cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andriy Redko <drr...@gmail.com>
Subject Re: Removing some old modules in 3.2.0-SNAPSHOT
Date Sun, 04 Sep 2016 17:31:32 GMT
Hey Sergey,

Sounds awesome, the time to deprecate OAuth1 will certainly come :-)
Thanks a lot!

Best Regards,
    Andriy Redko

SB> Hi Andriy

SB> Thanks, interesting to hear you are seeing quite a bit of life is left 
SB> in OAuth1 (it was indeed a real innovation at a time).
SB> I did have some doubts about whether to include this module or not.
SB> Some modules (ex, Corba related), are indeed much older, but they are 
SB> actually used these days so obviously I could not even offer for them be 
SB> dropped.
SB> I haven't heard anything about OAuth1 recently from CXF users but
SB> may be it is a sign that what already works is just working.
SB> In the end of the day, it is a first try for us to clean up CXF a bit.
SB> I'm happy enough to keep this module given your concern. I'll add it to 
SB> the list when we start a similar discussion in CXF 4.0 (whenever it 
SB> comes :-))

SB> Sergey

SB> On 03/09/16 00:23, Andriy Redko wrote:
>> Hey Sergey,

>> You are very right, OAuth2 is certainly step forward, unfortunately
>> this days OAuth1 is still used (have day by day examples of that). Great
>> talk, as always, thanks a lot for the slides, looking into them!

>> Thanks!

>> Best Regards,
>>     Andriy Redko

>> *SB> Hi Andriy

>> SB> Just something I'd like to clarify re CXF OAuth1 module. I was a mentor
>> SB> for the original GSOC project and spent quite a bit of time with it
>> SB> afterwards too.
>> SB> After spending even more time with OAuth2 I see OAuth2
>> SB> being actually simpler for a classical case originally covered by
>> OAuth1
>> SB> - one less roundtrip. It is more secure and this work is ongoing.
>> OAuth2
>> SB> got a lot of bad press after an exit of the OAuth1 author but a lot of
>> SB> that was originating from the users who either did not quite understand
>> SB> OAuth2 or were looking at the buggy implementations of Implicit
>> Flow, etc.

>> SB> These days Oauth2 is huge. But of you drill down into it and try to
>> SB> address a classical case it is simpler. And OAuth2 (with OIDC) will let
>> SB> one to scale to covering much more sophisticated cases. I'm definitely
>> SB> not planning to put more effort into CXF OAuth1 - and new users should
>> SB> be discouraged from trying it because they will go not far with it.

>> SB> I did this talk few years back:
>> *SB>
>> http://events.linuxfoundation.org/sites/events/files/slides/ApacheEuCxfOauthHawk.pdf
>> <http://events.linuxfoundation.org/sites/events/files/slides/ApacheEuCxfOauthHawk.pdf>

>> *SB> But as far as this module is concerned it has got a fair bit of
>> SB> attention a couple of years back. The last change I did there was 2
>> SB> years back. But I can accept someone is still using CXF OAuth1 client
>> SB> code against some OAuth1 server and more likely - protects CXF Server
>> SB> with CXF OAuth1 filter against some 3rd party OAuth1 client.

>> SB> Cheers, Sergey



>> SB> On 02/09/16 17:31, Sergey Beryozkin wrote:
>>>> Hi Andriy

>>>> Yeah, I just wanted to show I'm ready to depart with some of RS modules
>>>> too :-). You are right though, likely some existing integrations are
>>>> still around.

>>>> Sergey
>>>> On 02/09/16 17:27, Andrey Redko wrote:
>>>>> Hey Sergey,

>>>>> Great undertaking I think! From my side, I would put -1 to oauth module.
>>>>> You are right, technically it is old spec but it is still
>>>>> used widely (mostly because it is much simple to integrate comparing
to
>>>>> oauth2 f.e.).

>>>>> Thanks.

>>>>> Best Regards,
>>>>>     Andriy Redko

>>>>> On Fri, Sep 2, 2016 at 12:07 PM, Sergey Beryozkin <*sberyozkin@gmail.com
<mailto:sberyozkin@gmail.com>*>
>>>>> wrote:

>>>>>> Hi

>>>>>> CXF module base continues to grow - a lot of modules is available,
with
>>>>>> some of these modules being obsolete and never used.

>>>>>> I'd like to propose to drop some of these modules in 3.2.0-SNAPSHOT
to
>>>>>> make the builds faster, the workspaces smaller and new users less
>>>>>> overwhelmed :-). Once we agree on the final list I can remove them
>>>>>> but as
>>>>>> soon as we have at least a single user requesting the module back
>>>>>> we'll put
>>>>>> it back in 3.2.1. But in meantime we should give this clean-up a
try
>>>>>> :-).

>>>>>> The proposed list is below. Dan, others, please add -1 under any
item
>>>>>> you
>>>>>> feel like worth keeping (but note we will put any removed module
back in
>>>>>> 3.2.1 or later whenever it is needed again):

>>>>>> 1. rt/management-web

>>>>>> I was the one who added it, it was based on a GSOC project and I
do
>>>>>> think
>>>>>> it is a unique project (users can see logging events in Atom
>>>>>> readers), Aki
>>>>>> did some good work around it a couple of years back, but I haven't
>>>>>> seen any
>>>>>> user actually asking questions or trying to use it.
>>>>>> Thus it should go. I'll be the 1st one who will put it back if someone
>>>>>> will want to push it further.

>>>>>> 2. rt/rs/security/oauth-parent/oauth

>>>>>> This module supports Oauth1 and is also based on the GSOC project.
>>>>>> Removing it might be a bit sensitive as some users did use it few
years
>>>>>> back. But OAuth1 is technically deprecated and Oauth2 is now widely
>>>>>> deployed which is where we put a lot of effort into in CXF. I haven;t
>>>>>> heard
>>>>>> any queries about it for the last few years.

>>>>>> 3. maven-plugin/archetypes: Maven JAXWS and JAXRS prototypes. Can
>>>>>> they be
>>>>>> really useful to anyone ? May be we can drop them and put back if
>>>>>> needed.

>>>>>> 4. integration/jca - I don't even remember what JCA means :-). I
vaguely
>>>>>> recall it was some old container spec ?


>>>>>> 5. rt/bindings/object

>>>>>> I think I recall Dan explaining awhile back it is a more advanced
>>>>>> version
>>>>>> of coloc but I don't think it has ever been used by CXF users ?

>>>>>> 6. rt/databindings/jibx
>>>>>>    I believe JIBX has not been maintained for many years now, if
yes
>>>>>> then
>>>>>> lets let it go

>>>>>> 7. systests/jibx

>>>>>> 8. rt/databindings/sdo

>>>>>>    I know it was added on request from one of our previous employers,
>>>>>> which was awhile back. Not sure if we need to keep it though

>>>>>> 9. rt/databindings/xmlbeans

>>>>>>    Not sure if it is still needed. Looks like SOAP users do JAXB,
>>>>>> occasionally - Aegis

>>>>>> 10. services/wsn ?

>>>>>> 11. rt/ws/eventing ?

>>>>>> 12. rt/ws/mex ?


>>>>>> This is it for now. Please provide the feedback, we can keep this
thread
>>>>>> open for few weeks for sure

>>>>>> Thanks, Sergey

>>>>>> 10.









>> *




Mime
View raw message