Interface HttpAuthenticationMechanism

All Known Implementing Classes:
HttpAuthenticationMechanismWrapper

public interface HttpAuthenticationMechanism
HttpAuthenticationMechanism is a mechanism for obtaining a caller's credentials in some way, using the HTTP protocol where necessary.

This is used to help in securing Jakarta Servlet endpoints, including endpoints that may be built on top of Jakarta Servlets, such as Jakarta RESTful Web Services endpoints and Jakarta Faces views. It specifically is not used for endpoints such as remote Jakarta Enterprise Beans or (Jakarta Messaging) message-driven beans.

An HttpAuthenticationMechanism is essentially a Jakarta Servlet-specific and CDI-enabled version of the ServerAuthModule that adheres to the Servlet Container Profile. See the Jakarta Authentication spec for further details on this.

Implementations of this interface can notify the Jakarta Servlet container about a successful authentication by using the HttpMessageContext.notifyContainerAboutLogin(java.security.Principal, java.util.Set) method.

Implementations are expected and encouraged to delegate the actual credential validation and/or the retrieval of the caller name with optional groups to an IdentityStore. This is, however, not required: implementations can either perform the authentication checks completely autonomously, or delegate only certain aspects of the process to the store (e.g. use the store only for retrieving the groups an authenticated caller is in).
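The following is an added example of the delegation pattern described above; it is not code from the specification or from any implementation of it. It shows a hypothetical HTTP Basic mechanism that only extracts the credential from the request and hands validation to the injected IdentityStoreHandler, then passes the CredentialValidationResult to the container through the notifyContainerAboutLogin(CredentialValidationResult) convenience overload (which in turn uses the Principal/Set overload named above). The class name, realm name and package are assumptions; the API calls are those of jakarta.security.enterprise.

```java
package com.example.security; // assumed package

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Hypothetical HTTP Basic mechanism (example code). It parses the
 * Authorization header itself and delegates all validation to the
 * IdentityStoreHandler, which consults the application's IdentityStores.
 */
@ApplicationScoped
public class ApiBasicAuthenticationMechanism implements HttpAuthenticationMechanism {

    private static final String REALM = "api"; // assumed realm name

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext httpMessageContext)
            throws AuthenticationException {

        UsernamePasswordCredential credential = parseBasicHeader(request.getHeader("Authorization"));

        if (credential == null) {
            // No usable credential: unprotected resources proceed anonymously,
            // protected ones receive a challenge.
            if (!httpMessageContext.isProtected()) {
                return httpMessageContext.doNothing();
            }
            return challenge(response, httpMessageContext);
        }

        CredentialValidationResult result = identityStoreHandler.validate(credential);
        if (result.getStatus() != CredentialValidationResult.Status.VALID) {
            // One response for "unknown caller" and "wrong password": the store
            // already collapses both into INVALID or NOT_VALIDATED.
            return challenge(response, httpMessageContext);
        }

        // Hands the validated caller principal and groups to the container.
        return httpMessageContext.notifyContainerAboutLogin(result);
    }

    /** Returns null for anything that is not a well-formed Basic credential. */
    static UsernamePasswordCredential parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated like a missing header
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon <= 0) {
            return null; // RFC 7617: the user-id is non-empty and cannot contain ':'
        }
        // A password may legitimately contain ':', so split only on the first one.
        return new UsernamePasswordCredential(pair.substring(0, colon), pair.substring(colon + 1));
    }

    private AuthenticationStatus challenge(HttpServletResponse response, HttpMessageContext ctx) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\", charset=\"UTF-8\"");
        return ctx.responseUnauthorized();
    }
}
```

The mechanism never sees a password hash or a group table; those stay inside the IdentityStore, which is the point of the delegation. The only security-relevant logic it owns is header parsing, and the parser fails closed: anything that is not a syntactically valid Basic credential is treated as an absent credential rather than as an error that might leak which part was wrong.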

By default only one HttpAuthenticationMechanism can be active. This is enforced by the default implementation of the HttpAuthenticationMechanismHandler. If an application wants to use multiple HttpAuthenticationMechanisms, e.g. a Form mechanism for the UI section and HTTP Basic for a REST endpoint, a custom HttpAuthenticationMechanismHandler has to be provided. A future version of this specification may provide default behavior in this area.
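As an added example of the custom handler mentioned above (not code from the specification or from any implementation), the class below routes requests under /api to a Basic mechanism and everything else to a Form mechanism. It assumes the qualifiers attribute of the mechanism definition annotations and the HttpAuthenticationMechanismHandler interface from Jakarta Security 4.0, and that an application replaces the default handler by supplying a CDI alternative with an application priority; the qualifier names, paths, realm and package are assumptions.

```java
package com.example.security; // assumed package

import static jakarta.interceptor.Interceptor.Priority.APPLICATION;
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.PARAMETER;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;

import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import jakarta.inject.Qualifier;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.FormAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical qualifiers that tell the two built-in mechanisms apart
// (package-private so they can live in this one file).
@Qualifier @Retention(RUNTIME) @Target({FIELD, METHOD, PARAMETER, TYPE}) @interface ApiAuth {}
@Qualifier @Retention(RUNTIME) @Target({FIELD, METHOD, PARAMETER, TYPE}) @interface UiAuth {}

// Two built-in mechanisms enabled side by side, each tagged with its own
// qualifier (assumed: the qualifiers attribute added in Jakarta Security 4.0).
@BasicAuthenticationMechanismDefinition(realmName = "api", qualifiers = ApiAuth.class)
@FormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(loginPage = "/login.xhtml", errorPage = "/login-error.xhtml"),
        qualifiers = UiAuth.class)
// Replaces the default handler, which would otherwise reject having two mechanisms.
@Alternative
@Priority(APPLICATION)
@ApplicationScoped
public class PathRoutingMechanismHandler implements HttpAuthenticationMechanismHandler {

    @Inject @ApiAuth
    private HttpAuthenticationMechanism apiMechanism;

    @Inject @UiAuth
    private HttpAuthenticationMechanism uiMechanism;

    /**
     * Routing decision. getServletPath() is already decoded and normalized by
     * the container, so "/api/../login" cannot be used to pick the wrong branch.
     * The same selection is used for all three callbacks so that logout
     * (cleanSubject) hits the mechanism that performed the login.
     */
    private HttpAuthenticationMechanism select(HttpServletRequest request) {
        String path = request.getServletPath();
        boolean api = "/api".equals(path) || path.startsWith("/api/");
        return api ? apiMechanism : uiMechanism;
    }

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) throws AuthenticationException {
        return select(request).validateRequest(request, response, httpMessageContext);
    }

    @Override
    public AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) throws AuthenticationException {
        return select(request).secureResponse(request, response, httpMessageContext);
    }

    @Override
    public void cleanSubject(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) {
        select(request).cleanSubject(request, response, httpMessageContext);
    }
}
```

The handler owns exactly one decision, which mechanism handles a given request, and makes it from a container-normalized path rather than from a header the client controls. Keeping that decision in one place and applying it to validateRequest, secureResponse and cleanSubject alike avoids the failure mode where a caller logs in through the Form mechanism but a differently routed logout request never clears that session.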