glassfishrobot
commented
6 years ago - Issue Imported From: https://github.com/javaee/jaspic-spec/issues/22
- Original Issue Raised By:@glassfishrobot
- Original Issue Assigned To: @glassfishrobot
Open glassfishrobot opened 11 years ago
glassfishrobot
commented
6 years ago glassfishrobot
commented
11 years ago @glassfishrobot Commented Reported by arjan_t
glassfishrobot
commented
7 years ago @glassfishrobot Commented This issue was imported from java.net JIRA JASPIC_SPEC-22
A common use case in web applications is that users log-in with their email address, which then becomes the user/caller principal once authenticated.
A user should be allowed to change her email address, but this is not easily supported by JASPIC, since this also requires a re-authentication, which on its turn likely needs the original credentials used for authentication (which a secure application of course does not store, so can not use for this case).
This means that a user either needs to provide these credentials together with the action of changing the email, which is not entirely user friendly in the first place. Those provided credentials may possibly not even be useable for programmatic re-authentication if the SAM that's used only supports asking them directly from the user.
Another option is to immediately log the user out after changing the email, which again is not really user friendly.
Something similar holds for roles; a user may obtain new roles during a session (for example by making a payment, or obtaining a reward for some online action, etc). Requiring the user to log-out and log-in again for the new role to take effect is not always desirable.
See also: http://stackoverflow.com/questions/2487224/how-to-handle-dynamic-role-or-username-changes-in-jsf
In order to support such use cases I'd like to propose that the possibility to handle changes to the authenticated identity without the need for a manual logout and login (re-authenticate) be added to JASPIC.
One possibility could be for a variant on HttpServletRequest#authenticate that takes one or more Callbacks, and the definition of several new Callbacks, e.g.