On 11/26/2012 08:43 PM, Stuart Douglas wrote:
>>>>>> Maybe Stefan from our side can help out. I would guess we can
>>>>>> produce a prototype branch with undertow + PBox5.
>>>>> I have had a look through this today, and the big problem with using
>>>>> this for Undertow is that it is based on the Servlet APIs. We want to
>>>>> be able to use Undertow as the domain HTTP server as well, and we
>>>>> really need to be able to re-use the security without adding a servlet
>>>>> dependency into the AS core.
>>>>>
>>>>> I will go through this more fully tomorrow, as I am still recovering
>>>>> from my 24 hour flight, but it looks like there are also other things
>>>>> that this may not support such as multiple authentication mechanisms
>>>>> and optional authentication.
>>>>>
>>>>> I'm not ruling out using PicketBox, however at this stage I think that
>>>>> the best approach is probably to have the HTTP authentication
>>>>> mechanisms in Undertow, where they can make use of the async IO features
>>>>> as much as possible, and just provide a very simple SPI that we can then
>>>>> back with PicketBox in order to keep Undertow core free of external
>>>>> dependencies.
>>>>>
> Let us try this approach. We will keep an eye out for the SPI.
Ok, hopefully we will have something this week.
So far we are passing the JSF and JSTL TCK tests, with only ~70 tests in
total to go between servlet and JSP, mostly security related, so this is
a high priority for me.
Stuart

Stuart - fyi - here is the requirements document for PicketBox5
(https://docs.jboss.org/author/display/SECURITY/PicketBox+Requirements+Doc...).
The big items for us are multiple authentication schemes, general
session management, step-up/down security, logout and events. I will
request Stefan to be available for any consultation/help with Undertow
security.
>>>>> Stuart
>>>>>
>>>>>> Regards,
>>>>>> Anil
>>>>>>
>>>>>> PS: Feedback from *Jason Greene*: I'll let Stuart and Darran comment,
>>>>>> but my thinking is that we want to greatly limit the dependencies of
>>>>>> standalone undertow. Integration in AS is a different story though. I
>>>>>> would imagine this means some kind of SPI between undertow and the
>>>>>> container.
>>>>>>