I'm trying to implement a custom credential store (with a custom CredentialStoreSpi implementation) to integrate with data sources through credential-reference.
The idea is to use a vault service with rotating passwords. For now, when I start WildFly, it calls CredentialStoreSpi.retrieve() and initializes the data source with the current password, but if I flush the data source and request a new connection there are no further calls to .retrieve(). And if I rotate the password, it then fails to create a connection with a username/password error, and still does not call for a new password.
Is there any way to change this behavior and force every new connection to request the password directly from the credential store?
Looking in the specs, I see that the data-source connection security has a config for some "Reauth Plugin Class Name", but I can't find any clues on what that is.
Found this spec: https://docs.wildfly.org/20/wildscribe/subsystem/datasources/data-source/ExampleDS/index.html#attr-reauth-plugin-class-name
- reauth-plugin-class-name The fully qualified class name of the reauthentication plugin implementation
Looking on the web, I find no documentation on this.
Does anyone know what that is? Could it help in this use case?
Edit 2023-04-03
I found this implementation: https://github.com/ironjacamar/ironjacamar/blob/263826e4fc49bb6f51257fbbeb227d0480a05a7c/adapters/src/main/java/org/jboss/jca/adapters/jdbc/BaseWrapperManagedConnectionFactory.java#L1232
This method is always called when a connection is obtained from the pool. In my tests it always enters the WrappedConnectionRequestInfo test (line 1253).
From what I understand, I could try to override ManagedConnectionFactory or ConnectionRequestInfo:
- ConnectionRequestInfo: I can't find any way to override this;
- ManagedConnectionFactory: apparently I can override it, but I found only old docs and it appears to be discouraged.
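For readers who want to see what the custom store side of this setup looks like, here is an added example (not code from the question or from WildFly) of a read-only CredentialStoreSpi whose retrieve() goes to the vault on every call instead of caching the password. It assumes the WildFly Elytron org.wildfly.security.credential.store API (CredentialStoreSpi, PasswordCredential, ClearPassword) and the protected `initialized` flag on CredentialStoreSpi; VaultClient, its fromUrl() factory and the "vault-url" attribute name are hypothetical placeholders for a real vault SDK. Note that this only makes the store itself rotation-aware: as the question observes, the data source resolves the credential-reference when its connection factory is created, so this store alone does not change how often retrieve() is called.

```java
import java.security.Provider;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.CredentialStoreSpi;
import org.wildfly.security.password.interfaces.ClearPassword;

/** Added example: a read-only credential store backed by an external vault (assumed Elytron API). */
public class VaultCredentialStore extends CredentialStoreSpi {

    /** Hypothetical vault client; replace with the real vault SDK. */
    public interface VaultClient {
        /** Returns the password currently stored under the alias, or null if unknown. */
        char[] currentPassword(String alias);

        /** Hypothetical factory: open a client for the configured vault endpoint. */
        static VaultClient fromUrl(String url) {
            throw new UnsupportedOperationException("wire this to your vault SDK: " + url);
        }
    }

    private VaultClient vault;

    @Override
    public void initialize(Map<String, String> attributes,
                           CredentialStore.ProtectionParameter protectionParameter,
                           Provider[] providers) throws CredentialStoreException {
        // Attributes come from the credential-store resource configuration; the key name is an assumption.
        String url = attributes.get("vault-url");
        if (url == null) {
            throw new CredentialStoreException("vault-url attribute is required");
        }
        this.vault = VaultClient.fromUrl(url);
        initialized = true; // assumed protected flag on CredentialStoreSpi
    }

    @Override
    public boolean isModifiable() {
        return false; // rotation happens inside the vault, never through WildFly
    }

    @Override
    public void store(String alias, Credential credential,
                      CredentialStore.ProtectionParameter protectionParameter) throws CredentialStoreException {
        throw new CredentialStoreException("read-only store");
    }

    @Override
    public <C extends Credential> C retrieve(String alias, Class<C> credentialType, String credentialAlgorithm,
                                             AlgorithmParameterSpec parameterSpec,
                                             CredentialStore.ProtectionParameter protectionParameter)
            throws CredentialStoreException {
        // Only password credentials are held here; other requested types yield no credential.
        if (!credentialType.isAssignableFrom(PasswordCredential.class)) {
            return null;
        }
        // No local cache: each call asks the vault, so a rotated password is returned
        // the next time the container actually invokes retrieve().
        char[] password = vault.currentPassword(alias);
        if (password == null) {
            return null;
        }
        ClearPassword clear = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password);
        return credentialType.cast(new PasswordCredential(clear));
    }

    @Override
    public void remove(String alias, Class<? extends Credential> credentialType, String credentialAlgorithm,
                       AlgorithmParameterSpec parameterSpec) throws CredentialStoreException {
        throw new CredentialStoreException("read-only store");
    }

    @Override
    public Set<String> getAliases() throws CredentialStoreException {
        return Collections.emptySet(); // aliases are resolved lazily; enumeration is not supported
    }
}
```

The store is registered through a java.security.Provider that maps a CredentialStore algorithm name to this class, and the credential-reference in the data source then points at that store and alias; whether the data source re-queries it after a flush is the open question of the post, not something the store controls.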