Arjan,
Thanks for this link. I've been looking for something like this forever. From what I've seen, most applications nowadays sit behind some kind of single-sign-on authentication system and rely on information passed from that system (typically through headers) to ultimately provide the user/role information. Your "Header based stateless tokenauthentication for JAX-RS" is much more simple than "Programmaticallyregistering JASPIC auth modules".
On Monday, April 10, 2017 5:53 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
Could be a good idea indeed.
I'm of course strongly, strongly biased, but I know from application development and working with a lot of different devs in application development, that something like a basic security for JAX-RS endpoints in a fully portable and app controlled way is something that comes up each and every time.
Basically just something like defining this: (pre JSR 375 syntax)
http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html
On Tue, Apr 11, 2017 at 12:47 AM, reza_rahman <reza_rahman_at_lycos.com> wrote:
If needed, I suggest doing a simple community poll (e.g. via Twitter) to help determine this. As I said, I suspect there is very strong desire for this functionality in all profiles.
What do other people in this EG think? I know activity has been sparse for quite a few months, but surely we all have some opinions on this?
-------- Original message --------From: reza_rahman <reza_rahman_at_lycos.com> Date: 4/10/17 4:38 PM (GMT-05:00) To: users_at_javaee-spec.java.net Subject: Re: [javaee-spec users] Re: [jsr366-experts] Java EE Security API
I actually think what we have now is pretty useful. Given the strong support for security in all the Java EE surveys, I think it sends the wrong message not to include it in the Web Profile. I don't see that there is any future where the security API does not wind up in pretty much all significant Java EE profiles.