jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] JAVAEE_SECURITY_SPEC_20 Discussion

From: Rudy De Busscher <rdebusscher_at_gmail.com>
Date: Fri, 20 Mar 2015 06:58:15 +0100

All,

Related to the code snippets presented in issue 20:
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-20

They seem to indicate 2 opposite directions of performing the
authentication.

*First example* with TokenAuthenticator injected

The injected authenticator is responsible for checking the credentials and
determining if the user/Subject is allowed.

if (authenticator.authenticate(token)) {


*Second example* with the CDI Event

The event payload receives the Credential information and the calling class
is responsible for verifying them.

But as I already pointed out in the comment of the issue, I find it odd to
fire an event to ask for some data.
And secondly, not all auth-methods have a username.

*Possible solution:* (but not ideal, still thinking about nicer one)

We inject a TokenRetrieval (or other descriptive name) object.
And the *retrieve* method returns a concrete implementation of the return
type interface (which is very generic, as there are many very different
types: username/password, token, ...).

The method calling the retrieve method should then decide if it can handle
that type of Credential.

At some point we have to deal with the fact that there are very different
types of Credentials. And I also have no nice solution for how we can deal
with that, nor for which part of the flow/code should handle it.

Regards
Rudy
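One way to sketch the injected-retrieval idea from the message above, as an added example that is not code from the message, the issue or the JSR 375 spec: a generic Credential interface, two concrete types (one with a username, one token-based without), a stand-in for the injected retrieval object, and a caller that only handles the type it understands and fails closed on anything else. All names (Credential, UsernamePasswordCredential, TokenCredential, CredentialRetrieval, BasicAuthMechanism) are assumptions, not spec API.

```java
import java.util.Arrays;
import java.util.Optional;

// Marker interface: the "very generic" return type the message describes.
interface Credential {}

// Concrete type for auth-methods that carry a username (hypothetical name).
final class UsernamePasswordCredential implements Credential {
    private final String username;
    private final char[] password;
    UsernamePasswordCredential(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }
    String getUsername() { return username; }
    char[] getPassword() { return password.clone(); }
}

// Concrete type for token-based auth-methods, which have no username.
final class TokenCredential implements Credential {
    private final String token;
    TokenCredential(String token) { this.token = token; }
    String getToken() { return token; }
}

// Stand-in for the injected retrieval object (hypothetical name).
interface CredentialRetrieval {
    Credential retrieve();
}

// The caller decides whether it can handle the returned Credential type.
final class BasicAuthMechanism {
    private final CredentialRetrieval retrieval;
    BasicAuthMechanism(CredentialRetrieval retrieval) { this.retrieval = retrieval; }

    // Returns the authenticated name, or empty when the credential type is not
    // supported here or validation fails; unknown types are rejected, not guessed at.
    Optional<String> authenticate() {
        Credential c = retrieval.retrieve();
        if (c instanceof UsernamePasswordCredential) {
            UsernamePasswordCredential up = (UsernamePasswordCredential) c;
            return validate(up) ? Optional.of(up.getUsername()) : Optional.empty();
        }
        return Optional.empty(); // e.g. a TokenCredential: another mechanism's job
    }

    private boolean validate(UsernamePasswordCredential up) {
        // Constructed check standing in for a real identity-store lookup.
        return "alice".equals(up.getUsername())
            && Arrays.equals(up.getPassword(), "s3cret".toCharArray());
    }
}
```

Wiring `new BasicAuthMechanism(() -> new TokenCredential("t"))` yields an empty result, which is the point: a mechanism that assumes a username never sees one from a token credential and must decline rather than proceed.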