[Pki-devel] [PATCH] [WIP] Add external authentication support

Hi all, GSS-API authentication support is in progress. The approach is detailed in the design proposal[1], which is not complete. The attached patch is provided for early review of the approach and implementation. It should not break existing behaviour for existing authentication methods, but is not yet fully usable for externally authenticated principals. Some brief implementation notes: - `ExternalAuthToken' class wraps an externally authenticated principal in order to provide reasonable values for common AuthToken attributes. Many attributes are not yet implemented, and some never will be (i.e. some call sites may need to weaken their assumptions). - There are ~9 explicit casts of principal from abstract `Principal' to `PKIPrincpial'; these sites need to be checked and probably updated in most cases, because (principal instanceof PKIPrincipal) is no longer a valid assumption. Some are definitely broken. - `AuthMethodInterceptor' currently treats all external authentication methods the same, allowing allowing access. If needed, different external authn methods can be distinguished, allowing different access rules for different external authn methods. - This patch does not configure the second tomcat AJP `Connector' required. Also, the `Connector' needs to be "locked down" to a only allow traffic from the Apache frontend. I need to confirm how to do this and clearly document it. Regarding the design document, there is a lot more to come re: authorization, especially for user-created objects such as secrets in KRA.