Interface HttpAuthenticationMechanismHandler

HttpAuthenticationMechanismHandler is a mechanism for obtaining a caller's credentials in some way, using the HTTP protocol where necessary, by consulting a set of one or more HttpAuthenticationMechanisms.

This is a special variant of an HttpAuthenticationMechanism intended for coordination between multiple HttpAuthenticationMechanisms. Implementations are therefore expected and encouraged to delegate actually obtaining the caller's credential to an actual HttpAuthenticationMechanism. This is however not required and implementations can do as they choose.

Implementations of Jakarta Security must supply a default implementation of the HttpAuthenticationMechanismHandler. This implementation must be ApplicationScoped and must behave as described below:
- Before servicing any calls as defined by this interface, the implementation must (implicitly) check if there is more than one enabled bean of type HttpAuthenticationMechanism available, irrespective of any qualifiers.
- If there is more than one enabled bean of type HttpAuthenticationMechanism available, the implementation must apply the ambiguous dependency resolution rules to this set of beans, for instance by using BeanContainer.resolve(java.util.Set).
- If the ambiguous dependency resolution rules fail, an AmbiguousResolutionException must be thrown (or the one thrown by BeanContainer.resolve(java.util.Set) propagated).
- If the ambiguous dependency resolution rules succeed, the implementation must remember the one resulting bean.
- When servicing any calls as defined by this interface, the implementation must call the method on the remembered HttpAuthenticationMechanism bean with the same name and arguments, and where applicable return the result from that call.

Applications do not need to supply an HttpAuthenticationMechanismHandler unless application-specific behavior is desired.
Method Summary

Modifier and Type          Method                                                                                                   Description
default void               cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext)    Remove mechanism specific principals and credentials from the subject and any other state the mechanism might have used.
default AuthenticationStatus   secureResponse(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext)  Secure the response, optionally.
AuthenticationStatus       validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) Authenticate an HTTP request.
Method Details

validateRequest

AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException

Authenticate an HTTP request.

This method is called in response to an HTTP client request for a resource, and is always invoked before any Filter or HttpServlet. Additionally this method is called in response to HttpServletRequest.authenticate(HttpServletResponse).

Note that by default this method is always called for every request, independent of whether the request is to a protected or non-protected resource, or whether a caller was successfully authenticated before within the same HTTP session or not. A CDI/Interceptor spec interceptor can be used to prevent calls to this method if needed. See AutoApplySession and RememberMe for two examples.

Parameters:
request - contains the request the client has made
response - contains the response that will be sent to the client
httpMessageContext - context for interacting with the container
Returns:
the completion status of the processing performed by this method
Throws:
AuthenticationException - when the processing failed
secureResponse

default AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException

Secure the response, optionally.

This method is called to allow for any post processing to be done on the request, and is always invoked after any Filter or HttpServlet.

Note that this method is only called when a (Servlet) resource has indeed been invoked, i.e. if a previous call to validateRequest that was invoked before any Filter or HttpServlet returned SUCCESS.

Parameters:
request - contains the request the client has made
response - contains the response that will be sent to the client
httpMessageContext - context for interacting with the container
Returns:
the completion status of the processing performed by this method
Throws:
AuthenticationException - when the processing failed
cleanSubject

default void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext)

Remove mechanism specific principals and credentials from the subject and any other state the mechanism might have used.

This method is called in response to HttpServletRequest.logout() and gives the authentication mechanism the option to remove any state associated with an earlier established authenticated identity. For example, an authentication mechanism that stores state within a cookie can remove that cookie here.

Parameters:
request - contains the request the client has made
response - contains the response that will be sent to the client
httpMessageContext - context for interacting with the container
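As an added illustration (not part of the Jakarta Security API documentation or its reference implementation) of the application-specific coordination this interface exists for, the following handler routes each request to one of two assumed application-provided mechanisms, ApiTokenMechanism for /api/* and FormLoginMechanism for everything else, and delegates the three methods as the contract above describes. The CDI wiring needed to replace the container's default handler (for instance an @Alternative with @Priority) is implementation-specific and is assumed to be in place.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@ApplicationScoped
public class PathBasedMechanismHandler implements HttpAuthenticationMechanismHandler {

    // Hypothetical application mechanisms; each is a regular HttpAuthenticationMechanism bean.
    @Inject ApiTokenMechanism apiTokenMechanism;   // assumed: bearer tokens for /api/*
    @Inject FormLoginMechanism formLoginMechanism; // assumed: form login for browser pages

    // Routing is a pure function of the request path, so validateRequest and secureResponse
    // for the same request always reach the same mechanism.
    private HttpAuthenticationMechanism select(HttpServletRequest request) {
        String path = request.getServletPath();
        if (path != null && path.startsWith("/api/")) {
            return apiTokenMechanism;
        }
        return formLoginMechanism;
    }

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) throws AuthenticationException {
        // Called before any Filter or HttpServlet, for every request by default.
        return select(request).validateRequest(request, response, httpMessageContext);
    }

    @Override
    public AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) throws AuthenticationException {
        // Only reached when validateRequest for this request returned SUCCESS.
        return select(request).secureResponse(request, response, httpMessageContext);
    }

    @Override
    public void cleanSubject(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) {
        // Logout may arrive on a path other than the one used at login, so clear the
        // state of every mechanism rather than only the one select() would pick now.
        apiTokenMechanism.cleanSubject(request, response, httpMessageContext);
        formLoginMechanism.cleanSubject(request, response, httpMessageContext);
    }
}
```

Injecting the two mechanisms by their concrete types sidesteps the ambiguous-resolution step the default handler performs, which is what makes a custom handler necessary once more than one HttpAuthenticationMechanism bean is enabled.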