From: Adam Bien <abien_at_adam-bien.com>
Date: Sun, 19 Apr 2015 10:32:01 +0200

Hi *,

I was able to move the JASPIC initialization from application code into the SPI (org.omnifaces in our case) relying on lazy injection of authorization modules.


   @Inject
    Instance<ServerAuthModule> authModule;

Two stereotypes: https://github.com/AdamBien/secspike/tree/master/todo/src/main/java/javax/annotation/security are marking the marking the corresponding module. This decouples the application code from SPI.

To choose the authentication method, the application will have to choose the appropriate annotation in beans.xml:

<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
       bean-discovery-mode="all">
    <alternatives>
        <!--
                <stereotype>javax.annotation.security.TokenAuthentication</stereotype>
        -->
        <stereotype>javax.annotation.security.BasicAuthentication</stereotype>
    </alternatives>
</beans>

The code works on GF 4.1.

Any feedback is welcome!

cheers,

adam