Authentication mechanism per URL pattern
The use case would be writing a JAX-RS endpoint that provides an API, some HTML/JS that provides a UI on top of that API, and then bundling them together as a single application. I would then like to offer BASIC authentication for "machines" interacting directly with the API and FORM-based authentication for "humans" interacting indirectly via the UI.
This type of functionality was mentioned in javaee/security-spec#37 but I couldn't find a dedicated issue:
Note that this feature is distinct from having different authentication mechanisms for different resources, like e.g. FORM for the web based UI part at /app/* of an application and BASIC for the REST part at say /rest/*.
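As an added illustration (not code from the issue or from Jakarta Security itself) of the single-class approach an application is pushed into today: a hypothetical custom `HttpAuthenticationMechanism` that behaves as BASIC under `/rest/*` and as FORM under the rest of the application. It assumes an `IdentityStoreHandler` is available for injection, that the UI's login form posts `j_username`/`j_password` to the protected page itself, and that `/login.html` is the login page; it omits the saved-request handling a full FORM mechanism would do.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.credential.BasicAuthenticationCredential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.CredentialValidationResult.Status;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical mechanism: one CDI bean that behaves as BASIC under /rest/* and as FORM everywhere else.
@ApplicationScoped
public class PathDispatchingMechanism implements HttpAuthenticationMechanism {

    @Inject private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext context) {
        // Context-relative path: getServletPath() would only yield the "/rest" prefix for a /rest/* servlet.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.startsWith("/rest/") ? basic(request, response, context) : form(request, context);
    }

    // API clients: accept an Authorization: Basic header; otherwise challenge with 401, never an HTML redirect.
    private AuthenticationStatus basic(HttpServletRequest request, HttpServletResponse response, HttpMessageContext context) {
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // BasicAuthenticationCredential decodes the base64 "user:password" token for us.
            CredentialValidationResult result = identityStoreHandler.validate(new BasicAuthenticationCredential(header.substring(6).trim()));
            if (result.getStatus() == Status.VALID) return context.notifyContainerAboutLogin(result);
        }
        if (!context.isProtected()) return context.doNothing();
        response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
        return context.responseUnauthorized();
    }

    // Browser clients: validate a posted j_username/j_password; otherwise send the browser to the login page.
    private AuthenticationStatus form(HttpServletRequest request, HttpMessageContext context) {
        String user = request.getParameter("j_username"), password = request.getParameter("j_password");
        if (user != null && password != null) {
            CredentialValidationResult result = identityStoreHandler.validate(new UsernamePasswordCredential(user, password));
            if (result.getStatus() == Status.VALID) return context.notifyContainerAboutLogin(result);
        }
        return context.isProtected() ? context.redirect(request.getContextPath() + "/login.html") : context.doNothing();
    }
}
```

The path test runs on the same context-relative path the container matched its security constraints against, so a protected `/rest/*` resource can never fall through to the browser redirect branch.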
This issue is very important. We've got one back-end for several front-ends: admin panel, website, API, and we use different mechanisms for each. Cookie for the admin panel, OIDC for the website, token for the API, and we have to mix all the logic in one class.
This is a very common requirement. It would be great to get it addressed.
Indeed, this is an extremely common requirement. We also should balance this with at least the other "multi authentication mechanism" requirement, which is for "log in with" types of dialogs, e.g. login with Github, login with email, etc.
P.S. There are multiple ways to go about the implementation. My gut feeling says it's easiest to leave the SPI (Jakarta Authentication) alone, and implement this by putting requirements on the bridge authentication module and the rest of Jakarta Security.
+1 on looking at this being a part of Jakarta Security; otherwise we could trace this all the way back to the servlet specification, where one mechanism per deployment is specified.