[undertow-dev] AuthenticationMechanismFactory

Bill Burke bburke at redhat.com
Mon Dec 16 08:44:08 EST 2013 


On 12/14/2013 5:33 AM, Stuart Douglas wrote:
>
>> What does ordering have to do with AuthMechFactory?  Are you planning an
>> additional META-INF/services mechanism for AuthMechFactorys?  If not,
>> how does one plug in one?  Via a ServletExtension?  If so, *AGAIN*, what
>> is the point of the AuthMechFactory when all the construction can be
>> done within the ServletExtension?
>
> Because you can have multiple servlet extensions. This way undertow controls the order. If both extensions just add themselves you have no defined order.
>

Again, what does ordering have to do with requiring an AuthMechFactory 
interface?

MyServletExtension {
    di.registerAuthMech("AUTH_PROTOCOL", new AuthMech(...));
}

Why do i need a AuthMechFactory if the servlet extension is able to 
construct the AuthMech?  I just would never use AuthMechFactory as all 
config information is already available within the ServletExtension for 
me to construct the AuthMechanism.  In fact, there's much more metadata 
available within the ServletExtension than is passed to the AuthMechFactory.

>
>>
>> But, while we're talking about ordering...
>>
>> For Keycloak there's an "oauth redirect" mechanism that sends a 302
>> response back for its challenge.  The way the Undertow logic works now,
>> if this mechanism isn't first, the 302 status code will never be sent
>> back, it will never work and you might as well not even list the
>> mechanism.  Either my ServletExtension can force it to be first by
>> calling LoginConfig.addFirst(), or it can throw a deployment exception.
>
> As long as the mechanism beforehand does not specify a status code, your mechanism should be able to. This is a fundamental limitation of HTTP, and it does limit which mechanisms can be combined.
>

Multiple WWW-Authenticate headers are allowed i'm just not sure what a 
user-agent would do if it saw a code other than 401 with a response that 
contained these headers.

> Basically some mechanisms are never going to be able to work together.
>
>>
>> BTW, I'm also not sure if you combine a 302 and a WWW-Authenticate it
>> won't confuse the User-Agent.  Maybe the ChallengeResult should specify
>> whether iteration of the mechanisms should continue.
>>

Again, it would be great if a ChallengeResult could abort the 
sendChallenge loop.  It would suck if there was no workaround for cases 
that were sensitive to a strict response.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the undertow-dev mailing list