[undertow-dev] resteasy oauth undertow security requirements

Bill Burke bburke at redhat.com
Mon Apr 29 10:41:23 EDT 2013 

BTW, here's a description and documentation of our SSO/OAuth plugin for AS7

http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html


On 4/29/2013 10:40 AM, Bill Burke wrote:
> Hey all,
>
> Is there a web-site for Undertow?  Any documentation or examples?
>
> I'm hoping to start migrating Resteasy's OAuth work so that it works
> with Undertow.  I don't know whether or not it will require undertow
> security API changes or not.  I'll post some initial
> requirements/how-we-do-it-now stuff below.
>
> 1. Support for multiple simultaneous auth protocols for one web-app. Any
> servlet auth + oauth + bearer-token.
> 2. Ability to introspect principal and role mapping from underlying
> "domain".  We create a smart token from this information.  With
> JBossWeb, we hacked this information from the Principal passed back from
> the security layer.
> 3. Ability to add additional action URLs to the web-app without
> additional user configuration.  With JBossWeb, we handled all these URLs
> within a valve.
> 4. Ability to create both principal and role mappings on the fly from an
> incoming request's bearer token.
> 5. Ability to obtain any client certificates so that they can be
> verified.  Verification only.  For this I want to be able to verify the
> client that is acting on behalf of a user.  So the calling client's
> certificates may not be the same identity of the actual user.
> 6. Ability to store state in-between requests.  This isn't a session as
> it will be two different clients that need to share data.  in OAuth,
> there's the User Agent that establishes an access code for the web-app.
>    The web-app makes a separate HTTP request to verify the access code
> and turn it into a token.
> 7. Ability to log out any requested user.  Our current implementation
> has an admin interface that can log out a user on *every* app they are
> logged into.
>
> That's all I can think of now.  So, Undertow needs to provide these
> capabilities within their security API, *OR*, it requires a Valve
> architecture that can override any current built-in auth infrastructure,
> but at the same time, have access to the "domain" and be able to
> authenticate and introspect principal and role mappings.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the undertow-dev mailing list