[undertow-dev] Asynchronous AuthenticationMechanism

Stuart Douglas sdouglas at redhat.com
Tue Jul 5 18:56:09 EDT 2016


The issue with a database is that there is basically no way to do an
async lookup with JDBC. It is possible the DB might provide async
drivers that you can use.

The main reason why the IdentityManager uses a blocking API is because
the vast majority of Java implementations will be blocking (databases,
LDAP etc.), although we may look at doing a non-blocking version at
some point in the future.

There is actually nothing really 'special' about SecurityContext,
IdentityManager etc., it's just that the existing security handlers (and
most importantly Servlet security) are implemented in terms of this.
Depending on your requirements you can replace part or all of this.
For example you could use a handler earlier in the chain to verify the
user via a non-blocking DB lookup, then just call
SecurityContext.authenticationComplete() to set the current user if
you want to use the existing security handlers.

Stuart

On Tue, Jul 5, 2016 at 10:29 AM, Oliver Dain <oliver at analyticspot.com> wrote:
> The docs for security
> (http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#security)
> say:
>
>> Security within Undertow is implemented as a set of asynchronous handlers
>> and a set of authentication mechanisms co-ordinated by these handlers.
>
> However, it appears that the IdentityManager and AuthenticationMechanism
> APIs are synchronous. For example, suppose I want to do simple
> username/password authentication using FormAuthenticationMechanism. That
> will use the IdentityManager on the SecurityContext to determine if the
> username/password is valid. For me that would require a database lookup and
> I'd like to do that asynchronously. However, the IdentityManager.verify API
> requires an immediate response so I have to do a blocking database lookup.
> Since I've been super careful to do everything in all my handlers async and
> have exactly 1 thread per core this seems like a significant stumbling
> block.
>
> 2 questions:
>
> 1. Is there a way to do something like I'm describing in an async manner?
> 2. Why is security "special" using a SecurityContext, different APIs, etc.
> Couldn't it all have been implemented in terms of regular HttpHandler? That
> would make the API smaller and make it possible to do async
> authentication.
>
> Thanks,
> Oliver
> --
> CTO, Analytic Spot
> 44 West Broadway #222
> Eugene, OR 97401
> analyticspot.com • 425-296-6556
> www.linkedin.com/in/oliverdain
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
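
The approach described in the reply above (verify the user in an earlier handler with a non-blocking lookup, then call SecurityContext.authenticationComplete()), sketched as an added example that is not code from this thread or from the Undertow project. Assumptions: `AsyncAccountStore` is a hypothetical non-blocking credential store, credentials arrive via HTTP Basic, the mechanism name "ASYNC-BASIC" is arbitrary, and the handler is installed after Undertow's SecurityInitialHandler so that getSecurityContext() is non-null.

```java
import io.undertow.security.idm.Account;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.SameThreadExecutor;
import io.undertow.util.StatusCodes;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.CompletableFuture;

/** Added example: authenticate with a non-blocking lookup, then populate Undertow's SecurityContext. */
public final class AsyncBasicAuthHandler implements HttpHandler {
    /** Hypothetical non-blocking store; completes with null when the credentials are rejected. */
    public interface AsyncAccountStore { CompletableFuture<Account> verify(String user, String password); }

    private final AsyncAccountStore store;
    private final HttpHandler next;

    public AsyncBasicAuthHandler(AsyncAccountStore store, HttpHandler next) { this.store = store; this.next = next; }

    @Override
    public void handleRequest(HttpServerExchange exchange) {
        String[] creds = parseBasic(exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION));
        if (creds == null) { reject(exchange); return; }
        // Start the lookup only after this call stack has returned, so its callback cannot race it.
        exchange.dispatch(SameThreadExecutor.INSTANCE, () ->
            store.verify(creds[0], creds[1]).whenComplete((account, err) ->
                // Resume on the exchange's I/O thread; an error or empty result fails closed.
                exchange.dispatch(exchange.getIoThread(), ex -> {
                    if (err != null || account == null) { reject(ex); return; }
                    // Later security handlers now see this account as the authenticated user.
                    ex.getSecurityContext().authenticationComplete(account, "ASYNC-BASIC", false);
                    next.handleRequest(ex);
                })));
    }

    private static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            return colon < 0 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException malformedBase64) {
            return null; // treat undecodable credentials as absent
        }
    }

    private static void reject(HttpServerExchange exchange) {
        exchange.setStatusCode(StatusCodes.UNAUTHORIZED);
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Basic realm=\"example\"");
        exchange.endExchange();
    }
}
```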