Public Review Draft - Wrapping Using a ServerAuthModule


Darran Lofthouse
 

Whilst JASPIC may have been an inspiration for a number of aspects of the API, is it strictly necessary to state that the mechanism would be wrapped using a ServerAuthModule? Shouldn't this be an implementation detail left to those implementing the spec?

Regards,
Darran Lofthouse.


Arjan Tijms
 

Hi,

On Thu, Jul 6, 2017 at 5:19 PM, Darran Lofthouse <darran.lofthouse@...> wrote:
Whilst JASPIC may have been an inspiration for a number of aspects of the API, is it strictly necessary to state that the mechanism would be wrapped using a ServerAuthModule? Shouldn't this be an implementation detail left to those implementing the spec?

This was indeed discussed, extensively even, but at long last decided not to make it an implementation detail. The simple fact is that every server out there already supports the Servlet Container Profile of JASPIC and does that according to the exact behaviour as specified in that spec. This lower level SPI can be independently tested for compliance.

Now basically every server has its own proprietary SPI to hook authentication mechanisms in as well. You of course know this very well. But the behaviour of all these SPIs differs slightly; just think about the pre-emptive behaviour which, if my memory is correct, we had a discussion about earlier with Stuart involved as well wrt how it worked in WildFly/Undertow.

So, to get consistent behaviour, we basically would have been required to either copy the JASPIC spec pretty much verbatim, or come up with a similar behaviour specification ourselves. The former would be a bit pointless, as just pointing to JASPIC would be much easier then. The latter would require a lot of effort and time that we simply didn't have. It also would be a duplication of effort, since JASPIC already does exactly that, so why duplicate it?

So it's not so much that above all it would have to be bridged/wrapped by a ServerAuthModule, but that by requiring that you automatically in one simple sentence get all the specified behaviour about when the mechanism should be called for free.

Hope this makes it more clear.

Kind regards,
Arjan Tijms
