Hey Stuart,

Thanks for the reply. We're using Cassandra so we have a good, async data store and would love to be able to take advantage of it. I'll have to look at the existing security stuff to see if it's easier to just implement as standard handlers or to mix-and-match as you suggest. I would like to be able to use some of the existing AuthenticationMechanism code rather than re-implement, but I think I can actually write a small wrapper that lets me call them from a regular handler rather than the other way around.

Thanks,
Oliver

On Tue, Jul 5, 2016 at 3:56 PM Stuart Douglas <sdouglas@redhat.com> wrote:
The issue with a database is that there is basically no way to do an
async lookup with JDBC. It is possible the DB might provide async
drivers that you can use.

The main reason why the IdentityManager uses a blocking API is because
the vast majority of Java implementations will be blocking (databases,
LDAP etc), although we may look at doing a non-blocking version at
some point in the future.

There is actually nothing really 'special' about SecurityContext,
IdentityManager etc, it's just that the existing security handlers (and
most importantly Servlet security) are implemented in terms of this.
Depending on your requirements you can replace part or all of this.
For example you could use a handler earlier in the chain to verify the
user via a non-blocking DB lookup, then just call
SecurityContext.authenticationComplete() to set the current user if
you want to use the existing security handlers.

Stuart

On Tue, Jul 5, 2016 at 10:29 AM, Oliver Dain <oliver@analyticspot.com> wrote:
> The docs for security
> (http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#security)
> say:
>
>> Security within Undertow is implemented as a set of asynchronous handlers
>> and a set of authentication mechanisms co-ordinated by these handlers.
>
> However, it appears that the IdentityManager and AuthenticationMechanism
> APIs are synchronous. For example, suppose I want to do simple
> username/password authentication using FormAuthenticationMechanism. That
> will use the IdentityManager on the SecurityContext to determine if the
> username/password is valid. For me that would require a database lookup and
> I'd like to do that asynchronously. However, the IdentityManager.verify API
> requires an immediate response so I have to do a blocking database lookup.
> Since I've been super careful to do everything in all my handlers async and
> have exactly 1 thread per core this seems like a significant stumbling
> block.
>
> 2 questions:
>
> 1. Is there a way to do something like I'm describing in an async manner?
> 2. Why is security "special" using a SecurityContext, different APIs, etc.
> Couldn't it all have been implemented in terms of regular HttpHandler? That
> would make the API smaller and make it possible to do async
> authentication.
>
> Thanks,
> Oliver
> --
> CTO, Analytic Spot
> 44 West Broadway #222
> Eugene, OR 97401
> analyticspot.com • 425-296-6556
> www.linkedin.com/in/oliverdain
--
CTO, Analytic Spot
44 West Broadway #222
Eugene, OR 97401
analyticspot.com • 425-296-6556
www.linkedin.com/in/oliverdain
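
Added example (not code from this thread or from the Undertow project): one way to write the handler Stuart describes, placed ahead of the existing security handlers, which checks HTTP Basic credentials through a non-blocking lookup and then calls SecurityContext.authenticationComplete(). The AsyncCredentialStore interface, the class name, the "ASYNC-BASIC" label and the realm string are assumptions made for illustration; the handler expects Undertow's SecurityInitialHandler earlier in the chain so that a SecurityContext exists, and expects the store to compare against salted password hashes.

```java
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.SameThreadExecutor;
import io.undertow.util.StatusCodes;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;

// Hypothetical non-blocking store (e.g. over an async database driver); not an Undertow API.
interface AsyncCredentialStore {
    CompletableFuture<Optional<Account>> verify(String user, char[] password);
}

public final class AsyncBasicAuthHandler implements HttpHandler {
    private final AsyncCredentialStore store;
    private final HttpHandler next;
    public AsyncBasicAuthHandler(AsyncCredentialStore store, HttpHandler next) {
        this.store = store; this.next = next;
    }
    @Override
    public void handleRequest(HttpServerExchange exchange) {
        String[] creds = decodeBasic(exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION));
        SecurityContext sc = exchange.getSecurityContext(); // null unless SecurityInitialHandler ran earlier
        if (creds == null || sc == null) { reject(exchange); return; }
        // Start the lookup after this call stack returns, so the callback cannot race with it.
        exchange.dispatch(SameThreadExecutor.INSTANCE, () ->
            store.verify(creds[0], creds[1].toCharArray()).whenComplete((account, err) -> {
                if (err != null || !account.isPresent()) { reject(exchange); return; } // fail closed
                sc.authenticationComplete(account.get(), "ASYNC-BASIC", false); // label is made up
                exchange.dispatch(exchange.getIoThread(), next); // continue on the I/O thread
            }));
    }
    private static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String[] parts = new String(raw, StandardCharsets.UTF_8).split(":", 2);
            return parts.length == 2 ? parts : null;
        } catch (IllegalArgumentException e) { return null; }
    }
    private static void reject(HttpServerExchange exchange) {
        exchange.setStatusCode(StatusCodes.UNAUTHORIZED);
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Basic realm=\"example\"");
        exchange.endExchange();
    }
}
```

A lookup error and a missing account both end in the same 401, so a store outage never lets a request through unauthenticated.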