Hi there,

in my web application I have two authentication realms: One for the
regular web interface (called SsoRealm) and another one for the REST
API (called RestRealm) using an API token. The principals
authenticated by both realms have disjoint permissions (and
AuthenticationTokens). If there is no pre-existing session and an API
call arrives via the REST interface everything is fine and the
authentication (and authorization) happens via the RestRealm. However,
if there is an existing session previously authenticated via the
SsoRealm no authentication attempt via the RestRealm happens and the
consecutive authorization check (using Subject.isPermitted) fails as
the subject is from the wrong realm.

The corresponding authentication filters are registered as:
  addFilterChain("/api/x/*/y", REST_AUTH, NO_SESSION_CREATION);
  addFilterChain("/**", SSO_AUTH);

Is there anything I can do to force a re-authentication with the
"correct" realm?

Would a custom AuthenticationStrategy help (i.e., does the
AuthenticationStrategy contract allow the implementation of a strategy
"if RestRealm is involved, the RestRealm authentication needs to be
successful")? AFAICS
ModularRealmAuthenticator.doMultiRealmAuthentication is not called
again if there is an existing authenticated session...

Thanks,
Thilo
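One way to get the re-authentication the post asks for, as an added example rather than code from the post or from Apache Shiro: a filter for the /api chain that treats a Subject restored from an SsoRealm session as "not authenticated for this chain" and so runs a fresh login with the API token. The realm name "RestRealm", the "X-Api-Token" header and the ApiKeyToken class are assumptions; the Shiro classes and methods used (AuthenticatingFilter, PrincipalCollection.getRealmNames(), executeLogin()) are real.

```java
// Added example (not from the original post or from Apache Shiro itself).
// Assumptions: the REST realm's configured name is "RestRealm", the API token
// travels in an "X-Api-Token" header, and ApiKeyToken is a custom token that
// only RestRealm supports. In a ShiroWebModule it replaces REST_AUTH, e.g.:
//   Key<RestRealmFilter> REST_AUTH = Key.get(RestRealmFilter.class);
//   addFilterChain("/api/x/*/y", REST_AUTH, NO_SESSION_CREATION);
import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

public class RestRealmFilter extends AuthenticatingFilter {

    static final String REST_REALM_NAME = "RestRealm";    // assumed realm name
    static final String API_TOKEN_HEADER = "X-Api-Token"; // assumed header

    /** Assumed token type; RestRealm must declare it via setAuthenticationTokenClass(). */
    public static final class ApiKeyToken implements AuthenticationToken {
        private final String apiKey;
        public ApiKeyToken(String apiKey) { this.apiKey = apiKey; }
        @Override public Object getPrincipal() { return apiKey; }
        @Override public Object getCredentials() { return apiKey; }
    }

    /**
     * Access is allowed only when the current Subject was authenticated by
     * RestRealm. A Subject that merely carries SsoRealm principals from an
     * existing session is rejected here, which routes the request into
     * onAccessDenied() and therefore into a fresh authentication attempt.
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            return false;
        }
        PrincipalCollection principals = subject.getPrincipals();
        return principals != null && principals.getRealmNames().contains(REST_REALM_NAME);
    }

    /** Builds the token from the header, or null when the header is absent. */
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String apiKey = WebUtils.toHttp(request).getHeader(API_TOKEN_HEADER);
        return (apiKey == null || apiKey.isEmpty()) ? null : new ApiKeyToken(apiKey);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (createToken(request, response) == null) {
            return reject(response);
        }
        // executeLogin() calls createToken() and Subject.login(), which runs the
        // ModularRealmAuthenticator again. Only realms whose supports(token)
        // accepts ApiKeyToken are consulted, so SsoRealm is skipped.
        return executeLogin(request, response);
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        try {
            reject(response);
        } catch (IOException ignored) {
            // nothing more to do; the filter chain is stopped below
        }
        return false;
    }

    /** Stops the chain with 401 so an unauthenticated call never reaches the resource. */
    private boolean reject(ServletResponse response) throws IOException {
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}
```

Two things to keep in mind: RestRealm has to report ApiKeyToken as its supported token class, otherwise the authenticator will not consult it for this token; and if an API call arrives with the browser's SSO session cookie attached, Subject.login() with the stock SubjectDAO stores the RestRealm principals into that existing session, so API clients should send the token without a session cookie.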
