Unexpected Behaviour ServerAuthModule AuthStatus
I am playing around with JASPIC and custom ServerAuthModule, LoginModule, CallbackHandler and Callbacks. All this in combination with FORM based login.

By now I have a couple of questions, happy to find anybody able to answer them. All examples on the web are trivial and the jaspic-provider-framework testcase does this even better ;)
1) host:port/j_security_check doesn't trigger my SAM. I explicitly have to post the form to the (e.g. /private/restricted) to trigger that. At the moment I simply post to /private/index.xhtml ... which does the job. Is that the expected behavior? Somehow I would have expected to see all posts to host:port/j_security_check trigger the configured message security?
2) In case everything works fine (Subject returned from the LoginModule, CallerPrincipalCallback and GroupPrincipalCallback added) and I return an AuthStatus.SUCCESS, everything works fine and the protected resource is sent to the client.

If I catch a LoginException from the LoginModule and try to return AuthStatus.SEND_FAILURE, I simply get a blank page :|

I can do something like HttpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN); and the browser reports the 403 with a communication error (maybe chrome

But what I would have expected to see is the configured 403 error page or at least the server sent 403 status page. Same behavior with AuthStatus.FAILURE. Any idea about that?
3) And a more general question: how to remember an already logged in user? validateRequest for requestPolicy.isMandatory() pages is called every time. What is the proposed way of _re_validating subsequent requests? Putting hashed stuff into the user session? Or simply validating the existence of a session? Does anybody have a good pointer to the GlassFish sources showing how this is done there?
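The following is an added example, not code from the poster or from GlassFish, sketching one way a ServerAuthModule can handle the flow the questions above describe: on a successful LoginModule login it stores only the caller name and group names (never the password) in the HttpSession, on later requests it re-establishes the caller from that session through CallerPrincipalCallback and GroupPrincipalCallback instead of re-running the LoginModule, and on a LoginException it sends a 403 and returns SEND_FAILURE. Assumptions: the JAAS login configuration entry is named "formLogin", the form posts j_username and j_password, the login page lives at /login.xhtml, the session attribute names are made up for this example, and the LoginModule is assumed to put one Principal for the user plus one Principal per group into the Subject. Whether the container turns the SEND_FAILURE path into its configured 403 error page is exactly what question 2 asks and is not settled here; the example uses sendError() rather than setStatus() because sendError() is what commits an error response in the Servlet API.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class SessionBackedFormSam implements ServerAuthModule {
    // Attribute names, JAAS entry and login page are assumptions for this example.
    private static final String SESSION_USER = "sam.caller";
    private static final String SESSION_GROUPS = "sam.groups";
    private static final String JAAS_ENTRY = "formLogin";
    private static final String LOGIN_PAGE = "/login.xhtml";
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        try {
            // 1. Session already carries an authenticated caller: re-establish it without
            //    running the LoginModule again. Only identity is stored, never credentials.
            HttpSession session = request.getSession(false);
            if (session != null && session.getAttribute(SESSION_USER) != null) {
                register(clientSubject, (String) session.getAttribute(SESSION_USER),
                         (String[]) session.getAttribute(SESSION_GROUPS));
                return AuthStatus.SUCCESS;
            }
            // 2. Credentials posted from the login form: delegate to the LoginModule.
            String user = request.getParameter("j_username");
            String password = request.getParameter("j_password");
            if (user != null && password != null) {
                try {
                    String[] groups = groupsOf(loginWithModule(user, password.toCharArray()), user);
                    // Drop the pre-login session so its id is not carried over into the
                    // authenticated state, then remember identity only.
                    if (session != null) session.invalidate();
                    HttpSession fresh = request.getSession(true);
                    fresh.setAttribute(SESSION_USER, user);
                    fresh.setAttribute(SESSION_GROUPS, groups);
                    register(clientSubject, user, groups);
                    return AuthStatus.SUCCESS;
                } catch (LoginException e) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return AuthStatus.SEND_FAILURE;
                }
            }
            // 3. Nobody logged in: protected page -> send to the form; otherwise anonymous.
            if (mandatory) {
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
                return AuthStatus.SEND_CONTINUE;
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    // Runs the configured JAAS LoginModule with a handler that answers Name/PasswordCallback.
    private Subject loginWithModule(String user, char[] password) throws LoginException {
        CallbackHandler creds = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            }
        };
        LoginContext lc = new LoginContext(JAAS_ENTRY, creds);
        lc.login();
        return lc.getSubject();
    }

    // Assumption: every Principal except the user's own name is a group name.
    private static String[] groupsOf(Subject subject, String user) {
        List<String> groups = new ArrayList<>();
        for (Principal p : subject.getPrincipals())
            if (!user.equals(p.getName())) groups.add(p.getName());
        return groups.toArray(new String[0]);
    }

    // Hands caller and groups to the container via the standard JASPIC callbacks.
    private void register(Subject subject, String user, String[] groups)
            throws IOException, UnsupportedCallbackException {
        handler.handle(new Callback[] { new CallerPrincipalCallback(subject, user),
                                        new GroupPrincipalCallback(subject, groups) });
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        // Logout: forget the remembered caller together with the session.
        HttpSession session = ((HttpServletRequest) messageInfo.getRequestMessage()).getSession(false);
        if (session != null) session.invalidate();
        subject.getPrincipals().clear();
    }
}
```

The point of storing only the caller name and groups (and invalidating the pre-login session) is that the session then acts as a bearer of an already-verified identity rather than a cache of credentials; replaying the LoginModule on every request is not needed, and a stolen-session risk is bounded by the usual session lifetime and id rotation rather than by exposure of a password.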