Specify behaviour for Principal when nobody is logged in, CDI EE

[starksm64]

Is your feature request related to a problem? Please describe.
From jakartaee/cdi#769,

@benjamin-confino I recently had a customer ask why we have CDI inject a Principal containing saying unauthenticated when HttpServletRequest.getUserPrincipal() will give a null in that context.

I think that unauthenticated is the correct choice for CDI, since we cannot inject a null and hope for it to remain up to date as the context changes, but I think it would be useful to clarify the spec on this point as the current behaviour is undefined.

Describe the solution you'd like
We need to clarify the behavior. From CDI-769, comment from @Ladicek:
What seems a bit weird to me is that the specification doesn't define the scope of the Principal bean. I guess it should be @RequestScoped, and that itself actually precludes a null value.

[arjantijms]

Should we not move this to the security spec and specify it there?

A null as name may be more logical for the unauthenticated principal.

What seems a bit weird to me is that the specification doesn't define the scope of the Principal bean.

The principal should perhaps have its own scope: @AuthenticatedScope. A Principal can potentially change many times during a request, e.g. via HttpServletRequest.login, HttpServletRequest.authenticate and HttpServletRequest.logout.

[starksm64]

Yes, given that there are no details other than a statement that a container must provide a bean with type, java.security.Principal, it makes sense to have this specified in the security integration sections/specs.

…

On Sat, Feb 24, 2024 at 11:48 AM Arjan Tijms ***@***.***> wrote: Should we not move this to the security spec and specify it there? A null as name may be more logical for the unauthenticated principal. What seems a bit weird to me is that the specification doesn't define the scope of the Principal bean. The principal should perhaps have its own scope: @AuthenticatedScope. A Principal can potentially change many times during a request, e.g. via HttpServletRequest.login, HttpServletRequest.authenticate and HttpServletRequest.logout. — Reply to this email directly, view it on GitHub <#841 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACRDMRTRBFLSNCWDANKP43YVIRX3AVCNFSM6AAAAABDVLKWMCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRSGQZTKNRWGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>