Questions re. HttpAuthenticationMechanism

32 views
Skip to first unread message

Laura Schanno

unread,
Aug 25, 2025, 11:52:45 PM (11 days ago) Aug 25
to WildFly

Hello,


I have some questions about creating a custom HttpAuthenticationMechanism.


Some background: we’re migrating from Wildfly 17 to Wildfly 26 and need to create custom security realms. Along with that, we need a custom authentication mechanism to support identifying users either from a JWT token or from trusted header information when an SSL session is not established.


Our older authentication mechanism is an implementation of Undertow’s AuthenticationMechanism interface, but it is my understanding that we need to migrate to an implementation of Wildfly’s HttpAuthenticationMechanism to be compatible with Elytron. 


Question 1: Is my understanding there correct? Is it generally necessary to migrate from Undertow’s authentication mechanism APIs to Wildfly’s when interfacing with Elytron?

Question 2: Is there a way to obtain the request start time in the custom HttpAuthenticationMechanism from the supplied HttpServerRequest instance? In Undertow’s AuthenticationMechanism, the HttpServerExchange argument supports the following:


long requestStartTime = exchange.getRequestStartTime();


We gather this information to track certain metrics about requests submitted to our systems. I didn’t see an equivalent method for the HttpServerRequest class, and would like to know if there’s a way to get the request start time in some other manner.


Rebecca Searls

unread,
Aug 26, 2025, 9:07:17 AM (10 days ago) Aug 26
to Laura Schanno, WildFly

Question 1: Is my understanding there correct? Is it generally necessary to migrate from Undertow’s authentication mechanism APIs to Wildfly’s when interfacing with Elytron?

Yes you will need to implement Elytron's HttpServerAuthenticationMechanism interface.
 

Question 2: Is there a way to obtain the request start time in the custom HttpAuthenticationMechanism from the supplied HttpServerRequest instance? In Undertow’s AuthenticationMechanism, the HttpServerExchange argument supports the following:

HttpServerAuthenticationMechanism does not provide a getRequestStartTime() method or access to get to undertow's exchange class. 
       


--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wildfly/3f48fa88-c77d-401b-b500-31d6bd9a8c82n%40googlegroups.com.

Laura Schanno

unread,
Aug 26, 2025, 11:42:16 AM (10 days ago) Aug 26
to WildFly
Rebecca,

Thank you for the confirmation. Do you know if there's any way to capture the start time of the request outside of the authentication mechanism?

Rebecca Searls

unread,
Aug 27, 2025, 8:39:56 AM (9 days ago) Aug 27
to Laura Schanno, WildFly
In HttpServerAuthenticationMechanism there is method,
     void evaluateRequest(HttpServerRequest request)

Ref request to get a session creation time.
     long cTime = request.getSSLSession().getCreationTime();
     

Laura Schanno

unread,
Aug 27, 2025, 10:25:08 AM (9 days ago) Aug 27
to WildFly
Thank you! I'll proceed with using that for the request time.
Reply all
Reply to author
Forward
0 new messages