
Understanding loginConfig vs Authentication handlers


Brad Wood

Jul 7, 2022, 1:51:08 PM
to Undertow Dev
I'm working on understanding Undertow's auth mechanisms a little better, and I'm looking at some code written by another developer that implements basic auth for all requests on a server.  I'm a little confused by the difference between the login config and the AuthenticationMechanismsHandler and how they are different.  I'm unclear if they are meant to be used together or if their functionality overlaps, etc.  

I see code like this where I can set up one or more auth mechanisms via the loginConfig class and then I pass an identity manager to the DeploymentInfo.

        // Servlet-style setup: mechanisms and their properties are declared in a LoginConfig
        // and the container builds the security handler chain from it at deploy time
        LoginConfig loginConfig = new LoginConfig(realm);
        Map<String, String> props = new HashMap<>();
        props.put("charset", "ISO_8859_1");   // properties read by the BASIC mechanism factory
        props.put("user-agent-charsets", "Chrome,UTF-8,OPR,UTF-8");
        loginConfig.addFirstAuthMethod(new AuthMethodConfig("BASIC", props));
        servletBuilder.setIdentityManager(this).setLoginConfig(loginConfig);

Elsewhere I see what feels like nearly the same thing but via a different set of classes, where a number of auth handlers are added to the security initial handler.  Again, I can add one or more auth mechanisms as well as pass in the identity manager:

        // Plain-handler setup: each handler wraps the next, so SecurityInitialHandler runs first
        handler = new AuthenticationCallHandler(handler);        // runs SecurityContext.authenticate(); ends the exchange (with the mechanism's challenge) when it fails
        handler = new AuthenticationConstraintHandler(handler);  // marks every request as requiring authentication
        final List<AuthenticationMechanism> mechanisms = Collections.<AuthenticationMechanism>singletonList(new BasicAuthenticationMechanism(realm));
        handler = new AuthenticationMechanismsHandler(handler, mechanisms);  // registers the mechanisms on the SecurityContext
        handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, this, handler);  // creates the SecurityContext with this identity manager

What is the difference between these two approaches?  Are they meant to be used together?  Mutually exclusive?  The loginConfig classes are covered in this part of the docs
but no mention at all is made of the handlers in my second code block.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 

Brad Wood

Jul 20, 2022, 1:58:41 PM
to Undertow Dev
Any chance of getting clarification on the authentication mechanisms?

Flavia Rainone

Jul 21, 2022, 3:04:25 AM
to Undertow Dev
Hi Brad,

The difference is that the AuthenticationMechanismsHandler is used internally by Undertow to set up security when you configure your LoginConfig. You can view the code for this here:

Well, you can of course set up your own handler and configure it directly if you prefer, but it was created to be used internally. That's why it is not on the documentation.

Best regards,
Flavia

Brad Wood

Jul 21, 2022, 11:04:24 AM
to Flavia Rainone, Undertow Dev
Actually, I was incorrect in my OP when I said it wasn't documented.  I found the docs after posting here:

That said, the docs didn't answer any of my questions.  My best guess is the loginConfig stuff is designed to be part of the servlet and matches the flow of the web.xml security section, which I assume is why it has stuff like "role" even though roles never appear to actually be used anywhere in Undertow!

The best I can tell is the login config doesn't even work. When I try to configure basic auth via the login config, I can't get it to fire. Which is sort of a shame since the security constraint stuff looked cool, but it seems to be specific to the login config from what I can tell.  

> Well, you can of course set up your own handler and configure it directly if you prefer, but it was created to be used internally

This doesn't seem right because when I add login config to my servlet deployment, I don't see any indicator that Undertow has added the SecurityInitialHandler classes to my request chain.  In fact, the SecurityInitialHandler appears to fire way before the servlet is even invoked which is why it feels like a totally different implementation.  

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 


To view this discussion on the web visit https://groups.google.com/d/msgid/undertow-dev/1592acc2-2dd5-4cff-8fe7-04840f67a8f1n%40googlegroups.com.
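The following is an added example, not code from this thread or from Undertow itself: a complete servlet deployment that enables BASIC auth through LoginConfig, together with the SecurityConstraint that makes it fire. The servlet security handlers Undertow builds from a LoginConfig are constraint-driven by default, so a deployment with a LoginConfig and an IdentityManager but no SecurityConstraint never marks any request as requiring authentication and the BASIC mechanism never runs; that is one way to reproduce a "login config doesn't fire" symptom. The realm name, user table, URL patterns and port are assumptions, and the javax.servlet imports assume Undertow 2.2.x (2.3 and later use jakarta.servlet). The plain-handler chain in the first post (SecurityInitialHandler with PRO_ACTIVE) is the equivalent for a server with no servlet deployment at all.

```java
import io.undertow.Undertow;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpHandler;
import io.undertow.servlet.Servlets;
import io.undertow.servlet.api.AuthMethodConfig;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.DeploymentManager;
import io.undertow.servlet.api.LoginConfig;
import io.undertow.servlet.api.SecurityConstraint;
import io.undertow.servlet.api.WebResourceCollection;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the thread or from Undertow: BASIC auth via the servlet LoginConfig.
// Realm name, user table, URL patterns and port are assumptions; javax.servlet = Undertow 2.2.x.
public class LoginConfigExample {

    // Assumed user store; plaintext only to keep the example short (store hashes in real code)
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    // The IdentityManager the security layer calls after a mechanism has parsed the credentials
    static final IdentityManager IDM = new IdentityManager() {
        @Override public Account verify(Account account) { return account; }   // re-verify a cached account
        @Override public Account verify(Credential credential) { return null; } // no id-less credentials here

        @Override public Account verify(String id, Credential credential) {
            char[] expected = USERS.get(id);
            if (expected == null || !(credential instanceof PasswordCredential)) return null;
            char[] given = ((PasswordCredential) credential).getPassword();
            // constant-time comparison so response timing does not reveal how much of the password matched
            if (!MessageDigest.isEqual(bytes(expected), bytes(given))) return null;
            return new Account() {
                @Override public Principal getPrincipal() { return () -> id; }
                @Override public Set<String> getRoles() { return Collections.singleton("user"); }
            };
        }
    };

    private static byte[] bytes(char[] chars) {
        return new String(chars).getBytes(StandardCharsets.UTF_8);
    }

    // Assumed target servlet: echoes the principal the security layer attached to the request
    public static class HelloServlet extends HttpServlet {
        @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().write("hello " + req.getUserPrincipal().getName());
        }
    }

    static HttpHandler build() throws Exception {
        // Which mechanism(s) to use; the realm name ends up in the WWW-Authenticate challenge
        LoginConfig loginConfig = new LoginConfig("ExampleRealm")
                .addFirstAuthMethod(new AuthMethodConfig("BASIC", Map.of("charset", "UTF-8")));

        // Which paths require authentication. The servlet deployment is constraint-driven by default
        // (DeploymentInfo.setAuthenticationMode), so without a matching constraint no request is ever
        // marked as requiring auth and the BASIC mechanism never runs.
        SecurityConstraint constraint = new SecurityConstraint()
                .addWebResourceCollection(new WebResourceCollection().addUrlPattern("/*"))
                .addRoleAllowed("user");

        DeploymentInfo deployment = Servlets.deployment()
                .setClassLoader(LoginConfigExample.class.getClassLoader())
                .setContextPath("/")
                .setDeploymentName("loginconfig-example.war")
                .setIdentityManager(IDM)
                .setLoginConfig(loginConfig)
                .addSecurityRole("user")
                .addSecurityConstraint(constraint)
                .addServlet(Servlets.servlet("hello", HelloServlet.class).addMapping("/*"));

        DeploymentManager manager = Servlets.defaultContainer().addDeployment(deployment);
        manager.deploy();   // deploy() is where Undertow builds the handler chain, security handlers included
        return manager.start();
    }

    public static void main(String[] args) throws Exception {
        Undertow.builder().addHttpListener(8080, "localhost").setHandler(build()).build().start();
    }
}
```

With this running, a request to / without credentials gets a 401 carrying a WWW-Authenticate: Basic challenge for the assumed realm, and a request with alice:s3cret reaches the servlet with the principal set. Removing the addSecurityConstraint line leaves the deployment and its security handlers in place but nothing is ever challenged, which is the behaviour to check for first when a LoginConfig-based BASIC setup appears not to fire.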

Flavia Rainone

Sep 5, 2022, 3:40:03 PM
to Undertow Dev
Brad,

Can you please create a Jira with more details on it not working? I'll follow up there to investigate what is wrong with LoginConfig.

Thanks!
