HTTP External Mechanism Support in Elytron
Overview
This proposal is to add support for the External HTTP mechanism with Elytron. This mechanism will perform no verification,
but will authenticate a user based on credentials established externally. This will be used to accept a principal which
is passed by the REMOTE_USER attribute in the AJP protocol.
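Because the mechanism performs no verification, the principal is whatever the AJP front-end wrote into the remote_user attribute of the Forward Request. The sketch below is an added example, not Elytron, Undertow or elytron-web code: it parses that attribute (code 0x03 in the AJP13 packet layout) and shows that an HTTP header named REMOTE_USER is a separate field. The names `Reader`, `remote_user`, `s` and `build` are hypothetical and the sample packets are constructed.

```python
import struct

REMOTE_USER, REQ_ATTRIBUTE, SSL_KEY_SIZE, ARE_DONE = 0x03, 0x0A, 0x0B, 0xFF  # AJP13 attribute codes

class Reader:
    def __init__(self, data):
        self.d, self.i = data, 0
    def u8(self):
        self.i += 1
        return self.d[self.i - 1]
    def u16(self):
        self.i += 2
        return struct.unpack_from(">H", self.d, self.i - 2)[0]
    def string(self):
        n = self.u16()
        if n == 0xFFFF:              # null string: no bytes follow
            return None
        self.i += n + 1              # payload plus trailing NUL
        return self.d[self.i - n - 1:self.i - 1].decode("latin-1")

def remote_user(packet):
    """Return the remote_user attribute of an AJP13 Forward Request, or None."""
    r = Reader(packet)
    if r.u16() != 0x1234 or r.u16() != len(packet) - 4 or r.u8() != 0x02:
        raise ValueError("not a well-formed AJP13 Forward Request")
    r.u8()                           # method code
    for _ in range(5):               # protocol, req_uri, remote_addr, remote_host, server_name
        r.string()
    r.u16(); r.u8()                  # server_port, is_ssl
    for _ in range(r.u16()):         # request headers: these come from the HTTP client
        r.u16() if packet[r.i] == 0xA0 else r.string()   # coded or literal name
        r.string()                   # value
    user = None
    while (code := r.u8()) != ARE_DONE:
        if code == REQ_ATTRIBUTE:
            r.string(); r.string()   # name and value
        elif code == SSL_KEY_SIZE:
            r.u16()
        elif code == REMOTE_USER:
            user = r.string()        # written by the front-end, not a request header
        else:
            r.string()
    return user

def s(v):                            # encode an AJP string
    return struct.pack(">H", len(v)) + v.encode("latin-1") + b"\x00"

def build(headers, attrs):           # constructed sample packet, GET /app
    body = b"\x02\x02" + b"".join(map(s, ["HTTP/1.1", "/app", "192.0.2.10", "client", "example.test"]))
    body += struct.pack(">HBH", 80, 0, len(headers)) + b"".join(s(k) + s(v) for k, v in headers)
    body += b"".join(bytes([c]) + s(v) for c, v in attrs) + b"\xff"
    return b"\x12\x34" + struct.pack(">H", len(body)) + body
```

Since any peer that can open the AJP connection can write this attribute, the value is only as trustworthy as the set of hosts allowed to reach the AJP listener.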
Issue Metadata
Issue
Related Issues
Dev Contacts
QE Contacts
Testing By
[ ] Engineering
[X] QE
Affected Projects or Components
- Security
Other Interested Projects
Requirements
Hard Requirements
- New HTTP ExternalAuthenticationMechanism, ExternalMechanismFactory, and WildFlyElytronHttpExternalProvider classes
- Ability to pass REMOTE_USER attribute from undertow to Elytron (via elytron-web)
Nice-to-Have Requirements
Non-Requirements
- Note: This RFE does not make changes to the mod_cluster subsystem but will update the documentation to describe how to use the External mechanism for authentication with the Elytron subsystem
Test Plan
- Tests will be added to the wildfly/testsuite/integration/web testsuite to test successful HTTP authentication with the External mechanism
- Tests will be added to the wildfly-elytron testsuite to test the new mechanism’s functionality
- Tests will be added to the elytron-web/undertow testsuite to test successful HTTP authentication with the External mechanism
Community Documentation
- Documentation will be added to General Elytron Architecture to reference the new mechanism being added.
- Documentation will be added to mod_cluster Subsystem describing how to configure Elytron to authenticate a REMOTE_USER via the External HTTP Mechanism
Release Note Content
Users are now able to configure Elytron to use credentials established externally from the server to authenticate the client with HTTP. This will allow users to propagate authentication from mod-cluster/ajp to WildFly.