JSR 196: pluggable authentication for JEE containers early draft


News: JSR 196: pluggable authentication for JEE containers early draft

  1. After nearly 3 years since the expert group formed, an early draft review of JSR 196, Java Authentication Service Provider Interface for Containers has been released for review. The spec is intended for security & user management product vendors (not application developers). The spec will create standard ways for third party authentication providers to integrate with any JEE appserver, as opposed to the current situation where security/user management vendors need to implement custom, per-appserver interfaces (like weblogic.security.spi.AuthenticationProvider) to plug-in to those appservers.

    The points at which this integration can occur are described in the spec:
    A typical message interaction between a client and server begins with a request from the client to the server. The server recieves the request and dispatches it to a service to perform the requested operation. When the service completes, it creates a response that is returned back to the client.

    The SPI defined by the specification is structured such that message processing runtimes can inject security processing at four points in the typical message interaction scenario. A message processing runtime uses the SPI at these points to delegate the corresponding message security processing to an authentication provider or module integrated into the runtime by way of the SPI.
    The four points of interception consist of two on the client side (upon first request and just before receipt of response), and on the server side (at receipt of request, and after execution of the request.

    Updated - originally this news item had the wrong JSR number, thanks to those who pointed that out.
  2. Is it easier to delete the news item than to change the topic? Time for a system update perhaps...
  3. I didn't delete the news item. I deleted the comments mentioning that the title was wrong, since i corrected the title and thus the comments themselves were no longer adding value.

  4. nnot for develoers[ Go to top ]

    ... management product vendors (not application developers) ...

    Only a manager or a vendor would need this?

  5. Acegi[ Go to top ]

    Any idea how this JSR relates to something like Acegi?
  6. Acegi[ Go to top ]

    Acegi doesn't rely on J2EE authentication but use their own mechanism. Haven't read the JSR 196 yet but I think that i´t would be possible for Acegi to act as a authentication provider (I am not an ACEGI expert though)

  7. I posted these comments on JSR196 on my blog. I found this comment from the spec interesting.

    <blockquotes>Implementations also have custom logic to determine what modules to invoke, and in what order</blockquotes>

    Basically the spec does not provide any guidelines around the interaction of the authentication modules. Am I getting this right?


    David Le Strat.