cxf-dev mailing list archives

From Chris Geer <>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Mon, 14 Jul 2014 01:01:19 GMT

I'm not sure I have specific advice about how to approach Shiro
compatibility without spending some cycles on it. I think we could engage
Les and the Shiro community to help though. One possible approach might just be
to have CXF use a pluggable approach so that it calls out to an API when it
checks if a user is authenticated/authorized. That way a JAAS
implementation could be put in place but a Shiro or Spring Security
implementation could also be put in place. This would have to be made OSGi
friendly, but I bet it could be done.

I guess I just wanted to toss that out there so that any decisions that
were made wouldn't preclude using frameworks other than JAAS. In my
experience, using JAAS in OSGi environments, with cross-service calls,
is very problematic so I'd just hate to see CXF require usage of JAAS. One
could argue that CXF didn't need to provide A&A at all in the core and
external libraries can be used through filters/interceptors as the

I'll give it some more thought as this conversation continues.


On Sun, Jul 13, 2014 at 10:56 AM, Christian Schneider <> wrote:

> I think it would be great to stay compatible with the external security
> frameworks.
> What do you think needs to be considered regarding Shiro?
> Christian
> On 13.07.2014 17:50, Chris Geer wrote:
>> While authentication/authorization is being discussed it would also be good
>> if compatibility with Apache Shiro was kept in mind.
> --
>  Christian Schneider
> Open Source Architect
> Talend Application Integration Division
