> I am mainly viewing this from DeploymentInfo API aesthetics/usability
> perspective. To me, Undertow is a standalone web container (like Jetty)
> with a usable API (JUnit tests would be the litmus test).
> Extensions/WildFly etc come later.

IMO auth extensions are useful in the standalone case as well. I think
it’s likely that most users do not write custom auth mechanisms, but
simply want to reuse packaged or third-party auth in as few steps as possible.

With one caveat... External SSO/Web Access Management systems. Most commercial WAMs (i.e. SiteMinder, OpenAM, Oracle Access Manager, etc.) rely on cookies for session management, usually with a reverse proxy model (there's an agent in the web server that controls all of the redirects to central authentication, and by the time the connection gets to the app server the user is already authenticated). So in an environment with a WAM the easiest thing to do is tell your app server to use some local component to "trust" the authentication from the proxy. In WebLogic this is done via the IdentityAsserter API. In WebSphere, the TAI. Tomcat doesn't have a specific mechanism for this; I just do it in a Valve or Servlet Filter. I've done it with older JBoss versions with JAAS plugins and Servlet Filters that I had a difficult time trying to work with. A simple way to specify an identity asserter of some kind for offloaded authentication would be very helpful.
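
An added illustration of the Servlet Filter approach mentioned in the message above (not code from the thread or from Undertow): the filter accepts the proxy-asserted user only when the connection comes from the proxy's own address, and fails closed otherwise. The header name `X-Asserted-User`, the address `192.0.2.10` and the class name are assumed placeholders, and the proxy is assumed to strip any client-supplied copy of that header.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Asserts the identity that a fronting WAM proxy has already authenticated. */
public class ProxyIdentityAsserterFilter implements Filter {
    // Assumptions for this sketch: header name and proxy address are placeholders.
    static final String IDENTITY_HEADER = "X-Asserted-User";
    static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10");

    /** Returns the asserted user, or null when the assertion must not be trusted. */
    static String assertedUser(String peerAddress, String headerValue) {
        if (!TRUSTED_PROXIES.contains(peerAddress)) {
            return null; // connection did not come through the proxy
        }
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return null; // proxy did not assert an identity
        }
        return headerValue.trim();
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final String user = assertedUser(http.getRemoteAddr(), http.getHeader(IDENTITY_HEADER));
        if (user == null) {
            // Fail closed: a client connecting directly could have set the header itself.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final Principal principal = new Principal() {
            @Override public String getName() { return user; }
        };
        // Expose the asserted identity through the standard servlet API.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return principal; }
        }, res);
    }
}
```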