Re: [jaspic-dev] Jakarta Authentication, Authorization and CDI



On Fri, Dec 3, 2021 at 1:46 PM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:
Hi,

There has been discussion about this, and the outcome was indeed to let Authentication and Authorization remain low level SPIs/APIs, but do add a clarification that CDI should be available when a server auth module is called, without that module itself needing to be a CDI bean:

Thank you, that helps a lot; otherwise it feels like they would be duplicating what we have with Jakarta Security.

 


=== Interaction with other specifications

 When this profile is used as part of a Jakarta EE compatible implementation, the requirements as stated in the sub-sections below MUST be satisfied.

 When this profile is NOT used in a Jakarta EE compatible implementation, but this implementation uses one or more of the specifications as outlined in the sub-sections below,
 then the requirements as stated in the relevant sub-sections SHOULD be satisfied.

 ==== Availability of Jakarta EE component namespaces

 The Jakarta EE JNDI component namespaces (`java:global`, `java:app`, `java:module`, `java:comp`) MUST be made available to code running in the context of a call to
 `validateRequest`, `secureResponse` and `cleanSubject` on the acquired `ServerAuthContext`.

 A practical use case for this is obtaining (application scoped) data sources, which a `ServerAuthModule` could use to validate credentials.


 Example:
 ```
 new InitialContext().lookup("java:app/myds")
 ```

 ==== Availability of CDI scopes

 The CDI built-in scopes according to "2.4.1. Built-in scope types" of the CDI specification MUST be made available to code running in the context of a call to
 `validateRequest`, `secureResponse` and `cleanSubject` on the acquired `ServerAuthContext`.

 A practical use case for this is obtaining application scoped identity stores, which a `ServerAuthModule` could use to validate credentials.


 Example:
 ```
 CDI.current().select(SomeBean.class); // SomeBean is @RequestScoped
 ```

 Note that it is a non-requirement that a `ServerAuthModule` is itself a CDI managed bean, and as such it is not required that services such as injection using the `@Inject` annotation are
 available to a `ServerAuthModule`. It is only required that programmatic lookup such as shown in the example above works correctly.



The above text was one that we had essentially prepared a long time ago (just before EE 7 initially), but it never made it into the spec text.

Kind regards,
Arjan


On Fri, Dec 3, 2021 at 2:20 PM Darran Lofthouse <darran.lofthouse@xxxxxxxxx> wrote:
Has there been any discussion about the relationship of CDI with Authentication and Authorization?

At the moment Jakarta EE Security is the security spec making use of CDI. Would the plan be for Authentication and Authorization to start to add CDI support, or would these remain as a low level specification of APIs with Jakarta EE Security having the role of adding CDI integration?

--

Darran Lofthouse

Red Hat

darran.lofthouse@xxxxxxxxx   

_______________________________________________
jaspic-dev mailing list
jaspic-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jaspic-dev
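
Added example, not part of the thread or of the specification text: a `ServerAuthModule` that is not a CDI bean and relies only on the programmatic lookup described under "Availability of CDI scopes", failing closed when the lookup or the bean is unavailable. The `TokenStore` bean type, the `X-Auth-Token` header and the class name are hypothetical, and the module assumes every request it sees requires authentication.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import jakarta.enterprise.inject.spi.CDI;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.MessagePolicy;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Plain class registered through an AuthConfigProvider; it is NOT a CDI bean, so no @Inject here.
public class TokenServerAuthModule implements ServerAuthModule {
    // Hypothetical application bean type (e.g. @ApplicationScoped); returns the caller name or null.
    public interface TokenStore { String callerFor(String token); }
    private CallbackHandler handler;

    @Override @SuppressWarnings("rawtypes") // a raw Map overrides both the raw and the generic signature
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        try {
            // Programmatic lookup: the only form of CDI access the quoted text requires.
            TokenStore store = CDI.current().select(TokenStore.class).get();
            String token = request.getHeader("X-Auth-Token"); // hypothetical header name
            String caller = token == null ? null : store.callerFor(token);
            if (caller != null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, caller) });
                return AuthStatus.SUCCESS;
            }
        } catch (Exception e) {
            // No CDI container, unresolved bean or callback failure: fail closed, never authenticate.
            throw (AuthException) new AuthException("credential validation unavailable").initCause(e);
        }
        ((HttpServletResponse) info.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject s) { if (s != null) s.getPrincipals().clear(); }
    @Override @SuppressWarnings("rawtypes")
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
}
```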