jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Devoxx BE feedback

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 16 Nov 2015 22:54:41 +0100

Hi,

On Mon, Nov 16, 2015 at 7:51 PM, Rudy De Busscher <rdebusscher_at_gmail.com>
wrote:

> @All,
>
> Just want to add one additional thing.
>
> There was a question about adding 'metadata' of the logged in user (like
> department, affiliate, ...) so that it can be used to determine if the
> user/caller is allowed to execute the specified action.
>

That's a bit in the domain of JSR 351, isn't it?

The default way of sorts to do this now I think is by using a custom
principal that has properties for this metadata. JASPIC already supports
setting a custom principal. See
https://github.com/javaee-samples/javaee7-samples/blob/master/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java#L58

A custom principal would play well with EL, as the exact type doesn't have
to be known there.

E.g.

@EvaluateSecured("callerPrincipal.department == 'finance'")

We do have to discuss I believe how to support a custom principal with the
identity store interface. Perhaps an extra property on the return value of
the validate() method that takes precedence if not null?

Kind regards,
Arjan Tijms
>
> Hope to meet some more experts another time. :)
>
> Best regards
> Rudy
>
>
> On 16 November 2015 at 15:53, Jean-Louis Monteiro <
> jlmonteiro_at_tomitribe.com> wrote:
>
>> Hi everyone,
>>
>> Was last week at Devoxx BE. Got to meet Rudy from the expert group which
>> is nice.
>> The talk itself went great. Did reuse some of the materials already done
>> previously.
>>
>> Good participation during regular polls when I was talking.
>> Surprisingly no question during the Q/R which made me feel bad.
>>
>> But right after the applause, about 10 people jumped on stage to discuss
>> and congratulate me which made me feel a bit better.
>> Wasn't my best talk at all, but looks like at least some people found it
>> interesting.
>>
>> Some feedback
>>
>> - rather use user than caller for the consistency question
>>
>> - CDI must be in the landscape - @Transactional used as a comparison of
>> the thing to do. Antoine also opened the doors to collaborate.
>>
>> - Events - people overall really liked the event approach to either
>> collect information about the authN/authZ process, or also to authenticate
>> as we proposed in the playground.
>>
>> - Websocket - please do not forget it. What about HTTP/2 also.
>>
>> - Multi-tenancy - targeting the cloud is a great decision but
>> multi-tenancy must be addressed.
>>
>> Hope this helps our discussions.
>>
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
>>
>
>
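The custom-principal approach Arjan describes above, worked through as an added example; this is not code from the thread, from the linked javaee7-samples module or from the JSR 375 project. It shows a Principal that carries caller metadata (the department and affiliate properties Rudy mentions), the one JASPIC call a SAM needs to hand that principal to the container, and an EL evaluation of an expression in the style of @EvaluateSecured("callerPrincipal.department == 'finance'"). The annotation name EvaluateSecured, the class and method names, the "callerPrincipal" variable name and the sample callers are assumptions; javax.el.ELProcessor and javax.security.auth.message.callback.CallerPrincipalCallback are the real EL 3.0 and JASPIC 1.1 APIs.

```java
// Added example, not part of the original message. Assumed names: EvaluateSecured,
// CallerPrincipal, establishCaller, isAllowed and the sample callers below.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import javax.el.ELProcessor;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.callback.CallerPrincipalCallback;

public class CustomPrincipalExample {

    /** Hypothetical annotation from the thread. The expression is written by the
     *  application author at compile time; it is never taken from request input. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface EvaluateSecured {
        String value();
    }

    /** Custom principal: the caller name plus the metadata authorization rules need.
     *  Public getters are what EL's bean resolution reads ("callerPrincipal.department"). */
    public static final class CallerPrincipal implements Principal {
        private final String name;
        private final String department;
        private final String affiliate;

        public CallerPrincipal(String name, String department, String affiliate) {
            this.name = name;
            this.department = department;
            this.affiliate = affiliate;
        }

        @Override
        public String getName() { return name; }
        public String getDepartment() { return department; }
        public String getAffiliate() { return affiliate; }
    }

    /** The piece of a JASPIC ServerAuthModule.validateRequest that installs the
     *  custom principal: the container stores it in the client Subject, and code
     *  downstream only needs java.security.Principal or EL to reach its properties. */
    static void establishCaller(CallbackHandler handler, Subject clientSubject,
                                CallerPrincipal principal) throws Exception {
        handler.handle(new Callback[] {
            new CallerPrincipalCallback(clientSubject, principal)
        });
    }

    /** Evaluates an @EvaluateSecured expression against the current caller.
     *  Default deny: anything other than Boolean.TRUE (null, a non-boolean result,
     *  or an evaluation error) refuses access. */
    static boolean isAllowed(String expression, Principal caller) {
        if (expression == null || caller == null) {
            return false;
        }
        try {
            ELProcessor el = new ELProcessor();
            el.defineBean("callerPrincipal", caller);   // name used in the thread's example
            Object result = el.eval(expression);
            return Boolean.TRUE.equals(result);
        } catch (RuntimeException e) {
            // Unknown property, parse error, etc.: treat as denied rather than allowed
            return false;
        }
    }

    /** Reads the rule from an annotated method or class and checks it. */
    static boolean isAllowed(EvaluateSecured rule, Principal caller) {
        return isAllowed(rule.value(), caller);
    }

    // Usage with constructed callers: the rule from the thread, applied to a
    // finance caller and to an HR caller.
    public static void main(String[] args) {
        String rule = "callerPrincipal.department == 'finance'";
        Principal finance = new CallerPrincipal("alice", "finance", "acme");
        Principal hr = new CallerPrincipal("bob", "hr", "acme");
        System.out.println("alice allowed: " + isAllowed(rule, finance));
        System.out.println("bob allowed:   " + isAllowed(rule, hr));
        // A rule naming a property the principal lacks is denied, not granted
        System.out.println("bad rule:      " + isAllowed("callerPrincipal.clearance == 'top'", finance));
    }
}
```

Two design points worth noting. First, EL only needs a bean with public getters, so the container and the interceptor that evaluates the rule never have to know the concrete principal type, which is exactly why a custom principal "plays well with EL" as the message says. Second, the evaluator is default-deny: a rule that references a property the principal does not have, or that evaluates to something other than a boolean, refuses the call instead of silently passing, so a typo in an annotation fails closed. How the identity store's validate() result carries such a principal (Arjan's suggested extra property) is the open question in the thread and is not addressed here.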