[undertow-dev] Undertow Security: PicketBox5

Stuart Douglas sdouglas at redhat.com
Wed Nov 14 01:49:37 EST 2012



Anil Saldhana wrote:
> Hi All,
>     I was not aware of this mailing list until today.
>
> 3-4 months ago, we rewrote PicketBox5 to be a generic security framework.
> https://docs.jboss.org/author/display/SECURITY/Java+Application+Security
> https://github.com/picketbox/picketbox
>
> We have neither JAAS stuff nor Servlet Security
> (FORM, DIGEST, CLIENT-CERT, BASIC) tied to Tomcat Authenticators.
> I am wondering if there is a scope for using PicketBox5 with Undertow.
> Also there is no tie-in to any containers in
> PicketBox5.
>
> The test cases that you may want to review:
> https://github.com/picketbox/picketbox/tree/master/http/src/test/java/org/picketbox/test/authentication/http
>
> Maybe Stefan from our side can help out.  I would guess we can produce a
> prototype branch with undertow + PBox5.

I have had a look through this today, and the big problem with using 
this for Undertow is that it is based on the Servlet APIs. We want to 
be able to use Undertow as the domain HTTP server as well, and we really 
need to be able to re-use the security without adding a servlet 
dependency into the AS core.

I will go through this more fully tomorrow, as I am still recovering 
from my 24 hour flight, but it looks like there are also other things 
that this may not support such as multiple authentication mechanisms and 
optional authentication.

I'm not ruling out using PicketBox, however at this stage I think that 
the best approach is probably to have the HTTP authentication mechanisms 
in Undertow, where they can make use of the async IO features as much as 
possible, and just provide a very simple SPI that we can then back with 
PicketBox in order to keep Undertow core free of external dependencies.

Stuart

>
> Regards,
> Anil
>
> PS: Feedback from *Jason Greene*: I'll let Stuart and Darran comment,
> but my thinking is that we want to greatly limit the dependencies of
> standalone undertow. Integration in AS is a different story though. I
> would imagine this means some kind of SPI between undertow and the
> container.
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
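A sketch of the split Stuart describes (HTTP authentication mechanisms living in the server, a very small SPI behind them that a framework such as PicketBox could implement, several mechanisms chained, and authentication that can be optional), as an added example that is not Undertow or PicketBox code. Every type and method name here (Exchange, Outcome, IdentityManager, AuthenticationMechanism, the X-Api-Token header, the in-memory backend) is an assumption made for the illustration, not an API of either project.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Illustrative sketch only, not Undertow or PicketBox code. Every name below
// (Exchange, Outcome, IdentityManager, AuthenticationMechanism, X-Api-Token)
// is an assumption chosen for the example.
public final class AuthSpiSketch {

    // Three-way result. NOT_ATTEMPTED (the request carried nothing this mechanism
    // understands) is what lets optional authentication be expressed without
    // treating a missing header as a failed login.
    enum Outcome { AUTHENTICATED, NOT_AUTHENTICATED, NOT_ATTEMPTED }

    // Minimal request/response view: headers in, challenges and status out.
    static final class Exchange {
        final Map<String, String> requestHeaders = new HashMap<>();
        final List<String> challenges = new ArrayList<>();
        String principal;   // null until a mechanism authenticates
        int status = 200;
    }

    // The only thing the server core needs from a security framework: verify a
    // credential and return a principal name. A PicketBox adapter would implement
    // this; the core itself never sees PicketBox types.
    interface IdentityManager {
        Optional<String> verifyPassword(String user, char[] password);
        Optional<String> verifyToken(String token);
    }

    // HTTP-level mechanism: parses its own header and issues its own challenge.
    interface AuthenticationMechanism {
        Outcome authenticate(Exchange ex, IdentityManager idm);
        void challenge(Exchange ex);
    }

    // RFC 7617 Basic: "Authorization: Basic base64(user:password)".
    static final class BasicMechanism implements AuthenticationMechanism {
        public Outcome authenticate(Exchange ex, IdentityManager idm) {
            String h = ex.requestHeaders.get("Authorization");
            if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return Outcome.NOT_ATTEMPTED;
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return Outcome.NOT_AUTHENTICATED;   // malformed base64 counts as a failed attempt
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) return Outcome.NOT_AUTHENTICATED;
            Optional<String> p = idm.verifyPassword(decoded.substring(0, colon), decoded.substring(colon + 1).toCharArray());
            if (p.isPresent()) { ex.principal = p.get(); return Outcome.AUTHENTICATED; }
            return Outcome.NOT_AUTHENTICATED;
        }
        public void challenge(Exchange ex) { ex.challenges.add("Basic realm=\"example\""); }
    }

    // Second mechanism, an assumed opaque-token header, so the chain has two entries.
    static final class TokenMechanism implements AuthenticationMechanism {
        public Outcome authenticate(Exchange ex, IdentityManager idm) {
            String t = ex.requestHeaders.get("X-Api-Token");
            if (t == null) return Outcome.NOT_ATTEMPTED;
            Optional<String> p = idm.verifyToken(t);
            if (p.isPresent()) { ex.principal = p.get(); return Outcome.AUTHENTICATED; }
            return Outcome.NOT_AUTHENTICATED;
        }
        public void challenge(Exchange ex) { ex.challenges.add("X-Api-Token"); }
    }

    // Runs the chain. Credentials that were presented but rejected fail the request
    // even when authentication is optional; only the absence of any credential is
    // allowed through anonymously. On failure every mechanism adds its challenge.
    static boolean runChain(Exchange ex, List<AuthenticationMechanism> chain, IdentityManager idm, boolean required) {
        boolean rejected = false;
        for (AuthenticationMechanism m : chain) {
            Outcome o = m.authenticate(ex, idm);
            if (o == Outcome.AUTHENTICATED) return true;
            if (o == Outcome.NOT_AUTHENTICATED) { rejected = true; break; }
        }
        if (!required && !rejected) return true;   // nothing presented, anonymous access allowed
        ex.status = 401;
        for (AuthenticationMechanism m : chain) m.challenge(ex);
        return false;
    }

    static void demo(String name, String header, String value, boolean required,
                     List<AuthenticationMechanism> chain, IdentityManager idm) {
        Exchange ex = new Exchange();
        if (header != null) ex.requestHeaders.put(header, value);
        boolean ok = runChain(ex, chain, idm, required);
        System.out.println(name + ": ok=" + ok + " principal=" + ex.principal
                + " status=" + ex.status + " challenges=" + ex.challenges);
    }

    public static void main(String[] args) {
        // Constructed in-memory backend standing in for a framework adapter.
        IdentityManager idm = new IdentityManager() {
            public Optional<String> verifyPassword(String u, char[] pw) {
                return "alice".equals(u) && Arrays.equals(pw, "s3cret".toCharArray()) ? Optional.of("alice") : Optional.empty();
            }
            public Optional<String> verifyToken(String t) { return "tok-42".equals(t) ? Optional.of("svc-account") : Optional.empty(); }
        };
        List<AuthenticationMechanism> chain = List.of(new BasicMechanism(), new TokenMechanism());
        String good = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
        demo("basic, required", "Authorization", good, true, chain, idm);
        demo("token, required", "X-Api-Token", "tok-42", true, chain, idm);
        demo("anonymous, optional", null, null, false, chain, idm);
        demo("bad password, optional", "Authorization", bad, false, chain, idm);
    }
}
```

The point of the shape is the one Jason and Stuart make: the server core depends only on the small IdentityManager interface, so the mechanisms can stay close to the I/O layer, while any framework plugs in behind that interface. The three-way Outcome is what keeps "optional" from silently accepting a wrong password: a header that was sent and rejected still produces a 401 with challenges from every configured mechanism.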

