I have a use case where we are already doing public key authentication against httpd. We currently have httpd configured to provide a REMOTE_USER header to proxied applications, basically that it has authenticated that user via PKI. I want to write an authentication plugin that takes REMOTE_USER, queries an external database (redmine) to get group membership, and returns an AuthenticationResult object. This is all based on the assumption that users can't get to scm-manager directly by going around httpd via jetty connector configuration (i.e. only listen to 127.0.0.1).
Also, in this workflow users could be authenticated immediately (i.e. SSO) if they get as far as scm-manager in the workflow.
I assume I could just write an AuthenticationHandler that ignores user/password, but it wouldn't provide an easy flow from git/hg clients, since typically a PKI key and username/password aren't used together in most clients.
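
The trust decision described in this post, sketched as an added example in plain Java (it is not part of the original post and does not use SCM-Manager's plugin API). `ProxyIdentityGate`, `Identity` and `GroupSource` are hypothetical names, the username pattern is an assumption, and the in-memory map stands in for the Redmine group query.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

/** Accepts a proxy-asserted REMOTE_USER only when it arrives from the local httpd. */
public class ProxyIdentityGate {
    // Assumption: account names are restricted to this character set and length.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Hypothetical result type, not SCM-Manager's AuthenticationResult. */
    record Identity(String user, Set<String> groups) {}

    /** Stand-in for the external group lookup (for example a query against Redmine). */
    interface GroupSource { Set<String> groupsOf(String user); }

    private final GroupSource groups;

    ProxyIdentityGate(GroupSource groups) { this.groups = groups; }

    Optional<Identity> authenticate(String peerAddress, List<String> remoteUserValues) {
        // The header is only meaningful if the connection comes from the proxy on loopback.
        if (!isLoopback(peerAddress)) return Optional.empty();
        // Require exactly one value; a missing or repeated header is treated as unauthenticated.
        if (remoteUserValues == null || remoteUserValues.size() != 1) return Optional.empty();
        String user = remoteUserValues.get(0).trim();
        if (!USERNAME.matcher(user).matches()) return Optional.empty();
        return Optional.of(new Identity(user, Set.copyOf(groups.groupsOf(user))));
    }

    private static boolean isLoopback(String addr) {
        // The peer address is an IP literal taken from the socket, so no DNS lookup happens.
        try { return InetAddress.getByName(addr).isLoopbackAddress(); }
        catch (UnknownHostException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the group database.
        Map<String, Set<String>> db = Map.of("alice", Set.of("developers"));
        ProxyIdentityGate gate = new ProxyIdentityGate(u -> db.getOrDefault(u, Set.of()));
        System.out.println(gate.authenticate("127.0.0.1", List.of("alice")));         // accepted
        System.out.println(gate.authenticate("10.0.0.5", List.of("alice")));          // rejected: not loopback
        System.out.println(gate.authenticate("127.0.0.1", List.of("alice", "root"))); // rejected: repeated header
    }
}
```

The loopback check backs up the connector binding at the application layer, so a later change to the listen address does not silently turn the header into a client-controlled credential.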