Configure authentication mechanisms - undertow-dev - Jboss List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Configure authentication mechanisms

Build failed in Jenkins: Undertow...

Build failed in Jenkins: Undertow...

Anil Saldhana

Wednesday, 24 April 2013 Wed, 24 Apr '13

3:09 p.m.

Hi, I am trying to figure out how to set up the authentication mechanisms in undertow. If I write an authentication mechanism involving saml, how do I make the web apps using that mechanism. Any links to test cases. Regards, Anil

Reply

Show replies by date

Stuart Douglas

Wednesday, 24 April Wed, 24 Apr

5:04 p.m.

If you are configuring Undertow programmatically you need to add a io.undertow.security.handlers.AuthenticationMechanismsHandler to the handler chain that has your authentication mechanism. Unfortunately we don't have a way of hooking this up into the Wildfly config yet, although it will not be a very big job. Regarding config options for AS7 there are a few possibilities: 1) Allow the user to specify the class name and module in JBoss Web to configure per app, and same in standalone.xml for global authenticators. 2) Introduce a servlet loader based mechanism to allow mechanisms to be loaded and associated with a simple name. This name could then be specified in the web.xml login config. In the subsystem you could list all the modules that you want to load authentication mechanisms from. This has the advantage that internal class names do not leak out into config. 3) Some other way?? I am leaning towards option 2. I think it should be possible to get this integrated into the next Undertow release early next week. Stuart Anil Saldhana wrote:

Hi, I am trying to figure out how to set up the authentication mechanisms in undertow. If I write an authentication mechanism involving saml, how do I make the web apps using that mechanism. Any links to test cases. Regards, Anil _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Anil Saldhana

5:33 p.m.

https://community.jboss.org/wiki/WildFlyWebContainerSecurityUseCases We use JBossWeb Valves/Authenticators in AS7/JBossWeb. Undertow currently just handles the standard mechanisms (gss,form,basic,client-cert,digest) via the LoginConfig construct. https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io... I am wondering if it is possible to update the builder API to change to overriden implementations of the mechanisms for example: FORM. In my case, the SAMLAuthenticationMechanism would be a subclass of FormAuthenticationMechanism. I think Bill Burke has a similar use case where he would like to inject an OAuth driven Auth Mechanism. I guess as a start the builder api should be updated. Not sure how it should look. On 04/24/2013 04:04 PM, Stuart Douglas wrote:

If you are configuring Undertow programmatically you need to add a io.undertow.security.handlers.AuthenticationMechanismsHandler to the handler chain that has your authentication mechanism. Unfortunately we don't have a way of hooking this up into the Wildfly config yet, although it will not be a very big job. Regarding config options for AS7 there are a few possibilities: 1) Allow the user to specify the class name and module in JBoss Web to configure per app, and same in standalone.xml for global authenticators. 2) Introduce a servlet loader based mechanism to allow mechanisms to be loaded and associated with a simple name. This name could then be specified in the web.xml login config. In the subsystem you could list all the modules that you want to load authentication mechanisms from. This has the advantage that internal class names do not leak out into config. 3) Some other way?? I am leaning towards option 2. I think it should be possible to get this integrated into the next Undertow release early next week. Stuart Anil Saldhana wrote: > Hi, > I am trying to figure out how to set up the authentication mechanisms > in undertow. If I write an authentication mechanism involving saml, how > do I make the web apps using that mechanism. > > Any links to test cases. > > Regards, > Anil

Reply

Anil Saldhana

5:36 p.m.

On 04/24/2013 04:33 PM, Anil Saldhana wrote:

https://community.jboss.org/wiki/WildFlyWebContainerSecurityUseCases We use JBossWeb Valves/Authenticators in AS7/JBossWeb. Undertow currently just handles the standard mechanisms (gss,form,basic,client-cert,digest) via the LoginConfig construct. https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io... I am wondering if it is possible to update the builder API to change to overriden implementations of the mechanisms for example: FORM. In my case, the SAMLAuthenticationMechanism would be a subclass of FormAuthenticationMechanism.

I meant the builder api should allow customization of implementations of the default mechanisms. FORM-> AnilsGoryFormImplementation. Also the web.xml login config element is a string. Theoretically you can configure the string to be whatever you want.

I think Bill Burke has a similar use case where he would like to inject an OAuth driven Auth Mechanism. I guess as a start the builder api should be updated. Not sure how it should look. On 04/24/2013 04:04 PM, Stuart Douglas wrote: > If you are configuring Undertow programmatically you need to add a > io.undertow.security.handlers.AuthenticationMechanismsHandler to the > handler chain that has your authentication mechanism. > > Unfortunately we don't have a way of hooking this up into the Wildfly > config yet, although it will not be a very big job. Regarding config > options for AS7 there are a few possibilities: > > 1) Allow the user to specify the class name and module in JBoss Web to > configure per app, and same in standalone.xml for global authenticators. > > 2) Introduce a servlet loader based mechanism to allow mechanisms to be > loaded and associated with a simple name. This name could then be > specified in the web.xml login config. In the subsystem you could list > all the modules that you want to load authentication mechanisms from. > This has the advantage that internal class names do not leak out into > config. > > 3) Some other way?? > > I am leaning towards option 2. I think it should be possible to get this > integrated into the next Undertow release early next week. > > Stuart > > Anil Saldhana wrote: >> Hi, >> I am trying to figure out how to set up the authentication mechanisms >> in undertow. If I write an authentication mechanism involving saml, how >> do I make the web apps using that mechanism. >> >> Any links to test cases. >> >> Regards, >> Anil >>

Reply

Stuart Douglas

6:43 p.m.

Anil Saldhana wrote:

On 04/24/2013 04:33 PM, Anil Saldhana wrote: > https://community.jboss.org/wiki/WildFlyWebContainerSecurityUseCases > > We use JBossWeb Valves/Authenticators in AS7/JBossWeb. > > Undertow currently just handles the standard mechanisms > (gss,form,basic,client-cert,digest) via the LoginConfig construct. > https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io... > > I am wondering if it is possible to update the builder API to change to > overriden implementations of the mechanisms for example: FORM. In my > case, the SAMLAuthenticationMechanism would be a subclass of > FormAuthenticationMechanism. I meant the builder api should allow customization of implementations of the default mechanisms. FORM-> AnilsGoryFormImplementation. Also the web.xml login config element is a string. Theoretically you can configure the string to be whatever you want.

Yes, but the question is how to map that string to an authentication mechanism. Basically do we go the simple route and just use class names, exposing internal class names as a public API, or can we do something a bit nicer. Stuart

> I think Bill Burke has a similar use case where he would like to inject > an OAuth driven Auth Mechanism. > > I guess as a start the builder api should be updated. Not sure how it > should look. > > > On 04/24/2013 04:04 PM, Stuart Douglas wrote: >> If you are configuring Undertow programmatically you need to add a >> io.undertow.security.handlers.AuthenticationMechanismsHandler to the >> handler chain that has your authentication mechanism. >> >> Unfortunately we don't have a way of hooking this up into the Wildfly >> config yet, although it will not be a very big job. Regarding config >> options for AS7 there are a few possibilities: >> >> 1) Allow the user to specify the class name and module in JBoss Web to >> configure per app, and same in standalone.xml for global authenticators. >> >> 2) Introduce a servlet loader based mechanism to allow mechanisms to be >> loaded and associated with a simple name. This name could then be >> specified in the web.xml login config. In the subsystem you could list >> all the modules that you want to load authentication mechanisms from. >> This has the advantage that internal class names do not leak out into >> config. >> >> 3) Some other way?? >> >> I am leaning towards option 2. I think it should be possible to get this >> integrated into the next Undertow release early next week. >> >> Stuart >> >> Anil Saldhana wrote: >>> Hi, >>> I am trying to figure out how to set up the authentication mechanisms >>> in undertow. If I write an authentication mechanism involving saml, how >>> do I make the web apps using that mechanism. >>> >>> Any links to test cases. >>> >>> Regards, >>> Anil >>> _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Darran Lofthouse

Thursday, 25 April Thu, 25 Apr

3:19 a.m.

FYI - I have already started a thread discussing the configuration we need to make available for authentication mechanisms and how we take into account different aspects of a deployment including the auth method in the web.xml. On 24/04/13 23:43, Stuart Douglas wrote:

Anil Saldhana wrote: > On 04/24/2013 04:33 PM, Anil Saldhana wrote: >> https://community.jboss.org/wiki/WildFlyWebContainerSecurityUseCases >> >> We use JBossWeb Valves/Authenticators in AS7/JBossWeb. >> >> Undertow currently just handles the standard mechanisms >> (gss,form,basic,client-cert,digest) via the LoginConfig construct. >> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io... >> >> I am wondering if it is possible to update the builder API to change to >> overriden implementations of the mechanisms for example: FORM. In my >> case, the SAMLAuthenticationMechanism would be a subclass of >> FormAuthenticationMechanism. > I meant the builder api should allow customization of implementations of > the default mechanisms. > FORM-> AnilsGoryFormImplementation. > > Also the web.xml login config element is a string. Theoretically you > can configure the string to be > whatever you want. Yes, but the question is how to map that string to an authentication mechanism. Basically do we go the simple route and just use class names, exposing internal class names as a public API, or can we do something a bit nicer. Stuart >> I think Bill Burke has a similar use case where he would like to inject >> an OAuth driven Auth Mechanism. >> >> I guess as a start the builder api should be updated. Not sure how it >> should look. >> >> >> On 04/24/2013 04:04 PM, Stuart Douglas wrote: >>> If you are configuring Undertow programmatically you need to add a >>> io.undertow.security.handlers.AuthenticationMechanismsHandler to the >>> handler chain that has your authentication mechanism. >>> >>> Unfortunately we don't have a way of hooking this up into the Wildfly >>> config yet, although it will not be a very big job. Regarding config >>> options for AS7 there are a few possibilities: >>> >>> 1) Allow the user to specify the class name and module in JBoss Web to >>> configure per app, and same in standalone.xml for global authenticators. >>> >>> 2) Introduce a servlet loader based mechanism to allow mechanisms to be >>> loaded and associated with a simple name. This name could then be >>> specified in the web.xml login config. In the subsystem you could list >>> all the modules that you want to load authentication mechanisms from. >>> This has the advantage that internal class names do not leak out into >>> config. >>> >>> 3) Some other way?? >>> >>> I am leaning towards option 2. I think it should be possible to get this >>> integrated into the next Undertow release early next week. >>> >>> Stuart >>> >>> Anil Saldhana wrote: >>>> Hi, >>>> I am trying to figure out how to set up the authentication mechanisms >>>> in undertow. If I write an authentication mechanism involving saml, how >>>> do I make the web apps using that mechanism. >>>> >>>> Any links to test cases. >>>> >>>> Regards, >>>> Anil >>>> > _______________________________________________ > undertow-dev mailing list > undertow-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Stuart Douglas

Wednesday, 24 April Wed, 24 Apr

6:41 p.m.

Anil Saldhana wrote:

https://community.jboss.org/wiki/WildFlyWebContainerSecurityUseCases We use JBossWeb Valves/Authenticators in AS7/JBossWeb. Undertow currently just handles the standard mechanisms (gss,form,basic,client-cert,digest) via the LoginConfig construct. https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...

Yes, that API is pretty limited at the moment. In general that Undertow API is subject to change, it is basically my first attempt and when I have some time I want to refine it to make it more useful.

I am wondering if it is possible to update the builder API to change to overriden implementations of the mechanisms for example: FORM. In my case, the SAMLAuthenticationMechanism would be a subclass of FormAuthenticationMechanism.

This should be possible. We will also need something similar in the servlet builder API. Stuart

I think Bill Burke has a similar use case where he would like to inject an OAuth driven Auth Mechanism. I guess as a start the builder api should be updated. Not sure how it should look.

On 04/24/2013 04:04 PM, Stuart Douglas wrote: > If you are configuring Undertow programmatically you need to add a > io.undertow.security.handlers.AuthenticationMechanismsHandler to the > handler chain that has your authentication mechanism. > > Unfortunately we don't have a way of hooking this up into the Wildfly > config yet, although it will not be a very big job. Regarding config > options for AS7 there are a few possibilities: > > 1) Allow the user to specify the class name and module in JBoss Web to > configure per app, and same in standalone.xml for global authenticators. > > 2) Introduce a servlet loader based mechanism to allow mechanisms to be > loaded and associated with a simple name. This name could then be > specified in the web.xml login config. In the subsystem you could list > all the modules that you want to load authentication mechanisms from. > This has the advantage that internal class names do not leak out into > config. > > 3) Some other way?? > > I am leaning towards option 2. I think it should be possible to get this > integrated into the next Undertow release early next week. > > Stuart > > Anil Saldhana wrote: >> Hi, >> I am trying to figure out how to set up the authentication mechanisms >> in undertow. If I write an authentication mechanism involving saml, how >> do I make the web apps using that mechanism. >> >> Any links to test cases. >> >> Regards, >> Anil _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Darran Lofthouse

Thursday, 25 April Thu, 25 Apr

3:35 a.m.

Lets not start a new discussion on this, the discussion has already started on the AS7 dev list as this is a WildFly integration issue. Regards, Darran Lofthouse. On 24/04/13 22:04, Stuart Douglas wrote:

If you are configuring Undertow programmatically you need to add a io.undertow.security.handlers.AuthenticationMechanismsHandler to the handler chain that has your authentication mechanism. Unfortunately we don't have a way of hooking this up into the Wildfly config yet, although it will not be a very big job. Regarding config options for AS7 there are a few possibilities: 1) Allow the user to specify the class name and module in JBoss Web to configure per app, and same in standalone.xml for global authenticators. 2) Introduce a servlet loader based mechanism to allow mechanisms to be loaded and associated with a simple name. This name could then be specified in the web.xml login config. In the subsystem you could list all the modules that you want to load authentication mechanisms from. This has the advantage that internal class names do not leak out into config. 3) Some other way?? I am leaning towards option 2. I think it should be possible to get this integrated into the next Undertow release early next week. Stuart Anil Saldhana wrote: > Hi, > I am trying to figure out how to set up the authentication mechanisms > in undertow. If I write an authentication mechanism involving saml, how > do I make the web apps using that mechanism. > > Any links to test cases. > > Regards, > Anil > _______________________________________________ > undertow-dev mailing list > undertow-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/undertow-dev _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Anil Saldhana

9:30 a.m.

Don't you need some kind of builders to wire things up in Undertow even if you are doing the configuration in Wildfly? On 04/25/2013 02:35 AM, Darran Lofthouse wrote:

Lets not start a new discussion on this, the discussion has already started on the AS7 dev list as this is a WildFly integration issue. Regards, Darran Lofthouse. On 24/04/13 22:04, Stuart Douglas wrote: > If you are configuring Undertow programmatically you need to add a > io.undertow.security.handlers.AuthenticationMechanismsHandler to the > handler chain that has your authentication mechanism. > > Unfortunately we don't have a way of hooking this up into the Wildfly > config yet, although it will not be a very big job. Regarding config > options for AS7 there are a few possibilities: > > 1) Allow the user to specify the class name and module in JBoss Web to > configure per app, and same in standalone.xml for global authenticators. > > 2) Introduce a servlet loader based mechanism to allow mechanisms to be > loaded and associated with a simple name. This name could then be > specified in the web.xml login config. In the subsystem you could list > all the modules that you want to load authentication mechanisms from. > This has the advantage that internal class names do not leak out into > config. > > 3) Some other way?? > > I am leaning towards option 2. I think it should be possible to get this > integrated into the next Undertow release early next week. > > Stuart > > Anil Saldhana wrote: >> Hi, >> I am trying to figure out how to set up the authentication mechanisms >> in undertow. If I write an authentication mechanism involving saml, how >> do I make the web apps using that mechanism. >> >> Any links to test cases. >> >> Regards, >> Anil

Reply

Stuart Douglas

8:04 p.m.

Anil Saldhana wrote:

Don't you need some kind of builders to wire things up in Undertow even if you are doing the configuration in Wildfly?

Yes and no, for servlet everything is done through the io.undertow.servlet.api.DeploymentInfo class, that allows you to build a servlet deployment. For things above the servlet level handlers are just wired together directly. The io.undertow.Undertow API is my first attempt at providing an easy to use embeddable API, it was never intended to be used by Wildfly. Stuart

On 04/25/2013 02:35 AM, Darran Lofthouse wrote: > Lets not start a new discussion on this, the discussion has already > started on the AS7 dev list as this is a WildFly integration issue. > > Regards, > Darran Lofthouse. > > > On 24/04/13 22:04, Stuart Douglas wrote: >> If you are configuring Undertow programmatically you need to add a >> io.undertow.security.handlers.AuthenticationMechanismsHandler to the >> handler chain that has your authentication mechanism. >> >> Unfortunately we don't have a way of hooking this up into the Wildfly >> config yet, although it will not be a very big job. Regarding config >> options for AS7 there are a few possibilities: >> >> 1) Allow the user to specify the class name and module in JBoss Web to >> configure per app, and same in standalone.xml for global authenticators. >> >> 2) Introduce a servlet loader based mechanism to allow mechanisms to be >> loaded and associated with a simple name. This name could then be >> specified in the web.xml login config. In the subsystem you could list >> all the modules that you want to load authentication mechanisms from. >> This has the advantage that internal class names do not leak out into >> config. >> >> 3) Some other way?? >> >> I am leaning towards option 2. I think it should be possible to get this >> integrated into the next Undertow release early next week. >> >> Stuart >> >> Anil Saldhana wrote: >>> Hi, >>> I am trying to figure out how to set up the authentication mechanisms >>> in undertow. If I write an authentication mechanism involving saml, how >>> do I make the web apps using that mechanism. >>> >>> Any links to test cases. >>> >>> Regards, >>> Anil _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Darran Lofthouse

4:13 a.m.

Anil, If you are looking to implement a mechanism one thing that would be very useful would be to identify any additional requirements on the IDM interface. As I said on the other thread this interface is still very much evolving - the Digest side is still to be updated but it would be good to verify if we can cover your saml case with the existing interface or if additional methods are needed. FYI I need to define what it will look like yet but for Digest we may also switch to a DigestCredential approach like PicketLink IDM with the Credential being used to pass information to the IDM implementation and receive some values back. The SAML approach may just be a case of needing an additional custom Credential. Regards, Darran Lofthouse. On 24/04/13 20:09, Anil Saldhana wrote:

Hi, I am trying to figure out how to set up the authentication mechanisms in undertow. If I write an authentication mechanism involving saml, how do I make the web apps using that mechanism. Any links to test cases. Regards, Anil _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

Reply

Anil Saldhana

9:42 a.m.

The SAML Aunthentication Mechanism will probably be an extension of FORM authentication mechanism which will deal with save/restore requests. But at this time, I am looking for ways to inject my authentication mechanism. It may be a bit early for this discussion to happen. But it needs to happen considering the next wildfly release will be all undertow. We have tons of users who use SAML stack. And if we do not have that taken care of in the picketlink upgrade, the users will be mad unfortunately. On 04/25/2013 03:13 AM, Darran Lofthouse wrote:

Anil, If you are looking to implement a mechanism one thing that would be very useful would be to identify any additional requirements on the IDM interface. As I said on the other thread this interface is still very much evolving - the Digest side is still to be updated but it would be good to verify if we can cover your saml case with the existing interface or if additional methods are needed. FYI I need to define what it will look like yet but for Digest we may also switch to a DigestCredential approach like PicketLink IDM with the Credential being used to pass information to the IDM implementation and receive some values back. The SAML approach may just be a case of needing an additional custom Credential. Regards, Darran Lofthouse. On 24/04/13 20:09, Anil Saldhana wrote: > Hi, > I am trying to figure out how to set up the authentication mechanisms > in undertow. If I write an authentication mechanism involving saml, how > do I make the web apps using that mechanism. > > Any links to test cases. > > Regards, > Anil

Reply

4016

days inactive

4018

days old

undertow-dev@lists.jboss.org

Manage subscription

11 comments

3 participants

tags (0)

participants (3)

Anil Saldhana
Darran Lofthouse
Stuart Douglas