
Mechanism to define security interceptors using *AuthenticationMechanismDefinition #200

Open
@arjantijms


In Jakarta EE security we have various interceptors that add functionality to authentication mechanisms, such as @AutoApplySession and @RememberMe. Those are easy to add to custom authentication mechanisms, but at the moment not trivial to add to the built-in ones.

#192 seeks to add interceptors fully dynamically to a bean.

Alternatively, or perhaps additionally, we can allow interceptors to be defined right away using the *AuthenticationMechanismDefinition such as BasicAuthenticationMechanismDefinition.

For instance using a type reference:

```java
@BasicAuthenticationMechanismDefinition(
    realmName = "test",
    // Proposed attribute: type that carries the interceptor annotations
    interceptorsFromType = Servlet.BasicInterceptors.class
)
@WebServlet("/servlet")
public class Servlet extends HttpServlet {

    @RememberMe(
        cookieMaxAgeSeconds = 86400,
        cookieSecureOnly = false,
        isRememberMeExpression = "#{self.isRememberMe(httpMessageContext)}"
    )
    public static class BasicInterceptors {
        public Boolean isRememberMe(HttpMessageContext httpMessageContext) {
            return httpMessageContext.getRequest().getParameter("rememberme") != null;
        }
    }
}
```

Or from an EL expression:

```java
@BasicAuthenticationMechanismDefinition(
    realmName = "test",
    // Proposed attribute: EL expression that yields the interceptor annotations
    interceptors = "#{self.interceptors}"
)
@WebServlet("/servlet")
public class Servlet extends HttpServlet {

    // Public so that the EL expression above can resolve the "interceptors" property
    public List<Annotation> getInterceptors() {
        return List.of(
            RememberMe.Literal.of(
                86400, "",
                false, "",
                true, "",
                "JREMEMBERMEID",
                true, "#{not empty httpMessageContext.request.getParameter('rememberme')}"
            ));
    }

}
```

Or using stereotypes?

Labels: enhancement (New feature or request)
