I agree, it's some great ideas.
Considering that none of the JEE8 specs have even started to form, maybe
now's a good time to brain storm on ideas for security?
BTW, it should probably be outside the platform team, the same way CDI is
outside the platform team. Makes it more reusable.
John
On Mon, Jul 15, 2013 at 8:17 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> Hi,
>
> Thanks for posting that link! Modernizing the security framework(s) is an
> important topic I think. The link goes into some more details, but briefly
> said it would be cool if there was an overall security framework in Java EE
> building on the more modern APIs (specifically CDI), with some more
> high-level/convenience functionality.
>
> There seems to be some level of support for this. E.g. Reza Rahman and me
> proposed nearly identical functionality in
> https://java.net/jira/browse/JAVAEE_SPEC-25?focusedCommentId=364516&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_364516
>
> Something like that could be implemented in a reasonably trivial way,
> provided that JASPIC supports CDI and is part of the web profile. A
> possible new overall security framework could then build on JASPIC and CDI
> to provide the requested ease-of-use functionality.
>
> I think having a general injectable SecurityContext as a replacement for
> Servlet, EJB and JAX-RS specific functionality like checking if a user has
> a given role would also present a much stronger feeling of unity.
>
> Kind regards,
> Arjan Tijms
>