[undertow-dev] Overriding Authentication Mechanism for the deployment

Anil Saldhana Anil.Saldhana at redhat.com
Tue May 14 10:07:56 EDT 2013


Stuart,
   from experience, rough estimate for users wanting to customize auth 
mechanisms (authenticators from TC lingo).

Of the users who want to customize authentication mechanisms for SAML
Scenario 1:: Webapp level: 10%
Scenario 2:: Apply custom auth scheme to a selected set of web apps 
(configure outside the webapp at the AS level irrespective of what 
login-config set up in web.xml): 60%
Scenario 3:: Apply custom auth scheme to all the web apps running in AS: 30%

Scenario 2 is typically when the AS is managed by administrators who 
configure security.  The webapps may be provided by various teams. Admin 
type webapps will then be customized at the web app level to override 
the global custom auth scheme.

Given this, I am not sure if we really want to muck inside the web.xml 
login-config/auth-method. IMO it is very few users who really want to 
apply at the webapp level.

Ideally we need to enable customizing the auth mechs at the WildFly/web 
configuration level.  So Undertow -> DeploymentInfo/overrideAuthMech 
should suffice.

Regards,
Anil

On 05/13/2013 06:29 PM, Stuart Douglas wrote:
> That maps to the login-config element in web.xml. I was just thinking
> about how we could allow this to configure custom authenticators. A
> class name by itself is not enough, as you need some way of configuring
> the authenticator.
>
> I was thinking we introduce:
>
> interface AuthenticationMechanismFactory {
>     AuthenticationMechanism create(final Map<String, String> properties);
> }
>
> And then allow a syntax like so:
>
> <auth-method>com.acme.MyAuthMechanismFactory?prop1=val1,prop2=val2</auth-method>
>
> Thoughts?
>
> Stuart
>
>
> Anil Saldhana wrote:
>> Also, another location is the Undertow->LoginConfig class; we probably need the same flexibility there.
>> I did see a TODO there.
>>
>> On May 13, 2013, at 6:13 PM, Stuart Douglas<sdouglas at redhat.com>  wrote:
>>
>>> I changed this to the DeploymentInfo level, and also made it a list to
>>> allow multiple custom authentication mechanisms to be used in the same
>>> deployment.
>>>
>>> Stuart
>>>
>>> Anil Saldhana wrote:
>>>> Hi Stuart/Darran,
>>>>      I sent in a PR
>>>> (https://github.com/anilsaldhana/undertow/commit/70838540d01c821973b38f530a97be2f54e83c13)
>>>> to override the authentication mechanism used for a particular web app
>>>> irrespective of what is configured in web.xml login config
>>>>
>>>> I need this behavior to introduce saml workflow into a web app.
>>>>
>>>> I put the API change at the DeploymentManagerImpl level.  If you have a
>>>> better alternative, I would like to hear.
>>>>
>>>> Regards,
>>>> Anil
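
The `factoryClass?prop1=val1,prop2=val2` value proposed in the quoted reply could be resolved as sketched below. This is an added example, not code from the thread or from Undertow: `AuthMethodSpec`, `resolve` and `DemoFactory` are hypothetical names, the two interfaces are local stand-ins for the ones named in the proposal, and the value is assumed to be a factory spec rather than a built-in method such as BASIC or FORM.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class AuthMethodSpec {
    // Local stand-ins for the types named in the thread (not Undertow's real classes).
    public interface AuthenticationMechanism {}
    public interface AuthenticationMechanismFactory {
        AuthenticationMechanism create(Map<String, String> properties);
    }

    // Constructed sample factory so the example runs without a deployment.
    public static class DemoFactory implements AuthenticationMechanismFactory {
        public AuthenticationMechanism create(Map<String, String> properties) {
            System.out.println("configured with " + properties);
            return new AuthenticationMechanism() {};
        }
    }

    /** Parses "factoryClass?k1=v1,k2=v2" and asks the named factory for a mechanism. */
    public static AuthenticationMechanism resolve(String authMethod, ClassLoader loader)
            throws ReflectiveOperationException {
        int q = authMethod.indexOf('?');
        String className = (q < 0 ? authMethod : authMethod.substring(0, q)).trim();
        Map<String, String> props = new LinkedHashMap<>();
        if (q >= 0 && q + 1 < authMethod.length()) {
            for (String pair : authMethod.substring(q + 1).split(",")) {
                int eq = pair.indexOf('=');
                if (eq <= 0) {
                    throw new IllegalArgumentException("Malformed property: " + pair);
                }
                // Reject repeated keys instead of silently letting the last one win.
                if (props.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim()) != null) {
                    throw new IllegalArgumentException("Duplicate property: " + pair);
                }
            }
        }
        // Load without initializing, and check the type before any constructor runs.
        Class<?> type = Class.forName(className, false, loader);
        if (!AuthenticationMechanismFactory.class.isAssignableFrom(type)) {
            throw new IllegalArgumentException(className + " is not an AuthenticationMechanismFactory");
        }
        return type.asSubclass(AuthenticationMechanismFactory.class)
                .getDeclaredConstructor().newInstance().create(props);
    }

    public static void main(String[] args) throws Exception {
        String spec = DemoFactory.class.getName() + "?prop1=val1,prop2=val2";
        resolve(spec, AuthMethodSpec.class.getClassLoader());
    }
}
```

With this syntax a property value cannot itself contain `,` or `=` unless an escaping rule is added, and whoever can edit the `auth-method` value chooses which class on the deployment's class path is instantiated.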

