Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce HttpAuthenticationMechanismHandler #309

Closed
arjantijms opened this issue Feb 20, 2024 · 2 comments · Fixed by #310
Closed

Introduce HttpAuthenticationMechanismHandler #309

arjantijms opened this issue Feb 20, 2024 · 2 comments · Fixed by #310
Assignees
@arjantijms
Labels
4.0 authentication m2
Milestone
4.0

Comments

@arjantijms
Copy link
Contributor

arjantijms commented Feb 20, 2024
edited
Loading

As an analogy to the IdentityStoreHandler, introduce an HttpAuthenticationMechanismHandler as an extra point for handling multiple authentication mechanisms. This construct can be used as the basis for the following requested features:

  • Authentication mechanism per URL SECURIY Authentication mechanism per URL pattern #86
  • User choice of authentication mechanism (login with provider X, login with provider Y, etc)
  • Multiple authentication mechanisms (try JWT, fallback to BASIC, etc)

The HttpAuthenticationMechanismHandler will not provide details about any of these features, and the behaviour of the default implementation should be the same as the current behaviour in Jakarta Security (one allowed enabled HttpAuthenticationMechanism)

A handler is called by the system, and contains the algorithm for handling multiple mechanisms. Which is currently really simple - only 1 authentication mechanism is allowed.

The developer should not bothered by this handler. It's an optional thing of plumbing for the developer, which essentially standardises what the CDI extension for Jakarta Security implementations was already doing. That CDI extension had a bit of logic in it to only allow for one HttpAuthenticationMechanism. That logic is now officially delegated to the Handler, and not longer an implementation detail.

Like the identity store handler, the Jakarta Security implementation has to provide a default implementation of this.
@arjantijms arjantijms added this to the 4.0 milestone Feb 20, 2024
@arjantijms arjantijms self-assigned this Feb 20, 2024
arjantijms added a commit to arjantijms/security that referenced this issue Feb 21, 2024
@arjantijms
Introduce HttpAuthenticationMechanismHandler for jakartaee#309
479fdeb 
Tests added to demonstrate and verify the behaviour

Signed-off-by: Arjan Tijms <[email protected]>
arjantijms added a commit to arjantijms/soteria that referenced this issue Feb 21, 2024
@arjantijms
Support for the HttpAuthenticationMechanismHandler
74f99d9 
See jakartaee/security#309

Signed-off-by: Arjan Tijms <[email protected]>
@arjantijms arjantijms mentioned this issue Feb 21, 2024
Merged
@OndroMih OndroMih mentioned this issue Feb 21, 2024
Merged
@OndroMih
Copy link
Contributor

I understand that this is not supposed to provide a solution to any of the existing issues or proposed usecases, but can be used as a building block for a final solution. E.g., with this, it's not possible to delegate to Form based auth for one URL pattern and to OpenID for another pattern, but once it's possible to inject the default form and OpenId mechanisms, then the handler could delegate to them based on the URL.

I support this PR, and I'd like to see solutions based on this, e.g. injecting existing auth mechanisms as suggested by #188, or programmatic configuration as suggested in #227

@arjantijms
Copy link
Contributor Author

but once it's possible to inject the default form and OpenId mechanisms, then the handler could delegate to them based on the URL.

Indeed. That hinges on introducing qualifiers for the default (build-in) authentication mechanisms. This will be handled by another issue.

@OndroMih OndroMih mentioned this issue Feb 21, 2024
Closed
arjantijms added a commit that referenced this issue Feb 22, 2024
@arjantijms
Merge pull request #310 from arjantijms/309_HttpAuthenticationMechani…
0146f9d 
…smHandler

Introduce HttpAuthenticationMechanismHandler for #309
@OndroMih OndroMih mentioned this issue Jul 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arjantijms arjantijms

Labels
4.0 authentication m2
Projects
None yet
Milestone
4.0
Development

Successfully merging a pull request may close this issue.

Introduce HttpAuthenticationMechanismHandler for #309 arjantijms/security
2 participants
@OndroMih @arjantijms