users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: CDI Authentication Events

From: Jean-Louis Monteiro <jlmonteiro_at_tomitribe.com>
Date: Fri, 13 Mar 2015 12:00:03 +0100

Hi again,

>
> I think btw that the particular discussion we now find ourselves in is
> most closely related with the following existing issue;
> https://java.net/jira/browse/JAVAEE_SPEC-25
>
> Here Reza asks to essentially modernise/CDI-ify JAAS login modules
> (calling them "security providers", yet another term)
>
> David seems to be asking the same thing, but using an event per credential
> type, where Reza proposed an annotation and a different method signature
> per credential type. My own suggestion in the comments used a bean type per
> credential type.
>
> David, can you confirm that this is indeed what you wanted to discuss here?
>

Yes, in the prototype David was talking about, we chose to create an
immutable CDI event.

https://github.com/apache/tomee/tree/tomee-1.7.x/examples/cdi-event-realm
https://github.com/apache/tomee/blob/tomee-1.7.x/examples/cdi-event-realm/src/main/java/org/superbiz/AuthBean.java
This applies to Tomcat realms, but the idea is there and we could get the
Java EE APIs using CDI events (as an alternative or to replace) the set of
callbacks, and all the handler stuff with the casts.

For those knowing Tomcat, I also implemented an event for adding
constraints on the fly because having only URL pattern (+ HTTP verb)
matching declared statically as annotations (or in the web.xml) is not
enough.
Just fired an event so the application can observe it and add more
constraints to the current request:

    public void findSecurityConstraints(@Observes FindSecurityConstraintsEvent event) {
        event.addRoles("admin", "user");
        event.setUserConstraint("CONFIDENTIAL");
    }

JLouis
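
The following is an added example, not part of the original message and not TomEE code: a plain-Java model of the per-request constraint event described above, showing an observer that adds constraints for paths known only at runtime and how an enforcement point would apply them. Only `addRoles` and `setUserConstraint` come from the message; the request accessors, the getters, `DynamicConstraintsDemo`, the tenant prefixes, and the "any listed role, CONFIDENTIAL means secure transport" semantics (borrowed from servlet security constraints) are assumptions.

```java
import java.util.*;

// Hypothetical stand-in for the event in the message. Only addRoles and
// setUserConstraint appear there; the accessors below are assumptions.
final class FindSecurityConstraintsEvent {
    private final String method, path;
    private final Set<String> roles = new LinkedHashSet<>();
    private String userConstraint = "NONE";
    FindSecurityConstraintsEvent(String method, String path) {
        this.method = method;
        this.path = path;
    }
    String getMethod() { return method; }
    String getPath() { return path; }
    void addRoles(String... r) { roles.addAll(Arrays.asList(r)); }
    void setUserConstraint(String c) { userConstraint = c; }
    Set<String> getRoles() { return roles; }
    String getUserConstraint() { return userConstraint; }
}

public class DynamicConstraintsDemo {
    // Constructed sample data: per-tenant admin prefixes loaded at runtime,
    // so they cannot be declared statically in annotations or web.xml.
    static final Set<String> ADMIN_PREFIXES =
            new HashSet<>(Arrays.asList("/acme/admin", "/globex/admin"));

    // Plays the role of the @Observes method. Match on a path-segment
    // boundary so "/acme/administrator" is not treated as "/acme/admin".
    static void observe(FindSecurityConstraintsEvent e) {
        for (String p : ADMIN_PREFIXES) {
            if (e.getPath().equals(p) || e.getPath().startsWith(p + "/")) {
                e.addRoles("admin");
                e.setUserConstraint("CONFIDENTIAL");
            }
        }
    }

    // Enforcement point: the container would fire the CDI event here.
    static boolean allowed(String method, String path, Set<String> callerRoles, boolean secure) {
        FindSecurityConstraintsEvent e = new FindSecurityConstraintsEvent(method, path);
        observe(e);
        if ("CONFIDENTIAL".equals(e.getUserConstraint()) && !secure) return false;
        // Roles are alternatives: the caller needs any one of them.
        return e.getRoles().isEmpty() || !Collections.disjoint(e.getRoles(), callerRoles);
    }

    public static void main(String[] args) {
        Set<String> admin = Collections.singleton("admin"), user = Collections.singleton("user");
        System.out.println(allowed("GET", "/acme/admin/users", admin, true));
        System.out.println(allowed("GET", "/acme/admin/users", user, true));
        System.out.println(allowed("GET", "/acme/admin/users", admin, false));
        System.out.println(allowed("GET", "/acme/administrator", user, false));
    }
}
```

Because added roles are alternatives, an observer that adds a broader role to a path that already requires a narrower one widens access rather than tightening it.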