[undertow-dev] resteasy oauth undertow security requirements

Bill Burke bburke at redhat.com
Mon Apr 29 10:40:02 EDT 2013


Hey all,

Is there a web-site for Undertow?  Any documentation or examples?

I'm hoping to start migrating Resteasy's OAuth work so that it works 
with Undertow.  I don't know whether or not it will require undertow 
security API changes or not.  I'll post some initial 
requirements/how-we-do-it-now stuff below.

1. Support for multiple simultaneous auth protocols for one web-app. Any 
servlet auth + oauth + bearer-token.
2. Ability to introspect principal and role mapping from underlying 
"domain".  We create a smart token from this information.  With 
JBossWeb, we hacked this information from the Principal passed back from 
the security layer.
3. Ability to add additional action URLs to the web-app without 
additional user configuration.  With JBossWeb, we handled all these URLs 
within a valve.
4. Ability to create both principal and role mappings on the fly from an 
incoming request's bearer token.
5. Ability to obtain any client certificates so that they can be 
verified.  Verification only.  For this I want to be able to verify the 
client that is acting on behalf of a user.  So the calling client's 
certificates may not be the same identity of the actual user.
6. Ability to store state in-between requests.  This isn't a session as 
it will be two different clients that need to share data.  in OAuth, 
there's the User Agent that establishes an access code for the web-app. 
  The web-app makes a separate HTTP request to verify the access code 
and turn it into a token.
7. Ability to log out any requested user.  Our current implementation 
has an admin interface that can log out a user on *every* app they are 
logged into.

That's all I can think of now.  So, Undertow needs to provide these 
capabilities within their security API, *OR*, it requires a Valve 
architecture that can override any current built-in auth infrastructure, 
but at the same time, have access to the "domain" and be able to 
authenticate and introspect principal and role mappings.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the undertow-dev mailing list