Resource authentication


Bruno Oliveira

Apr 5, 2012, 10:14:25 AM
to deltasp...@incubator.apache.org, jbos...@googlegroups.com

Hi folks, I would like to share some thoughts about aerogear development and security.

I made some changes in aerogear-security (https://github.com/abstractj/aerogear-security/tree/deltaspike) to integrate with DS 0.2. Our goal is to support REST resources authentication/authorization and provide some abstraction, as SecurityInterceptor aims to do.

The point is that SecurityInterceptor must be finished/implemented and we need some abstraction instead of going straight to username/pwd (https://github.com/abstractj/incubator-deltaspike/blob/master/deltaspike/modules/security/impl/src/test/java/org/apache/deltaspike/test/security/impl/authentication/LoginLogoutTest.java#L95).

As it is today, it might not make a lot of sense to force fit DS usage for REST resources, or usr/pwd abstractions. This support is currently targeted for phase 3/4. What I'm thinking is that I can prototype some of this support, completely based on DS implementation, and create auth providers, and SecurityInterceptor with this functionality.

With this approach I can stay closely involved with DS, and work back updates, and patches. This should also give some valuable real world experience for the use-case that we can discuss as Phase 3,4 kicks off. I DO NOT want to create another security framework, it's just about timing.

What do you think?


--
"Know the rules well, so you can break them effectively" - Dalai Lama XIV
-
@abstractj
-
Volenti Nihil Difficile

Pete Muir

Apr 5, 2012, 10:47:35 AM
to jbos...@googlegroups.com, deltasp...@incubator.apache.org
I would guess the work could be moved forward if we have someone willing to work on it?

Jay Balunas

Apr 5, 2012, 2:47:25 PM
to jbos...@googlegroups.com, deltasp...@incubator.apache.org
On Thursday, April 5, 2012 10:47:35 AM UTC-4, Pete wrote:
> I would guess the work could be moved forward if we have someone willing to work on it?

I think this is what Bruno is proposing: he's willing to start working on these parts, but for time reasons he'll do it through aerogear, and make sure to stay up with DS for integration when the time comes.

Bruno Oliveira

Apr 5, 2012, 7:11:08 PM
to jbos...@googlegroups.com
+1 This is exactly what I'm proposing.

We will keep up DS development, don't worry.

- Bruno

Lincoln Baxter, III

Apr 5, 2012, 11:52:01 PM
to jbos...@googlegroups.com
What exactly is the problem with the DeltaSpike security module? Why can't it be used for this? What is your specific need?

I think I missed something, and if it's something I can potentially address, well... let's have out with it!

~Lincoln
--
Lincoln Baxter, III
http://ocpsoft.org
"Simpler is better."

Bruno Oliveira

Apr 9, 2012, 11:25:25 AM
to jbos...@googlegroups.com
On Fri, Apr 6, 2012 at 12:52 AM, Lincoln Baxter, III <lincol...@gmail.com> wrote:
> What exactly is the problem with the DeltaSpike security module? Why can't it be used for this?

Hi Lincoln, there's no problem with DS security module and we know that some features are missing because they involve review and discussion of some topics (https://issues.apache.org/jira/browse/DELTASPIKE/fixforversion/12319477).

> What is your specific need?

As I said, SecurityInterceptor aims to provide loosely coupled tiers, mainly between aerogear-controller and aerogear-security, the point is that SecurityInterceptor must be finished/implemented/integrated with authentication providers & roles scheme. Currently I'm digging into seam-security sources to send back patches, updates or ideas (that already has great ideas and some features backported to DS).

> I think I missed something, and if it's something I can potentially address, well... let's have out with it!

Probably not, let me know what you think. It's important to understand if something wasn't clear enough.

Lincoln Baxter, III

Apr 9, 2012, 7:24:16 PM
to jbos...@googlegroups.com
Which specific features are missing? Is it the persistence integration?

~Lincoln

Bruno Oliveira

Apr 10, 2012, 4:45:56 PM
to jbos...@googlegroups.com
Persistence is not a problem. The only authentication method supported in DS currently is based on user/pwd, we are interested in more flexible auth methods (https://github.com/seam/security/tree/develop/external/src/main/java/org/jboss/seam/security/external) like seam-security does (and probably it will be backported to DS I guess).

- Bruno

Jason Porter

Apr 10, 2012, 4:55:51 PM
to jbos...@googlegroups.com
Yeah, those will probably end up being separate implementations in DS. Or perhaps some sort of chain. I could see a chain being welcome for some users (first check OpenID, then LDAP, then database, etc.).
--
Jason Porter
http://lightguard-jp.blogspot.com
http://twitter.com/lightguardjp

Software Engineer
Open Source Advocate
Author of Seam Catch - Next Generation Java Exception Handling

PGP key id: 926CCFF5
PGP key available at: keyserver.net, pgp.mit.edu
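
The provider chain suggested above (check one backend, then the next), sketched as an added example that is not code from this thread, DeltaSpike or Seam Security. All types and names are hypothetical, and ending the chain on an explicit rejection or a provider error is an assumed policy.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added illustration: every type and name here is hypothetical, not DeltaSpike or Seam Security API.
public class AuthChainExample {
    enum Outcome { SUCCESS, FAILURE, ABSTAIN }

    interface AuthProvider {
        String name();
        Outcome authenticate(String principal, String credential);
    }

    // Constructed in-memory stand-in for a real backend; plaintext secrets only keep the demo short.
    static AuthProvider provider(final String name, final Map<String, String> users) {
        return new AuthProvider() {
            public String name() { return name; }
            public Outcome authenticate(String principal, String credential) {
                String expected = users.get(principal);
                if (expected == null) return Outcome.ABSTAIN; // unknown here: the next provider may try
                boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                        credential.getBytes(StandardCharsets.UTF_8));
                return ok ? Outcome.SUCCESS : Outcome.FAILURE;
            }
        };
    }

    // Returns the name of the provider that accepted, or null when the chain denies.
    static String authenticate(List<AuthProvider> chain, String principal, String credential) {
        if (principal == null || credential == null) return null;
        for (AuthProvider p : chain) {
            Outcome outcome;
            try {
                outcome = p.authenticate(principal, credential);
            } catch (RuntimeException e) {
                return null; // policy assumption: a failing provider denies, it is not skipped
            }
            if (outcome == Outcome.SUCCESS) return p.name();
            if (outcome == Outcome.FAILURE) return null; // explicit rejection ends the chain
        }
        return null; // every provider abstained: deny by default
    }

    public static void main(String[] args) {
        List<AuthProvider> chain = Arrays.asList(
                provider("ldap", Collections.singletonMap("alice", "ldap-secret")),
                provider("database", Collections.singletonMap("alice", "old-db-secret")));
        System.out.println(authenticate(chain, "alice", "ldap-secret"));
        System.out.println(authenticate(chain, "alice", "old-db-secret"));
    }
}
```

With the constructed data, the second call is denied: the LDAP provider knows alice and rejects the credential, so the stale database entry further down the chain is never consulted.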