[undertow-dev] AuthenticationMechanismFactory
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Fri Dec 13 11:51:33 EST 2013
>
>
> >
> > I am mainly viewing this from DeploymentInfo API aesthetics/usability
> > perspective. To me, Undertow is a standalone web container (like Jetty)
> > with an usable API (JUnit tests would be the litmus test).
> > Extensions/WildFly etc come later.
>
> IMO auth extensions are useful in the standalone case as well. I think
> it’s likely that most users do not write custom auth mechanisms, but
> simply want to reuse packaged or thirdparty auth in as few steps as
> possible.
>
>
>
>
With one caveat...External SSO/Web Access Management systems. Most
commercial WAMs (ie SiteMinder, OpenAM, Oracle Access Manager, etc) rely on
cookies for session management, usually with a reverse proxy model (there's
an agent in the web server that controls all of the redirects to central
authentication and the by the time the connection gets to the app server
the user is already authenticated). So in an environment with a WAM the
easiest thing to do is tell your app server to use some local component to
"trust" the authentication from the proxy. In weblogic this is done via
the IdentityAsserter api. In WebSphere the TAI. Tomcat doesn't have a
specific mechanism for this, I just do it in a Valve or Servlet Filter.
I've done it with older JBoss versions with JAAS plugins and Servlet
Filters that I had a difficult time trying to work with. A simple way to
specify an identity asserter of some kind for offloaded authentication
would be very helpful.
Thanks
Marc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20131213/c6b07eaf/attachment.html
More information about the undertow-dev
mailing list