[undertow-dev] Reducing Use of Undertow IdentityManager

Thu May 30 13:33:16 EDT 2013

Hello all,

Starting this e-mail thread as I want to raise the option of reducing 
the use of the IdentityManager [1] within Undertow[2].  At the moment I 
think it at risk of becoming another general purpose IDM API/SPI which 
was never it's intention.

The purpose of this IdentityManager was as an SPI to define the 
verification methods required by the authentication mechanisms included 
in Undertow.  By providing it in this way the core of Undertow would not 
be dependent on any specific IDM implementation.

Short term within WildFly we have implementations of this that wrap by 
the management security realms and the existing JAAS domains - longer 
term we will only be wrapping PicketLink IDM.

In the past the question has been raised, "Why not just use PicketLink 
IDM directly?".  From an Undertow perspective the reason is so that we 
can use different IDM implementations and transition from what we have 
today in WildFly to purely using PicketLink IDM, also the core of 
Undertow is not dependent on any specific implementation.

For any additional authentication mechanisms being added there is no 
need for them to use this as an API and encouraging mechanisms to use 
this encourages that this interface is going to increase in complexity.

What I am looking to do now is to remove access to this interface from 
the SecurityContext and instead leave it to be retrieved as an 
attachment from the HttpServerExchange.  The WildFly integration will 
then take on the responsibility of ensuring the appropriate 
implementation is attached to the exchange.

Where authentication mechanisms are added that require access to more 
advanced IDM capabilities then the IDM required should be attached to 
the exchange and the mechanism use it directly.

 From an Undertow perspective this just leaves one small interface that 
needs to be implemented so that the authentication mechanism can 
register the authenticated identity with the current request: -

void authenticationComplete(final Account account, final String 
mechanismName);

As I type this e-mail I realise I may have one further option - remove 
the IdentityManager interface entirely and instead make each 
authentication mechanism abstract with a verify method.  As we integrate 
in WildFly we extend each mechanism to provide the implementation of the 
verify methods.

Either way I do not think Undertow is the correct location for a new 
general purpose IdentityManager API, if we truly need that then it 
should be split out into it's own module so that it can also be used 
outside of HTTP e.g. SASL.

Regards,
Darran Lofthouse.

1 - https://community.jboss.org/wiki/Undertow-IdentityManager
2 - https://issues.jboss.org/browse/UNDERTOW-65