jakartaee-platform icon indicating copy to clipboard operation
jakartaee-platform copied to clipboard

Published 20 hours ago verified publisher icon eclipse-ee4j

Specify behaviour for Principal when nobody is logged in, CDI EE

Open starksm64 opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe. From https://github.com/jakartaee/cdi/issues/769,

@benjamin-confino I recently had a customer ask why we have CDI inject a Principal containing saying unauthenticated when HttpServletRequest.getUserPrincipal() will give a null in that context.

I think that unauthenticated is the correct choice for CDI, since we cannot inject a null and hope for it to remain up to date as the context changes, but I think it would be useful to clarify the spec on this point as the current behaviour is undefined.

Describe the solution you'd like We need to clarify the behavior. From CDI-769, comment from @Ladicek: What seems a bit weird to me is that the specification doesn't define the scope of the Principal bean. I guess it should be @RequestScoped, and that itself actually precludes a null value.

starksm64 avatar Feb 22 '24 17:02 starksm64

Should we not move this to the security spec and specify it there?

A null as name may be more logical for the unauthenticated principal.

What seems a bit weird to me is that the specification doesn't define the scope of the Principal bean.

The principal should perhaps have its own scope: @AuthenticatedScope. A Principal can potentially change many times during a request, e.g. via HttpServletRequest.login, HttpServletRequest.authenticate and HttpServletRequest.logout.

arjantijms avatar Feb 24 '24 17:02 arjantijms

Yes, given that there are no details other than a statement that a container must provide a bean with type, java.security.Principal, it makes sense to have this specified in the security integration sections/specs.

On Sat, Feb 24, 2024 at 11:48 AM Arjan Tijms @.***> wrote:

Should we not move this to the security spec and specify it there?

A null as name may be more logical for the unauthenticated principal.

What seems a bit weird to me is that the specification doesn't define the scope of the Principal bean.

The principal should perhaps have its own scope: @AuthenticatedScope. A Principal can potentially change many times during a request, e.g. via HttpServletRequest.login, HttpServletRequest.authenticate and HttpServletRequest.logout.

— Reply to this email directly, view it on GitHub https://github.com/jakartaee/platform/issues/841#issuecomment-1962435660, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACRDMRTRBFLSNCWDANKP43YVIRX3AVCNFSM6AAAAABDVLKWMCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRSGQZTKNRWGA . You are receiving this because you authored the thread.Message ID: @.***>

starksm64 avatar Feb 25 '24 15:02 starksm64