users@servlet-spec.java.net

[servlet-spec users] Re: Standardizing authentication modules in Servlet (via JASPIC)?

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Fri, 24 Oct 2014 12:35:25 +0200

Hi,

On Fri, Oct 24, 2014 at 9:17 AM, Mark Thomas <markt_at_apache.org> wrote:
> On 23/10/2014 21:52, arjan tijms wrote:
>>
>> DB> If you wanted to roll up your sleeves, we'd be more than happy to
>> see [Geronimo's JASPIC] ported or reimplemented in TomEE.
>> M> or Tomcat :)
>
> That is taking what I said rather out of context.

Sorry to hear that, although it was mostly David's quote there ;)

> I recommend that folks read the entire discussion but the short version
> is that there is very, very little user demand for it. To date, Arjan is
> the only Tomcat user asking for JASPIC support in Tomcat.

I'm strongly of the opinion that it's a vicious circle. Vendors don't
talk about JASPIC, people thus don't know about JASPIC, people don't
ask about JASPIC, vendors talk about it even less, etc.

I do actually have a (small) number of users contacting me about
JASPIC and/or portable authentication in general. They're expressing
their wish to have it more widely available and simplified and such.
I typically ask them to follow up at some public place, but
unfortunately they don't always do this.

As I think I mentioned somewhere before, JASPIC is not the end
solution to all things security in Java EE. It's a fairly small
thing actually. But security in Java EE has been stuck for a long time
and I've been trying to get it to move forward. Even though just
having "additional authentication APIs" in Servlet standardized
wouldn't make a huge difference right away, it will in my opinion be a
nudge in the right direction upon which further improvements and
additional convenience APIs (which don't have to be, and frankly
shouldn't be in Servlet) can build.

So while I agree that demand for something as low-level as JASPIC will
naturally always be relatively low, the things it will eventually
enable are IMHO most definitely of interest to a much larger group of
users.

> Comparing this to WebSocket, we saw much, much more demand for WebSocket
> but no-one is talking about making WebSocket support mandatory for a
> Servlet container.

I know, but isn't that more like a new feature very directly aimed at
users? This particular thing is something Servlet containers are
already doing; it's just asking them to do that in a standardized way. This
standardized way already exists and many Servlet containers already
implement it.

Would you change your mind about this somewhat if I ported or
reimplemented the Geronimo JASPIC implementation for Tomcat?

Kind regards,
Arjan
> I remain of the opinion that JASPIC support should be optional for a
> Servlet container.
>
> Mark
>
>
>>
>> Having portable auth modules available is not only a concern for pure
>> Servlet, but is a topic that also frequently comes up when it comes to
>> securing JAX-RS endpoints. The following is an excellent example of a
>> server auth module that works great with JAX-RS, but unfortunately can
>> only be used on full Java EE implementations now:
>> http://trajano.net/2014/07/oauth-2-0-jaspic-implementation
>>
>> I think there thus seems to be a reasonable precedent for this feature.
>>
>> Kind regards,
>> Arjan Tijms
>>
>