Re: [undertow-dev] modeling the handler Factory interface

Undertow has handlers which are like a chain of interceptors. It does have a SecurityHandler to which you can define authentication mehanisms. Standard servlet auth mechs (form,basic,digest,client-cert) are available to you. If you would like to change behavior of authentication, you write your own authentication mechanism. https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...

On 05/14/2013 02:42 PM, Bill Burke wrote: > Not sure what "custom auth scheme" means yet, but my implementation > includes the following: > > * a way to define an oauth provider Custom Auth mech is sufficient. > * a way to use oauth as an SSO mechanism (an oauth consumer) Custom Auth mech on the consumer. > * traditional oauth thirdparty auth Custom Auth mech on the consumer. External third party stuff is config to auth mech. > * bearer token auth Custom Auth Mech. > * bearer token grants Not Undertow but a concern of your auth mechanism. May use IDM/Meta. > * a few management URIs for distributed log-out You may need handlers here but I guess your auth mech can probably handle global log out also. We handle GLO in our SAML IDP. I am guessing your oauth workflows will be similar given that tokens come as headers rather than post data (xml) https://github.com/picketlink2/federation/blob/master/picketlink-bindings... https://github.com/picketlink2/federation/blob/master/picketlink-bindings... > > I'm also not exactly sure what a "handler" is supposed to be yet, but > based on the above, there's a number of URI endpoints that need to be > added and supported automatically. > > I'm currently bogged down trying to pass the jaxrs2 tck. My next task > is to try and port my oauth stuff, at least as a prototype, to help > flush out the security APIs or at least to be an additional guinea pig. > > > > On 5/14/2013 3:29 PM, Anil Saldhana wrote: >> Bill, >> have you tried plugging in a custom authentication scheme? I am not >> sure you need your own handler. If you look at it, for OAuth bearer >> token, you just need OAuthAuthenticationScheme that pulls in the bearer >> token from the header. You can certainly use http redirect to a OAuth >> provider (to get some token). >> >> Regards, >> Anil >> >> On 05/14/2013 06:55 AM, Bill Burke wrote: >>> Take a look at Feature, DynamicFeature, and Configurable for JAX-RS 2.0 >>> >>> https://github.com/resteasy/Resteasy/blob/master/jaxrs/jaxrs-api/src/main... >>> >>> https://github.com/resteasy/Resteasy/blob/master/jaxrs/jaxrs-api/src/main... >>> >>> https://github.com/resteasy/Resteasy/blob/master/jaxrs/jaxrs-api/src/main... >>> >>> >>> Feature is your factory concept. Its passed a Configurable that allows >>> you to look up config properties and register components. >>> DynamicFeature allows you to bind per-endpoint. >>> >>> Might want to check out the filter model as well. Resteasy made use of >>> the JAX-RS filter model in a variety of use cases in both sync and async >>> environments. The model was also vetted by other vendors. Might be >>> something to check out to see if Undertow handler's missed anything. >>> When I get a chance to port my OAuth stuff I'll have more suggestions >>> for your handler API, maybe. >>> >>> _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev