[undertow-dev] Asynchronous AuthenticationMechanism
Oliver Dain
oliver at analyticspot.com
Tue Jul 5 20:43:05 EDT 2016
Hey Stuart,
Thanks for the reply. We're using Cassandra so we have a good, async data
store and would love to be able to take advantage of it. I'll have to look
at the existing security stuff to see if it's easier to just implement as
standard handlers or to mix-and-match as you suggest. I would like to be
able to use some of the existing AuthenticationMechanism code rather than
re-implement, but I think I can actually write a small wrapper that lets me
call them from a regular handler rather than the other way around.
Thanks,
Oliver
On Tue, Jul 5, 2016 at 3:56 PM Stuart Douglas <sdouglas at redhat.com> wrote:
> The issue with a database is that there is basically no way to do an
> async lookup with JDBC. It is possible the DB might provide async
> drivers that you can use.
>
> The main reason why the IdentityManager uses a blocking API is because
> the vast majority of java implementations will be blocking (databases,
> ldap etc), although we may look at doing a non blocking version at
> some point in the future.
>
> There is actually nothing really 'special' about SecurityContext,
> IdentityManager etc, its just that the existing security handlers (and
> most importantly Servlet security) are implemented in terms of this.
> Depending on your requirements you can replace part or all of this.
> For example you could use a handler earlier in the chain to verify the
> user via a non blocking DB lookup, then just call
> SecurityContext.authenticationComplete() to set the current user if
> you want to use the existing security handlers.
>
> Stuart
>
> On Tue, Jul 5, 2016 at 10:29 AM, Oliver Dain <oliver at analyticspot.com>
> wrote:
> > The docs for security
> > (
> http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#security)
> > say:
> >
> >> Security within Undertow is implemented as a set of asynchronous
> handlers
> >> and a set of authentication mechanisms co-ordinated by these handlers.
> >
> > However, it appears that the IdentityManager and AuthenticationMechanism
> > APIs are synchronous. For example, suppose I want to do simple
> > username/password authentication using FormAuthenticationMechanism. That
> > will use the IdentityManager on the SecurityContext to determine if the
> > username/password is valid. For me that would require a database lookup
> and
> > I'd like to do that asynchronously. However, the IdentityManager.verify
> API
> > requires an immediate response so I have to do a block database lookup.
> > Since I've been super careful to do everything in all my handlers async
> and
> > have exactly 1 thread per core this seems like a significant stumbling
> > block.
> >
> > 2 questions:
> >
> > 1. Is there a way to do something like I'm describing in an async manner?
> > 2. Why is security "special" using a SecurityContext, different APIs,
> etc.
> > Couldn't it all have been implemented in terms of regular HttpHandler?
> That
> > would make it the API smaller and make it possible to do async
> > authentication.
> >
> > Thanks,
> > Oliver
> > --
> > CTO, Analytic Spot
> > 44 West Broadway #222
> > Eugene, OR 97401
> > analyticspot.com • 425-296-6556
> > www.linkedin.com/in/oliverdain
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
--
CTO, Analytic Spot
44 West Broadway #222
Eugene, OR 97401
analyticspot.com • 425-296-6556
www.linkedin.com/in/oliverdain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20160706/f85d1dd6/attachment.html
More information about the undertow-dev
mailing list