[jboss-jira] [JBoss JIRA] (ELY-160) Client authentication configuration by task

David Lloyd (JIRA) issues at jboss.org
Fri Feb 20 18:37:49 EST 2015


    [ https://issues.jboss.org/browse/ELY-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042612#comment-13042612 ] 

David Lloyd commented on ELY-160:
---------------------------------

This may need to be fairly detailed and/or include a protocol specification.  Imagine the following madcap scenario:

* TCP connection established to {{remote+https://myhost.com}}
* HTTP client negotiates SSL based on authentication client configuration (matching {{https}} and, I guess, the {{connection}} task)
* SSL negotiation completed, now HTTP authentication takes place (matching {{https}} and the {{request}} task perhaps)
* Once HTTP authentication is complete, the HTTP upgrade request goes through, handing off control to Remoting
* Now Remoting negotiates security properties - STARTTLS would be negotiated here though we hard-disable this when an SSL channel already exists today
* Remoting now negotiates another authentication mechanism (ideally just EXTERNAL at this point, though there's presently no way for Elytron to know to do this so it would go ahead and probably use the same class of mechanism used by HTTP auth!)

> Client authentication configuration by task
> -------------------------------------------
>
>                 Key: ELY-160
>                 URL: https://issues.jboss.org/browse/ELY-160
>             Project: WildFly Elytron
>          Issue Type: Task
>          Components: API / SPI
>            Reporter: David Lloyd
>            Assignee: David Lloyd
>             Fix For: 1.0.0.Beta1
>
>
> The authentication client needs support for multiple tasks, such as:
> * {{connection}} - the authentication configuration applies to the connection itself
> * {{request}} - the authentication configuration applies to activities interacting with services provided by the named peer
> * {{*}} - the authentication configuration applies to all matching tasks
> In this way, one can specify a separate configuration for initial connections versus normal requests on that connection.
> Furthermore, a new authentication configuration type should then be added which allows a task configuration to be inherited to another task.  For example:
> * {{useConfiguration("<referenced-task>")}} - could specify that my current authentication configuration for the matched task should use the configuration assigned to the referenced task, for example "connection", which would in turn mean that the connection credentials should be used (whatever they may be) for the given task/match criteria.
> This allows a simple default configuration which allows connection credentials to be used whenever they are available.
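
Added example, not part of the original message and not Elytron code: a small Java model of the proposed per-task lookup, including the {{*}} wildcard and {{useConfiguration}} inheritance, with a guard against tasks that refer to each other in a loop. The class, record and method names are hypothetical, and it assumes rules are matched on exact scheme and task with the first match winning.

```java
import java.util.*;

// Hypothetical model of the proposal; none of these types are Elytron API.
public class TaskConfigDemo {
    // A rule either carries credentials directly or refers to another task's configuration.
    record Rule(String scheme, String task, String credentials, String useConfiguration) {}

    private final List<Rule> rules = new ArrayList<>();

    void add(String scheme, String task, String credentials, String ref) {
        rules.add(new Rule(scheme, task, credentials, ref));
    }

    // Assumption: first matching rule wins; "*" matches every task.
    String resolve(String scheme, String task) {
        return resolve(scheme, task, new LinkedHashSet<>());
    }

    private String resolve(String scheme, String task, Set<String> seen) {
        // A task seen twice means the useConfiguration references form a loop.
        if (!seen.add(task)) {
            throw new IllegalStateException("useConfiguration cycle: " + seen + " -> " + task);
        }
        for (Rule r : rules) {
            if (r.scheme().equals(scheme) && (r.task().equals("*") || r.task().equals(task))) {
                return r.useConfiguration() != null
                        ? resolve(scheme, r.useConfiguration(), seen)
                        : r.credentials();
            }
        }
        throw new NoSuchElementException("no configuration for " + scheme + "/" + task);
    }

    public static void main(String[] args) {
        TaskConfigDemo ctx = new TaskConfigDemo();
        ctx.add("https", "connection", "client-cert:alice", null); // constructed sample value
        ctx.add("https", "*", null, "connection");                 // every other task inherits
        System.out.println(ctx.resolve("https", "connection"));
        System.out.println(ctx.resolve("https", "request"));

        TaskConfigDemo bad = new TaskConfigDemo();                  // two tasks referring to each other
        bad.add("https", "request", null, "connection");
        bad.add("https", "connection", null, "request");
        try {
            bad.resolve("https", "request");
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Rule order matters in this model: a {{*}} rule placed ahead of the {{connection}} rule it refers to would match {{connection}} itself and be reported as a cycle.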


