Date: Sun, 13 Jul 2014 18:01:19 -0700
Subject: Re: Ideas for standardizing CXF authentication and authorization
From: Chris Geer
To: dev@cxf.apache.org

Christian,

I'm not sure I have specific advice about how to approach Shiro compatibility without spending some cycles on it. I think we could engage Les and the Shiro community to help though.

One possible approach might just be to have CXF use a pluggable approach so that it calls out to an API when it checks if a user is authenticated/authorized. That way a JAAS implementation could be put in place but a Shiro or Spring Security implementation could also be put in place. This would have to be made OSGI friendly, but I bet it could be done.

I guess I just wanted to toss that out there so that any decisions that were made wouldn't preclude using frameworks other than JAAS. In my experience, using JAAS in OSGI environments, with cross-service calls, is very problematic so I'd just hate to see CXF require usage of JAAS. One could argue that CXF didn't need to provide A&A at all in the core and external libraries can be used through filters/interceptors as the standard.

I'll give it some more thought as this conversation continues.

Chris

On Sun, Jul 13, 2014 at 10:56 AM, Christian Schneider <chris@die-schneider.net> wrote:

> I think it would be great to stay compatible with the external security
> frameworks.
>
> What do you think needs to be considered regarding Shiro?
>
> Christian
>
>
> On 13.07.2014 17:50, Chris Geer wrote:
>
>> While authentication/authorization is being discussed it would also be good
>> if compatibility with Apache Shiro was kept in mind.
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com