Hi,
Looks awesome!
Didn't yet study the code in detail, but the declarative approach is
indeed what should work best. Programmatic should be possible too, but
I think fewer people would want to use that (compare Servlet spec,
which has declarative annotations, declarative XML, and a programmatic
API to say register Servlets or Filters).
It should be a small step to make the ServerAuthModule implementation
a bean itself too. I.e. a runtime provided non-bean version can simply
obtain a bean version from the bean manager and delegate every method
to that 1:1.
Kind regards,
Arjan
On Sun, Apr 19, 2015 at 10:32 AM, Adam Bien <abien_at_adam-bien.com> wrote:
> Hi *,
>
> I was able to move the JASPIC initialization from application code into the SPI (org.omnifaces in our case) relying on lazy injection of authorization modules.
>
>
> @Inject
> Instance<ServerAuthModule> authModule;
>
> Two stereotypes: https://github.com/AdamBien/secspike/tree/master/todo/src/main/java/javax/annotation/security are marking the corresponding module. This decouples the application code from SPI.
>
> To choose the authentication method, the application will have to choose the appropriate annotation in beans.xml:
>
> <beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
>        bean-discovery-mode="all">
>     <alternatives>
>         <!--
>         <stereotype>javax.annotation.security.TokenAuthentication</stereotype>
>         -->
>         <stereotype>javax.annotation.security.BasicAuthentication</stereotype>
>     </alternatives>
> </beans>
>
> The code works on GF 4.1.
>
> Any feedback is welcome!
>
> cheers,
>
> adam
>
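
The delegation described in the reply above (a runtime-provided, non-bean ServerAuthModule that obtains the bean version from the bean manager and forwards every method 1:1), as an added example that is not part of the original messages or of the secspike project. The class name DelegatingServerAuthModule is hypothetical, and the sketch assumes exactly one ServerAuthModule bean is enabled through the stereotype alternatives in beans.xml; it refuses to initialize otherwise.

```java
import java.util.Map;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.Vetoed;
import javax.enterprise.inject.spi.CDI;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.module.ServerAuthModule;

// Hypothetical wrapper registered by the runtime. @Vetoed keeps it out of CDI
// (bean-discovery-mode="all" would otherwise make it a candidate for itself).
@Vetoed
public class DelegatingServerAuthModule implements ServerAuthModule {
    private ServerAuthModule delegate;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, Map options) throws AuthException {
        Instance<ServerAuthModule> candidates = CDI.current().select(ServerAuthModule.class);
        // Fail closed: no enabled module, or more than one, must not result in
        // requests being handled by an arbitrary or missing authenticator.
        if (candidates.isUnsatisfied() || candidates.isAmbiguous()) {
            throw new AuthException("Expected exactly one enabled ServerAuthModule bean");
        }
        delegate = candidates.get();
        delegate.initialize(requestPolicy, responsePolicy, handler, options);
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return delegate().getSupportedMessageTypes();
    }
    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        return delegate().validateRequest(info, client, service);
    }
    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject service) throws AuthException {
        return delegate().secureResponse(info, service);
    }
    @Override
    public void cleanSubject(MessageInfo info, Subject subject) throws AuthException {
        delegate().cleanSubject(info, subject);
    }
    // Guard against use before a successful initialize().
    private ServerAuthModule delegate() {
        if (delegate == null) throw new IllegalStateException("initialize() has not succeeded");
        return delegate;
    }
}
```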