[jboss-jira] [JBoss JIRA] (WFLY-11137) Make undertow extension module's dependency on org.jboss.as.security module optional

Yeray Borges (Jira) issues at jboss.org
Thu Oct 18 02:59:00 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-11137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13649679#comment-13649679 ] 

Yeray Borges commented on WFLY-11137:
-------------------------------------

[~brian.stansberry] Yes, the mechanism is always added, independently of whether the security subsystem is present; indeed, the mechanism is added in the handler that adds all container configuration, which is always executed.

Initially I thought that if we had those mechanisms configurable via the undertow servlet container, then we could have the negotiation dependency optional, so if they are not configured, we would not need the negotiation dependency. However, does it make sense to add the SPNEGO and DIGEST mechanisms in [ServletContainerAdd|https://github.com/yersan/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/ServletContainerAdd.java#L124] if we have the security subsystem disabled? Maybe [~dlofthouse] has accurate information about that; I'm going to investigate it further.

If the security subsystem is disabled and we are using Elytron for Authentication/Authorization, I understand those mechanisms are added/managed by Elytron and so might not be necessary there.

> Make undertow extension module's dependency on org.jboss.as.security module optional
> ------------------------------------------------------------------------------------
>
>                 Key: WFLY-11137
>                 URL: https://issues.jboss.org/browse/WFLY-11137
>             Project: WildFly
>          Issue Type: Task
>          Components: Security, Web (Undertow)
>            Reporter: Brian Stansberry
>            Assignee: Yeray Borges
>            Priority: Major
>             Fix For: 15.0.0.Alpha1
>
>
> Don't require the legacy security subsystem module if it's not actually used.
> Usage looks like this:
> {code}
> wildfly bstansberry$ cd undertow/
> undertow bstansberry$ git grep org.jboss.as.security
> src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentInfoService.java:import org.jboss.as.security.plugins.SecurityDomainContext;
> src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java:import org.jboss.as.security.deployment.AbstractSecurityDeployer;
> src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java:import org.jboss.as.security.deployment.SecurityAttachments;
> src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java:import org.jboss.as.security.plugins.SecurityDomainContext;
> src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java:import org.jboss.as.security.service.JaccService;
> src/main/java/org/wildfly/extension/undertow/deployment/UndertowDeploymentProcessor.java:import org.jboss.as.security.service.SecurityDomainService;
> src/main/java/org/wildfly/extension/undertow/security/DigestCredentialImpl.java:import org.jboss.as.security.DigestCredential;
> src/main/java/org/wildfly/extension/undertow/security/JAASIdentityManagerImpl.java:import org.jboss.as.security.plugins.SecurityDomainContext;
> src/main/java/org/wildfly/extension/undertow/security/SecurityContextThreadSetupAction.java:import org.jboss.as.security.plugins.SecurityDomainContext;
> src/main/java/org/wildfly/extension/undertow/security/jacc/WarJACCDeployer.java:import org.jboss.as.security.deployment.AbstractSecurityDeployer;
> src/main/java/org/wildfly/extension/undertow/security/jacc/WarJACCDeployer.java:import org.jboss.as.security.service.JaccService;
> src/main/java/org/wildfly/extension/undertow/security/jacc/WarJACCService.java:import org.jboss.as.security.service.JaccService;
> {code}
> Dropping the use of SecurityAttachments from UndertowDeploymentProcessor and instead having it check for the presence of the org.wildfly.legacy-security capability will go a long way here.  After that, most if not all of the other uses only get called either as a result of that check being true, or some config attribute that directly or indirectly references a security domain. IOW the other uses are only needed if the security subsystem is known to be configured.
> Per Intellij, DigestCredentialImpl is unused.


