[undertow-dev] Undertow Security: PicketBox5

Anil Saldhana Anil.Saldhana at redhat.com
Tue Nov 27 10:34:19 EST 2012


On 11/26/2012 08:43 PM, Stuart Douglas wrote:
>>>>>>> Maybe Stefan from our side can help out. I would guess we can
>>>>>>> produce a
>>>>>>> prototype branch with undertow + PBox5.
>>>>>> I have had a look through this today, and the big problem with using
>>>>>> this for Undertow is that it is based on the Servlet API's. We want to
>>>>>> be able to use Undertow as the domain HTTP server as well, and we
>>>>>> really
>>>>>> need to be able to re-use the security without adding a servlet
>>>>>> dependency into the AS core.
>>>>>>
>>>>>> I will go through this more fully tomorrow, as I am still recovering
>>>>>> from my 24 hour flight, but it looks like there are also other things
>>>>>> that this may not support such as multiple authentication mechanisms
>>>>>> and
>>>>>> optional authentication.
>>>>>>
>>>>>> I'm not ruling out using PicketBox, however at this stage I think that
>>>>>> the best approach is probably to have the HTTP authentication
>>>>>> mechanisms
>>>>>> in Undertow, where they can make use of the async IO features as
>>>>>> much as
>>>>>> possible, and just provide a very simple SPI that we can then back
>>>>>> with
>>>>>> PicketBox in order to keep Undertow core free of external
>>>>>> dependencies.
>>>>>>
>> Let us try this approach. We will keep an eye out for the SPI.
> Ok, hopefully we will have something this week.
>
> So far we are passing the JSF and JSTL TCK tests, with only ~70 tests in
> total to go between servlet and JSP, mostly security related, so this is
> a high priority for me.
>
> Stuart
Stuart - fyi - here is the requirements document for PicketBox5
(https://docs.jboss.org/author/display/SECURITY/PicketBox+Requirements+Document).
The big items for us are multiple authentication schemes, general
session management, step-up/down security, logout and events. I will
request Stefan to be available for any consultation/help with Undertow
security.

>
>
>>>>>> Stuart
>>>>>>
>>>>>>> Regards,
>>>>>>> Anil
>>>>>>>
>>>>>>> PS: Feedback from *Jason Greene*: I'll let Stuart and Darran comment,
>>>>>>> but my thinking is that we want to greatly limit the dependencies of
>>>>>>> standalone undertow. Integration in AS is a different story though. I
>>>>>>> would imagine this means some kind of SPI between undertow and the
>>>>>>> container.
>>>>>>>
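As an added illustration of the design sketched in the thread (HTTP mechanisms living in the server, a small SPI for the identity store so the core carries no PicketBox or servlet dependency, several mechanisms tried in order, and optional authentication), here is a hypothetical Java sketch. It is not code from the thread, from Undertow or from PicketBox; every type name (Outcome, Request, IdentityStore, AuthMechanism, SecurityHandler) is invented for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

// Hypothetical sketch of the "simple SPI" idea; not Undertow's or PicketBox's real API.
enum Outcome { AUTHENTICATED, NOT_ATTEMPTED, NOT_AUTHENTICATED }
record Result(Outcome outcome, String principal) {}

// Only the request operations a mechanism needs, so no servlet types are involved.
interface Request { String header(String name); void challenge(String wwwAuthenticate); }
// The narrow contract a security provider such as PicketBox would implement behind the SPI.
interface IdentityStore { String verify(String user, char[] password); } // principal, or null
interface AuthMechanism { Result authenticate(Request req, IdentityStore store); void sendChallenge(Request req); }

final class BasicMechanism implements AuthMechanism {
    public Result authenticate(Request req, IdentityStore store) {
        String h = req.header("Authorization");
        if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6))
            return new Result(Outcome.NOT_ATTEMPTED, null); // no Basic credentials: let the next mechanism try
        try {
            String[] cred = new String(Base64.getDecoder().decode(h.substring(6).trim()),
                    StandardCharsets.UTF_8).split(":", 2);
            String p = cred.length == 2 ? store.verify(cred[0], cred[1].toCharArray()) : null;
            return new Result(p != null ? Outcome.AUTHENTICATED : Outcome.NOT_AUTHENTICATED, p);
        } catch (IllegalArgumentException malformedBase64) {
            return new Result(Outcome.NOT_AUTHENTICATED, null);
        }
    }
    public void sendChallenge(Request req) { req.challenge("Basic realm=\"example\""); }
}

// Runs the configured mechanisms in order; authRequired=false models optional authentication.
final class SecurityHandler {
    private final List<AuthMechanism> mechanisms;
    private final IdentityStore store;
    private final boolean authRequired;
    SecurityHandler(List<AuthMechanism> m, IdentityStore s, boolean required) { mechanisms = m; store = s; authRequired = required; }
    /** Principal name, or null when the request was challenged or continues anonymously. */
    String handle(Request req) {
        for (AuthMechanism m : mechanisms) {
            Result r = m.authenticate(req, store);
            if (r.outcome() == Outcome.AUTHENTICATED) return r.principal();
            if (r.outcome() == Outcome.NOT_AUTHENTICATED) { challengeAll(req); return null; } // wrong credentials
            // NOT_ATTEMPTED: fall through to the next mechanism
        }
        if (authRequired) challengeAll(req); // protected resource and nothing was attempted
        return null;
    }
    private void challengeAll(Request req) { mechanisms.forEach(m -> m.sendChallenge(req)); }
}
```

A second mechanism (for example one reading a form or token header) plugs in by returning NOT_ATTEMPTED when its credentials are absent, which is what lets the handler support several schemes on one resource while the identity verification stays behind IdentityStore.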