users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Top Down vs. Bottom Up

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 20 Apr 2015 15:58:51 +0200

Hi,

On Mon, Apr 20, 2015 at 3:51 PM, Darran Lofthouse
<darran.lofthouse_at_redhat.com> wrote:
> +1 maybe this transition is just something that is handled at the app server
> level, one thing I am exploring is that as an application is being deployed
> its security settings being overridden.

That too indeed. It may need a little discussion, but I think the spec
should definitely allow the server to override security settings that
are defined in the application.

E.g. suppose the application sets the authentication mechanism to
BASIC with an in-memory identity store. Then a system administrator
should be able to change the identity store to, say, LDAP while keeping
the authentication mechanism as-is, OR change BASIC to some custom
mechanism while keeping the identity store as-is, OR change them both.
All of this without prying open the war (let alone recompiling
anything).

Kind regards,
Arjan Tijms

>
>> Just my 2 cents ;)
>>
>> Kind regards,
>> Arjan Tijms
>>
>>>
>>>> 2. token authentication with JAX-RS
>>>> 3. annotation based and runtime authorization (interceptors, permissions
>>>> etc.)
>>>> 4. enhancement of Principal with application specific payload
>>>> 5. logout
>>>> 6. user management
>>>>
>>>> I would like to create a simplistic Java EE application(s) (max 5
>>>> classes)
>>>> and try to implement the use cases above with minimal required code.
>>>> If necessary with proprietary APIs, which hopefully are going to be
>>>> replaced by standard spec as we progress.
>>>> We could use this application for further discussion and further
>>>> simplification and usability enhancement,
>>>>
>>>> what do you think?
>>>>
>>>> cheers,
>>>>
>>>> adam
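The override model Arjan describes above, as an added Java example that is not part of this thread and not the JSR 375 API: a hypothetical `AuthenticationMechanism` (turns request headers into a credential) is wired to a separate `IdentityStore` (validates it), and `SecurityConfigResolver` layers server-side properties over what the WAR declared, key by key, so a deployer can swap only the store, only the mechanism, or both. The `ApiKeyMechanism` header, the `alice` account and the LDAP URL are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

// Hypothetical model (not JSR 375): keeping "how is the credential obtained" apart from
// "who vouches for it" is what lets a deployer replace either one without opening the WAR.
interface AuthenticationMechanism { Optional<Credential> extract(Map<String, String> headers); }
interface IdentityStore { boolean validate(Credential c); }
record Credential(String user, String secret) {}

/** BASIC per RFC 7617: "Authorization: Basic base64(user:password)". */
final class BasicMechanism implements AuthenticationMechanism {
    public Optional<Credential> extract(Map<String, String> headers) {
        String h = headers.get("Authorization");
        if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return Optional.empty(); } // malformed base64, not an error page
        int colon = decoded.indexOf(':');
        if (colon < 1) return Optional.empty(); // user must be non-empty; the password may itself contain ':'
        return Optional.of(new Credential(decoded.substring(0, colon), decoded.substring(colon + 1)));
    }
}

/** Stand-in for a "custom" mechanism: a constructed header "X-Api-Key: user:key". */
final class ApiKeyMechanism implements AuthenticationMechanism {
    public Optional<Credential> extract(Map<String, String> headers) {
        String h = headers.get("X-Api-Key");
        int colon = h == null ? -1 : h.indexOf(':');
        return colon < 1 ? Optional.empty()
                         : Optional.of(new Credential(h.substring(0, colon), h.substring(colon + 1)));
    }
}

/** In-memory store; secrets are compared in constant time (a real store would hold hashes). */
final class InMemoryStore implements IdentityStore {
    private final Map<String, String> users;
    InMemoryStore(Map<String, String> users) { this.users = users; }
    public boolean validate(Credential c) {
        String expected = users.get(c.user());
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), c.secret().getBytes(StandardCharsets.UTF_8));
    }
}

/** LDAP store: validates by a simple bind as the user's DN against the configured server. */
final class LdapStore implements IdentityStore {
    private final String url, dnTemplate;
    LdapStore(String url, String dnTemplate) { this.url = url; this.dnTemplate = dnTemplate; }
    public boolean validate(Credential c) {
        // Only a conservative character set reaches the DN template, and an empty password is
        // refused because many servers treat it as an anonymous bind that "succeeds".
        if (!c.user().matches("[A-Za-z0-9._-]{1,64}") || c.secret().isEmpty()) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(dnTemplate, c.user()));
        env.put(Context.SECURITY_CREDENTIALS, c.secret());
        try { new InitialDirContext(env).close(); return true; }
        catch (NamingException e) { return false; }
    }
}

/** Layers server-level overrides over the application's declared settings, key by key. */
final class SecurityConfigResolver {
    record Resolved(AuthenticationMechanism mechanism, IdentityStore store) {}
    static Resolved resolve(Properties appDeclared, Properties serverOverride) {
        Properties effective = new Properties();
        effective.putAll(appDeclared);
        effective.putAll(serverOverride); // every key the server sets wins; the rest stay as declared
        AuthenticationMechanism m = switch (effective.getProperty("auth.mechanism", "BASIC")) {
            case "BASIC" -> new BasicMechanism();
            case "API_KEY" -> new ApiKeyMechanism();
            default -> throw new IllegalArgumentException("unknown auth.mechanism");
        };
        IdentityStore s = switch (effective.getProperty("identity.store", "in-memory")) {
            case "in-memory" -> new InMemoryStore(Map.of("alice", "s3cret")); // constructed sample account
            case "ldap" -> new LdapStore(effective.getProperty("ldap.url"), effective.getProperty("ldap.dnTemplate"));
            default -> throw new IllegalArgumentException("unknown identity.store");
        };
        return new Resolved(m, s);
    }
}

public class OverrideDemo {
    public static void main(String[] args) {
        Properties app = new Properties(); // what the WAR declares: BASIC + in-memory
        app.setProperty("auth.mechanism", "BASIC");
        app.setProperty("identity.store", "in-memory");

        Properties none = new Properties();
        Properties swapStore = new Properties(); // keep BASIC, move the store to LDAP
        swapStore.setProperty("identity.store", "ldap");
        swapStore.setProperty("ldap.url", "ldap://ldap.example.internal:389"); // placeholder
        swapStore.setProperty("ldap.dnTemplate", "uid=%s,ou=people,dc=example,dc=com");
        Properties swapMechanism = new Properties(); // keep the in-memory store, custom mechanism
        swapMechanism.setProperty("auth.mechanism", "API_KEY");

        for (Properties override : List.of(none, swapStore, swapMechanism)) {
            SecurityConfigResolver.Resolved r = SecurityConfigResolver.resolve(app, override);
            System.out.println(r.mechanism().getClass().getSimpleName() + " + " + r.store().getClass().getSimpleName());
        }

        // A constructed BASIC request authenticated against the unmodified application configuration.
        SecurityConfigResolver.Resolved r = SecurityConfigResolver.resolve(app, none);
        String header = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        boolean ok = r.mechanism().extract(Map.of("Authorization", header)).map(r.store()::validate).orElse(false);
        System.out.println("alice authenticated: " + ok);
    }
}
```

Compile and run as a single file with `java OverrideDemo.java` (Java 17 or later). The LDAP branch only resolves the store here; calling `validate` on it would attempt a real bind to the placeholder URL, which is exactly the point of the override: the WAR keeps declaring BASIC plus in-memory, and the server-side properties decide which store actually answers.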