[undertow-dev] Principal mapping after authentication

Anil Saldhana Anil.Saldhana at redhat.com
Wed Sep 4 10:01:26 EDT 2013


Hi Stuart,
   this mapping has to happen before any security context is set up for 
propagating the identity to other subsystems such as EJBs. I think you 
are in agreement.

The Undertow security framework has to have some callback mechanism to 
switch the identity with which the authentication call was made.

Let me dig into the undertow code using your email as guidance.

Regards,
Anil

On 09/04/2013 02:34 AM, Stuart Douglas wrote:
> At the moment we don't have the ability to do this, but we could potentially add it.
>
> It does get a bit tricky however, say we just expand the SecurityNotification mechanism to allow you to wrap the account after login. This would work from Undertow's perspective, however it is likely that there is other code that expects the account to be of a certain type, that will now fail because of the wrapper.
>
> We would also have to look carefully at how this would work with the JAASIdentityManagerImpl in the Wildfly code base, as it appears that we will be stuck with that for a while yet. To make this work properly with the rest of Wildfly we would probably actually need to implement this inside the JAAS IDM itself, to make sure the Picketbox SecurityContext is set up correctly.
>
> Stuart
>
> ----- Original Message -----
>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>> To: undertow-dev at lists.jboss.org
>> Sent: Tuesday, 3 September, 2013 4:58:25 PM
>> Subject: [undertow-dev] Principal mapping after authentication
>>
>> Hi All,
>>     one of the challenges we had with JBossWeb was principal mapping
>> after authentication.  It was hard as hell to do that. I wished for a
>> mechanism where the authentication call would have a post authentication
>> callback to see if the original principal has been mapped to something
>> else.  This is a use case seen in integration with third party security
>> systems including commercial vendors.
>>
>> I have not dug into Undertow security codebase to see if this is
>> possible yet but I wanted to put this to the dev list so that we can
>> discuss it.
>>
>> Regards,
>> Anil
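The following is an added illustration, not code from this thread or from the Undertow project, of the shape such a mapping could take in plain Undertow: an IdentityManager decorator that applies a principal mapping to the verified Account before Undertow attaches it to the SecurityContext, so the mapped identity is what gets propagated. It assumes the public io.undertow.security.idm interfaces (IdentityManager, Account, Credential) and a caller-supplied mapping function; the class and helper names are hypothetical. The wrapper Account at the bottom is exactly the construct Stuart warns about: anything that checks the concrete Account type will not recognise it, which is why the mapping is applied inside the IDM layer rather than as a post-login wrapper.

```java
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;

import java.security.Principal;
import java.util.Set;
import java.util.function.Function;

// Hypothetical decorator (not part of Undertow): delegates authentication to the
// real IdentityManager and maps the principal of the verified Account before
// Undertow stores it in the SecurityContext.
public final class PrincipalMappingIdentityManager implements IdentityManager {

    private final IdentityManager delegate;
    private final Function<Principal, Principal> mapper;

    public PrincipalMappingIdentityManager(IdentityManager delegate,
                                           Function<Principal, Principal> mapper) {
        this.delegate = delegate;
        this.mapper = mapper;
    }

    @Override
    public Account verify(Account account) {
        return map(delegate.verify(account));
    }

    @Override
    public Account verify(String id, Credential credential) {
        return map(delegate.verify(id, credential));
    }

    @Override
    public Account verify(Credential credential) {
        return map(delegate.verify(credential));
    }

    private Account map(Account verified) {
        if (verified == null) {
            return null; // authentication failed; there is nothing to map
        }
        Principal mapped = mapper.apply(verified.getPrincipal());
        if (mapped == null || mapped.equals(verified.getPrincipal())) {
            return verified; // no mapping applies: return the original, unwrapped Account
        }
        return new MappedAccount(verified, mapped);
    }

    // Wrapper Account carrying the mapped principal but the original roles.
    // Caveat from the thread: "account instanceof VendorSpecificAccount" checks
    // elsewhere in the stack will fail for this wrapper.
    private static final class MappedAccount implements Account {
        private final Account original;
        private final Principal mapped;

        MappedAccount(Account original, Principal mapped) {
            this.original = original;
            this.mapped = mapped;
        }

        @Override
        public Principal getPrincipal() {
            return mapped;
        }

        @Override
        public Set<String> getRoles() {
            return original.getRoles();
        }
    }

    // Example of a mapping function: a constructed, static lookup standing in for a
    // third-party directory that maps the authenticated name to an internal identity.
    public static Principal exampleMapping(Principal authenticated) {
        if ("ext-user".equals(authenticated.getName())) {
            return () -> "internal-user-42";
        }
        return authenticated; // unknown names are left unchanged
    }
}
```

Wiring it in would mean handing `new PrincipalMappingIdentityManager(realIdm, PrincipalMappingIdentityManager::exampleMapping)` to the SecurityInitialHandler in place of `realIdm`. The mapping is applied at verification time, which satisfies the ordering Anil describes (before any security context exists to propagate to EJBs); in a WildFly deployment the equivalent step would have to live inside the JAAS IDM, as Stuart notes, since that is what sets up the PicketBox SecurityContext.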