| categories | ||
|---|---|---|
|
WildFly Elytron uses the Elytron Client project to enable remote clients to authenticate using Elytron. Elytron client is already used by other WildFly clients allowing for both use of an Elytron API and pre-defined configurations in the xml file (wildfly-config.xml).
This requested feature is about making use of Elytron’s configuration on the client side of REST deployment so that the RESTEasy client supports the common framework available within the application server.
The implementation will involve loading of configuration from Elytron client, specifically credentials, bearer token and SSL context, and making those available to the RESTEasy client. Credentials will be used for HTTP Basic authentication and bearer token for Bearer Authentication.
Elytron configuration should be ignored if different configuration was already set. So if there was already Bearer token or credentials available this implementation will not overwrite it.
-
EAP7-1219 - EAP issue tracker
-
EAP7-1891 - Elytron project issue tracker
-
RESTEASY-2366 - RESTEasy project issue tracker
-
WFLY-11868 - Community documentation issue tracker
WildFly project will contain integration tests.
This RFE seeks to make use of credentials, bearer token and SSL context from the Elytron client in the RESTEasy client.
-
RESTEasy client will load Elytron config by default if this configuration is present in
wildfly-config.xml(or is provided in the client’s code by using Elytron API). -
Credentials (if present in form of username and password) will be used for
HTTP Basic authentication(this authentication will be preemptive). -
If Bearer token is present in Elytron client config, RESTEasy client will load it and use it in Authorization header for outgoing requests.
-
If both credentials and bearer token are present in Elytron client, only Bearer token will be used for RESTEasy client’s outgoing requests.
-
If SSLContext is configured in Elytron client for URI that the RESTEasy client is attempting to connect to, it will be automatically loaded and used
-
Any existing configuration the client already had configured should not be re-written.
Because we do not want RESTEasy to have Elytron dependency, new SPI for client configuration will be added to RESTEasy that Elytron will implement. This SPI will be used during configuration of client - in builder method in RESTEasyClientBuilder class.
To invoke requests, the RESTEasy client uses single instance of ClientHttpEngine interface implementation, which can have only one SSLContext defined. However, Elytron client configuration can have multiple credentials and SSL contexts specified and these are chosen based on rules, eg. URI. It will be necessary to intercept/filter the requests and choose credentials, bearer token or SSLContext based on the destination of the requests.
New RequestClientFilter will be registered for client if Elytron is on classpath. This RequestClientFilter will be used to set Authorization header if it is missing - with either HTTP Basic authentication or Bearer token. If both Bearer token and credentials are obtained from Elytron, only the Bearer token will be applied to outgoing request.
Tests in the RESTEasy testsuite will use mocked SPI implementation to avoid circular dependency with Elytron client. Integration tests that test Elytron client together with RESTEasy client will be added to WildFly integration testsuite.
Community documentation will be delivered in form of a PR to WildFly repository’s master branch.