The docs for security (http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#security) say:

> Security within Undertow is implemented as a set of asynchronous handlers and a set of authentication mechanisms co-ordinated by these handlers.

However, it appears that the IdentityManager and AuthenticationMechanism APIs are synchronous. For example, suppose I want to do simple username/password authentication using FormAuthenticationMechanism. That will use the IdentityManager on the SecurityContext to determine if the username/password is valid. For me that would require a database lookup and I'd like to do that asynchronously. However, the IdentityManager.verify API requires an immediate response, so I have to do a blocking database lookup. Since I've been super careful to do everything in all my handlers async and have exactly 1 thread per core, this seems like a significant stumbling block.

2 questions:

1. Is there a way to do something like I'm describing in an async manner?
2. Why is security "special", using a SecurityContext, different APIs, etc.? Couldn't it all have been implemented in terms of regular HttpHandler? That would make the API smaller and make it possible to do async authentication.

Thanks,
Oliver
--
CTO, Analytic Spot
44 West Broadway #222
Eugene, OR 97401
analyticspot.com • 425-296-6556
www.linkedin.com/in/oliverdain
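
An added illustration of the constraint described in the message above (not part of the original post and not Undertow's own code): because `IdentityManager.verify` has to return an `Account` or `null`, an asynchronous lookup can only be joined inside it, so the sketch bounds the wait, fails closed on any error, and dispatches the exchange off the IO thread first. The `check` function, the 2-second timeout, the empty role set and both class names are assumptions.

```java
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction;

// Bridges a hypothetical async credential check to the synchronous verify() API.
final class BridgingIdentityManager implements IdentityManager {
    // Assumption: application-supplied async check, e.g. backed by a non-blocking DB client.
    private final BiFunction<String, char[], CompletableFuture<Boolean>> check;
    BridgingIdentityManager(BiFunction<String, char[], CompletableFuture<Boolean>> check) { this.check = check; }

    // Re-check of an already authenticated account; accepted as-is in this sketch.
    @Override public Account verify(Account account) { return account; }
    // Credentials without a user id are not supported here.
    @Override public Account verify(Credential credential) { return null; }
    @Override public Account verify(String id, Credential credential) {
        if (!(credential instanceof PasswordCredential)) return null;
        char[] password = ((PasswordCredential) credential).getPassword();
        try {
            // verify() must return a result, so the future is joined here with a bounded wait.
            boolean ok = Boolean.TRUE.equals(check.apply(id, password).get(2, TimeUnit.SECONDS));
            return ok ? account(id) : null;
        } catch (Exception e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return null; // timeout or lookup failure: fail closed, never authenticate
        }
    }
    private static Account account(String id) {
        return new Account() {
            @Override public Principal getPrincipal() { return () -> id; }
            @Override public Set<String> getRoles() { return Collections.emptySet(); }
        };
    }
}
// Moves the exchange to a worker thread so the blocking join never runs on an IO thread.
final class OffIoThreadHandler implements HttpHandler {
    private final HttpHandler next; // the security handler chain to run on the worker pool
    OffIoThreadHandler(HttpHandler next) { this.next = next; }
    @Override public void handleRequest(HttpServerExchange exchange) throws Exception {
        if (exchange.isInIoThread()) { exchange.dispatch(this); return; }
        next.handleRequest(exchange);
    }
}
```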