Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support multiple authentication mechanisms in a single application #287

Closed
hantsy opened this issue Mar 17, 2023 · 5 comments
Closed

Support multiple authentication mechanisms in a single application #287

hantsy opened this issue Mar 17, 2023 · 5 comments
Labels
duplicate This issue or pull request already exists

Comments

@hantsy
Copy link

hantsy commented Mar 17, 2023

For example, in a Jakarta web application, it includes web pages for administrator and also provides Restful APIs for client applications.

We could use FORM to protect the web pages(/web), and JWT for the Restful APIs(/api).

  1. provides a Spring security equivalent securityMatcher(accept ant pattern or regex pattern, provides an extra attribute to accept a custom PathMatcher bean via EL) like attribute in the current annotations to filter out if the request path is matched. If it is not matched, skip the authentication quickly.
  2. Reuse @Priority annotation to order them at runtime.
@OndroMih
Copy link
Contributor

I created this proposal as a possible solution to this: jakartaee/security-examples#11.

The core idea is to make it possible to choose programmatically which of the built-in authentication mechanisms should be used based on configuration or user input. It would be possible to inject one or more mechanisms configured using the existing definition annotations (e.g. @BasicAuthenticationMechanismDefinition) and delegate authentication to them from a custom HttpAuthenticationMechanism bean.

Then it would be possible to choose between multiple mechanisms based on info in the request, e.g. URL, query parameters, cookies, etc. We can extend it by some helper functionality, e.g. to have a simple mechanism to select from the injected mechanisms using URL pattern matching, etc. Any suggestions welcome.

@arjantijms
Copy link
Contributor

See this existing issue: #188

Also note this was discussed extensively discussed during Security 1.0. There is a 3D matrix for different authentication mechanisms:

  1. Having different mechanisms per URL
  2. Having different mechanisms cooperate on a single request (typically, if A fails, fall back to B)
  3. Letting the user choose an authentication mechanism

@arjantijms arjantijms added the duplicate This issue or pull request already exists label Apr 10, 2023
@OndroMih
Copy link
Contributor

I didn't see the original issue. I commented there now too: #188 (comment).

My proposal would address the points 1. and 3. from the above. Actually, even 2. could be implemented, because a custom auth mechanism could call a built-in mechanism, and based on the result, it could call another auth mechanism. I believe my proposal is very light-weight, doesn't add any new API, and leaves a lot of power on the implementor of the custom auth mechanism. Without this, it's impossible to combine the built-in mechanisms in any way, because when a built-in mechanism is enabled, no other mechanism can be enabled with it.

@jakartaee jakartaee deleted a comment from darranl Apr 11, 2023
@darranl
Copy link
Contributor

darranl commented Apr 11, 2023

I can't remember exactly how it was presented around 2016/2017 but in WildFly with WildFly Elytron we are definitely using the phased approach.

In the first phase the configured mechanisms are given an opportunity to authenticate the incoming request, if that is not successful and authentication is required the mechs are then all given an opportunity to participate in generating the response so multiple mechanisms can challenge.

@OndroMih
Copy link
Contributor

I can't remember exactly how it was presented around 2016/2017 but in WildFly with WildFly Elytron we are definitely using the phased approach.

@darranl , are you talking about the distributed realm in Elytron? https://wildfly-security.github.io/wildfly-elytron/blog/distributed-realm/

If not, can you give me some pointers where to look to understand what is implemented in Elytron?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests

4 participants