Writing a Server Authentication Module

A key step in adding an authentication mechanism to a compatible server-side message processing runtime such as the GlassFish Server servlet container is acquiring a SAM that implements the desired authentication mechanism. One way to do that is to write the SAM yourself.

A SAM implements the javax.security.auth.message.module.ServerAuthModule interface as defined by JSR 196. A SAM is invoked indirectly by the message processing runtime at the validateRequest and secureResponse interaction points. A SAM must implement the five methods of the ServerAuthModule interface:

• getSupportedMessageTypes — An array of Class objects where each element defines a message type supported by the SAM. For a SAM to be compatible with the Servlet Container Profile, the returned array must include the HttpServletRequest.class and HttpServletResponse.class objects.

• initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler Map options) — The container calls this method to provide the SAM with configuration values and with a CallbackHandler. The configuration values are returned in the policy arguments and in the options Map. The SAM uses CallbackHandler to access services, such as password validation, provided by the container.

• AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) — The container calls this method to process each received HttpServletRequest. The request and its associated HttpServletResponse are passed by the container to the SAM in the messageInfo argument. The SAM processes the request and may establish the response to be returned by the container. The SAM uses the provided Subject arguments to convey its authentication results. The SAM returns different status values to control the container's invocation processing. The status values and the circumstances under which they are returned are as follows:

  • AuthStatus.SUCCESS is returned when the application request message is successfully validated. The container responds to this status value by using the returned client Subject to invoke the target of the request. When this value is returned, the SAM (provided a custom AuthConfigProvider is not being used) must use its CallbackHandler to handle a CallerPrincipalCallback using the clientSubject as an argument to the callback.

  • AuthStatus.SEND_CONTINUE indicates that message validation is incomplete and that the SAM has established a preliminary response as the response message in messageInfo. The container responds to this status value by sending the response to the client.

  • AuthStatus.SEND_FAILURE indicates that message validation failed and that the SAM has established an appropriate failure response message in messageInfo. The container responds to this status value by sending the response to the client.

  • AuthStatus.SEND_SUCCESS is not typically returned. This status value indicates the end of a multi-message security dialog originating after the service interaction and during the processing of the application response. The container responds to this status value by sending the response to the client.

  The validateRequest method may also throw an AuthException to indicate that the message processing by the SAM failed without establishing a failure response message in messageInfo.

• secureResponse(MessageInfo messageInfo, Subject serviceSubject) — The container calls this method before sending a response, resulting from an application invocation, to the client. The response is passed to the SAM in the messageInfo argument. In most cases, this method should just return the SEND_SUCCESS status.

• cleanSubject(MessageInfo messageInfo, Subject subject) — This method removes the mechanism-specific principals, credentials, or both from the subject. This method is not currently called by the container. A legitimate implementation could remove all the principals from the argument subject.

See the Servlet Container Profile section in the JSR 196 specification for additional background and details.