your actual authentication logic is performed in the validateRequest
method:
Principal userPrincipal = request.getUserPrincipal();
if (userPrincipal != null) {
httpMessageContext.getHandler().handle(new Callback[] {
new CallerPrincipalCallback(httpMessageContext.getClientSubject(), userPrincipal) }
);
return AuthenticationStatus.SUCCESS;
}
Also, see this answer by Arjan Tijms. Although it's about JASPIC not Soteria, but in this case I think it's relevant. Hope this helps.
I thing you're following the incorrect source you've look at this IMPLEMENTATION.
/* (non-Javadoc)
* @see javax.security.authenticationmechanism.http.HttpMessageContext#setRegisterSession(java.lang.String, java.util.Set)
*/
@Override
public void setRegisterSession(String username, Set<String> groups) {
Jaspic.setRegisterSession(messageInfo, username, groups);
}
Under the library location:
import org.glassfish.soteria.mechanisms.jaspic.Jaspic;
From the mechanisms.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With