Hello,
I am currently migrating an application from WildFly 17 to WildFly 26 (limited to Jakarta 8 for now), and have been working on a custom security realm implementation. As part of this effort, I have also created a custom HttpServerAuthenticationMechanism to handle how we get an Evidence instance for the calling user.
In the process of reviewing the various mechanism implementations that WildFly provides, I noticed that most, if not all, of them implement and use some form of an IdentityCache that is attached in most cases to the HttpRequest's session scope to allow for re-authentication.
Is it generally recommended to do the same for custom authentication mechanisms? If so, are there any particular constraints that need to be kept in mind?
Thanks,
Laura