users@javaee-spec.java.net

[javaee-spec users] Re: [jsr366-experts] Java EE Security API

From: Michael Remijan <mjremijan_at_yahoo.com>
Date: Tue, 11 Apr 2017 14:08:44 +0000 (UTC)

Arjan,
Thanks for this link. I've been looking for something like this forever. From what I've seen, most applications nowadays sit behind some kind of single-sign-on authentication system and rely on information passed from that system (typically through headers) to ultimately provide the user/role information. Your "Header based stateless token authentication for JAX-RS" is much more simple than "Programmatically registering JASPIC auth modules".

On Monday, April 10, 2017 5:53 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:

Could be a good idea indeed.
I'm of course strongly, strongly biased, but I know from application development and working with a lot of different devs in application development, that something like a basic security for JAX-RS endpoints in a fully portable and app controlled way is something that comes up each and every time.
Basically just something like defining this: (pre JSR 375 syntax)
http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html



On Tue, Apr 11, 2017 at 12:47 AM, reza_rahman <reza_rahman_at_lycos.com> wrote:

If needed, I suggest doing a simple community poll (e.g. via Twitter) to help determine this. As I said, I suspect there is very strong desire for this functionality in all profiles.
What do other people in this EG think? I know activity has been sparse for quite a few months, but surely we all have some opinions on this?
-------- Original message --------
From: reza_rahman <reza_rahman_at_lycos.com>
Date: 4/10/17 4:38 PM (GMT-05:00)
To: users_at_javaee-spec.java.net
Subject: Re: [javaee-spec users] Re: [jsr366-experts] Java EE Security API

I actually think what we have now is pretty useful. Given the strong support for security in all the Java EE surveys, I think it sends the wrong message not to include it in the Web Profile. I don't see that there is any future where the security API does not wind up in pretty much all significant Java EE profiles.