users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: [javaee-spec users] Re: [jsr366-experts] Java EE Security API

From: Werner Keil <werner.keil_at_gmail.com>
Date: Tue, 11 Apr 2017 11:50:36 +0200

On Tue, Apr 11, 2017 at 11:20 AM, Romain Manni-Bucau <rmannibucau_at_gmail.com>
wrote:

>
> 2017-04-11 11:16 GMT+02:00 Werner Keil <werner.keil_at_gmail.com>:
>
>>
>>
>> On Tue, Apr 11, 2017 at 10:53 AM, Romain Manni-Bucau <
>> rmannibucau_at_gmail.com> wrote:
>>
>>>
>>> 2017-04-11 10:44 GMT+02:00 Werner Keil <werner.keil_at_gmail.com>:
>>>
>>>> +1
>>>>
>>>> Security is important and too often ignored, so making 375 available in
>>>> the "smallest" Profile available is a must have IMO.
>>>>
>>>
>>> I would agree if it would be as easy as deploying a rest service but it
>>> is not. Any hope the entry cost is reduced before 1.0.0.final? If so a big
>>> +1, if not i'll keep the same opinion on that.
>>>
>>>
>>>> About download figures, I found Bintray especially helpful if used
>>>> properly. Security API and Soteria are made available with full download
>>>> stats.
>>>>
>>>> I know Apache itself is not so helpful. I raised it at ApacheCon but
>>>> heard, they could not do it because of mirrors. Whether Bintray includes
>>>> downloads via Mavencentral or not I can't tell, but even if it was
>>>> combined, the rejected "legacy" JSR275 has more than what we heard from
>>>> Deltaspike.
>>>>
>>>> The Most popular Eclipse projects in MarketPlace have 30-40k downloads
>>>> per Month, so should E.g. Microprofile Parts or custom implementations be
>>>> there it was easy to tell which are popular and which are less
>>>>
>>>
>>> We can close that, point was there are used libs which are not relying
>>> on "complex" state machine + protocol (notify*) coding in user land, then
>>> the detail of stats and which part is hidden if out of topic there (even if
>>> interesting ;)).
>>>
>>>
>>
>> I keep working in environments that rely on established standards, even
>> if some may be older or seem "complex". A few customers also use Spring
>> because it developed a support infrastructure they can rely on but that
>> whold "userland" and the most recent buzzword people may get to talk at
>> many conferences with is neither trustworthy nor useful to them.
>>
>> They have realtime and often safety critical systems people's lives can
>> depend on. And need Long Term Support for decades.
>> If they hear, that Angular 2 is totally incompatible with version 1 and
>> that in 10 or 20 years when their end customers still need this system to
>> function nobody knows, if "Angular 42" may exist or something totally
>> different they are scared and turn away from it ;-)
>>
>
> This is true but also saw that security was home made in 90% of the apps I
> worked on - even if there is an underlying standard close or far like
> oauth2 - cause any framework/API was not brining enough value.
>
>

That has been the case with several other aspects. Seen myriads of projects
that over the last 20 years or so created their own Money API and currency
conversion, etc. Some started adopting JSR 354 (also more "FinTechs" or
Cloud-affine companies like Netflix, Zalando,...), e.g. an Apache attempt
(Commons Money) never left Incubator.


>
>> Werner
>>
>>
>