Monday, July 20, 2009

ServletAuthenticationFilter - Revisit

I want to clarify what a ServletAuthenticationFilter is used for and when it gets invoked. The explanation in the product documentation is accurate, but I want to add some important context. When the documentation says "the servlet container calls the Servlet Authentication Filters prior to authentication occurring", this raises the question "When does authentication occur?".

Authentication occurs when the resource that the user is accessing is protected. Under the default security model (DD Only), what is protected is strictly what is defined in the deployment descriptor (web.xml); by default, resources are unprotected. Authentication also occurs when the current user (including the anonymous user) is not authorized to access a resource.

So, in practice, authentication occurs the first time the user attempts to access a protected resource. ServletAuthenticationFilters enable authentication schemes beyond those provided out of the box by JEE, such as SAML, SPNEGO and OpenID. Even though they re-use the standard Filter interface, they are not the same as standard filters. Standard filters, which are configured on a per-application basis, get called on every request, but only after authentication and authorization. The fact that ServletAuthenticationFilters get called before authentication is what makes them unique.
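To make the hook concrete, here is an added example (not code from the original post or from WebLogic itself) of a security provider runtime class that exposes a ServletAuthenticationFilter. The interface `weblogic.security.spi.ServletAuthenticationFilter` and its single method `getServletAuthenticationFilters()` are the ones the WebLogic security SPI documents; the header name `X-Demo-Token`, the token format `<user>:<hex HMAC>` and the shared secret are assumptions invented for the illustration. The filter only runs when the container is about to authenticate, so a request for an unprotected resource never reaches it; a request with no token falls through to whatever `login-config` web.xml declares, while a request carrying a bad token is rejected before the container's own authentication starts.

```java
// Added example (not from the original post): a WebLogic security provider runtime
// class exposing a ServletAuthenticationFilter. The interface and method name come
// from the WebLogic security SPI; the header, token format and secret are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.security.spi.ServletAuthenticationFilter;

public class TokenFilterProvider implements ServletAuthenticationFilter {

    // Assumed shared secret for the demo; a real provider would read it from its MBean configuration.
    private static final byte[] SECRET = "change-me-demo-secret".getBytes(StandardCharsets.UTF_8);
    private static final String HEADER = "X-Demo-Token"; // assumed header name

    // In a deployed provider this same class would also implement the authentication
    // provider interfaces of the SPI; only the ServletAuthenticationFilter part is shown.
    @Override
    public Filter[] getServletAuthenticationFilters() {
        return new Filter[] { new TokenFilter() };
    }

    /** Invoked by the container before authentication, i.e. on the first access to a protected resource. */
    static final class TokenFilter implements Filter {
        public void init(FilterConfig cfg) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            String token = http.getHeader(HEADER);
            if (token == null) {
                // No token presented: let the container's normal authentication (BASIC/FORM from web.xml) run.
                chain.doFilter(req, res);
                return;
            }
            if (!isValid(token)) {
                // A token was presented but does not verify: fail closed rather than
                // handing a forged credential on to the container.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Token verified. Establishing the WebLogic Subject for this request is the job of the
            // provider's identity asserter (not shown); the chain continues to the container.
            chain.doFilter(req, res);
        }
    }

    /** Checks "<user>:<hex hmac-sha256(user)>" against the shared secret with a constant-time comparison. */
    static boolean isValid(String token) {
        int sep = token.lastIndexOf(':');
        if (sep <= 0 || sep == token.length() - 1) {
            return false;
        }
        String user = token.substring(0, sep);
        String presented = token.substring(sep + 1).toLowerCase();
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            byte[] expected = mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(expected.length * 2);
            for (byte b : expected) {
                hex.append(String.format("%02x", b));
            }
            // MessageDigest.isEqual is constant-time for equal-length inputs, avoiding a timing side channel.
            return MessageDigest.isEqual(hex.toString().getBytes(StandardCharsets.US_ASCII),
                                         presented.getBytes(StandardCharsets.US_ASCII));
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

The important behavioural point is in `doFilter`: because the container only calls this filter when authentication is about to happen, the filter does not need its own notion of which URLs are protected; web.xml (the DD Only model) still decides that. A standard `<filter>` in web.xml could not make the 401 decision at this point, since it would only see the request after the container had already authenticated and authorized it.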
