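package org.javaee7.jaspic.programmaticauthentication.servlet;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Public (unprotected) servlet that triggers the JASPIC authentication chain
 * programmatically via {@link HttpServletRequest#authenticate(HttpServletResponse)}.
 * <p>
 * It writes the caller's principal name and "architect" role membership both before
 * and after the call so a test can compare the two states. The optional
 * {@code failFirst} query parameter makes the servlet perform one (any value) or two
 * (value {@code "2"}) authenticate calls that are expected not to succeed before the
 * real one, to check that earlier failures do not block a later success.
 *
 * @author Arjan Tijms
 */
@WebServlet(urlPatterns = "/public/authenticate")
public class AuthenticateServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Role whose membership is reported before and after authentication. */
    private static final String ROLE_ARCHITECT = "architect";

    /**
     * Request attribute the authentication module looks for; without it the
     * {@code authenticate} call is expected to do nothing (see {@link #doGet}).
     */
    private static final String DO_LOGIN_ATTRIBUTE = "doLogin";

    /**
     * Reports the pre-authentication state, runs the optional expected-to-fail
     * authenticate calls, then the real one, and reports the post-authentication state.
     *
     * @param request the current request; {@code failFirst} is read from it and the
     *        {@code doLogin} attribute is set on it
     * @param response the response the report is written to and that is passed through
     *        to {@code authenticate}
     * @throws ServletException propagated from the final, mandatory
     *         {@code request.authenticate} call
     * @throws IOException from writing the response or from the final
     *         {@code request.authenticate} call
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // NOTE(review): no content type is set and the principal name is echoed verbatim.
        // That is fine for this plain-text test fixture; set text/plain explicitly if the
        // output is ever rendered by a browser.
        PrintWriter writer = response.getWriter();
        writer.write("This is a public servlet \n");

        String webName = null;
        if (request.getUserPrincipal() != null) {
            webName = request.getUserPrincipal().getName();
        }
        writer.write("before web username: " + webName + "\n");

        boolean webHasRole = request.isUserInRole(ROLE_ARCHITECT);
        writer.write("before web user has role \"architect\": " + webHasRole + "\n");

        // By *not* setting the "doLogin" request attribute the request.authenticate call
        // would do nothing. request.authenticate is a mandatory authentication, so doing
        // nothing is not allowed. But one or more initial failures should not prevent
        // a later successful authentication.
        // The parameter is only compared here; it is never echoed into the response.
        String failFirst = request.getParameter("failFirst");
        if (failFirst != null) {
            authenticateExpectingFailure(request, response);
        }
        if ("2".equals(failFirst)) {
            authenticateExpectingFailure(request, response);
        }

        // Programmatically trigger the authentication chain
        request.setAttribute(DO_LOGIN_ATTRIBUTE, true);
        boolean authenticateOutcome = request.authenticate(response);

        // Keep the name read before authentication if no principal is present afterwards.
        if (request.getUserPrincipal() != null) {
            webName = request.getUserPrincipal().getName();
        }

        writer.write("request.authenticate outcome: " + authenticateOutcome + "\n");
        writer.write("after web username: " + webName + "\n");

        webHasRole = request.isUserInRole(ROLE_ARCHITECT);
        writer.write("after web user has role \"architect\": " + webHasRole + "\n");
    }

    /**
     * Calls {@code request.authenticate} without the {@code doLogin} attribute set, i.e.
     * an attempt that is expected not to succeed, and discards the outcome.
     * <p>
     * GlassFish returns false when either authentication is in progress or authentication
     * failed (or was not done at all), but JBoss throws an exception, so both a false
     * return and an exception are accepted here.
     * TODO: Get clarification what is actually expected, likely exception is most correct.
     * Then test for the correct return value.
     *
     * @param request the current request
     * @param response the response passed through to {@code authenticate}
     */
    private static void authenticateExpectingFailure(HttpServletRequest request, HttpServletResponse response) {
        try {
            request.authenticate(response);
        } catch (IOException | ServletException ignored) {
            // Deliberately swallowed: a failing first attempt is the scenario under test.
        }
    }
}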