I've been working with the JASPIC test suite Arjan recommended[1]. There are a few wrinkles but I've got things working well enough that I can test the JASPIC code I'm working on.
I've reached the point where I need to hook in to the authenticators and this has raised some interesting questions.

The samples use a ServletContextListener to register the JASPIC AuthConfigProvider. The problem is that ServletContextListener events fire after the authenticator has been configured.

As I thought about this some more, I realised that there is nothing in the Servlet Container profile in the JASPIC spec (that I have been able to find) about when AuthConfigProvider registration takes place. This means that AuthConfigProvider registrations and de-registrations could take place while the web application is running.

I am currently leaning towards a refactoring of AuthenticatorBase along the following lines:

- implement authenticate() and have it delegate to a new protected method doAuthenticate()
- have authenticate() check (i.e. on every request) for a JASPIC config and use it if present
- cache what I can (for speed) and use a RegistrationListener to track updates

The refactoring does mean that any custom authenticator will not support JASPIC unless it is updated to over-ride doAuthenticate() rather than authenticate().

I'm concerned that looking for a JASPIC configuration on every request could slow things down. I'll test this and, if it does, I'll make JASPIC support something that has to be explicitly enabled for a Context.

Thoughts? Comments?

Mark

[1] https://github.com/javaee-samples/javaee7-samples
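
The refactoring outlined in the message above, as an added sketch that is not Tomcat's code or the author's: a per-request provider check with a cache that a RegistrationListener invalidates, so a de-registered provider is not used beyond the request that was already in flight. The class name, `authenticateJaspic()`, the `Object` request/response parameters and the constructor argument are hypothetical; only the `javax.security.auth.message.config` types are real API, and the JASPIC API jar is assumed to be on the classpath.

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;

// Hypothetical sketch: only the javax.security.auth.message types are real API.
public abstract class JaspicAwareAuthenticator implements RegistrationListener {
    private static final String LAYER = "HttpServlet"; // Servlet Container Profile layer

    // Immutable snapshot of one lookup, tagged with the generation it was made in.
    private static final class Entry {
        final int generation;
        final AuthConfigProvider provider; // null means no JASPIC config was found
        Entry(int generation, AuthConfigProvider provider) {
            this.generation = generation;
            this.provider = provider;
        }
    }

    private final String appContext; // assumed to be supplied by the Context
    private final AtomicInteger generation = new AtomicInteger();
    private volatile Entry cache;

    protected JaspicAwareAuthenticator(String appContext) { this.appContext = appContext; }

    // Called on every request; Object stands in for the container's request/response types.
    public final boolean authenticate(Object request, Object response) {
        AuthConfigProvider provider = currentProvider();
        return provider == null ? doAuthenticate(request, response)
                                : authenticateJaspic(provider, request, response);
    }

    // Custom authenticators override this instead of authenticate().
    protected abstract boolean doAuthenticate(Object request, Object response);
    protected abstract boolean authenticateJaspic(AuthConfigProvider provider, Object request, Object response);

    private AuthConfigProvider currentProvider() {
        int seen = generation.get(); // read before the lookup so a racing notify() is not lost
        Entry e = cache;
        if (e != null && e.generation == seen) return e.provider; // fast path: two volatile reads
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        if (factory == null) return null; // no factory, so no listener: do not cache, recheck next time
        AuthConfigProvider p = factory.getConfigProvider(LAYER, appContext, this);
        cache = new Entry(seen, p); // stale if notify() ran meanwhile; the next request refreshes
        return p;
    }

    @Override
    public void notify(String layer, String appContext) {
        generation.incrementAndGet(); // registration for this layer/appContext changed: invalidate
    }
}
```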