cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <>
Subject Re: Removing some old modules in 3.2.0-SNAPSHOT
Date Fri, 02 Sep 2016 20:57:36 GMT
Hi Andriy

Just something I'd like to clarify re CXF OAuth1 module. I was a mentor 
for the original GSOC project and spent quite a bit of time with it 
afterwards too.
After spending even more time with OAuth2 I see OAuth2
being actually simpler for a classical case originally covered by OAuth1 
- one less roundtrip. It is more secure and this work is ongoing. OAuth2 
got a lot of bad press after an exit of the OAuth1 author but a lot of 
that was originating from the users who either did not quite understand 
OAuth2 or were looking at the buggy implementations of Implicit Flow, etc.

These days Oauth2 is huge. But of you drill down into it and try to 
address a classical case it is simpler. And OAuth2 (with OIDC) will let 
one to scale to covering much more sophisticated cases. I'm definitely 
not planning to put more effort into CXF OAuth1 - and new users should 
be discouraged from trying it because they will go not far with it.

I did this talk few years back:

But as far as this module is concerned it has got a fair bit of 
attention a couple of years back. The last change I did there was 2 
years back. But I can accept someone is still using CXF OAuth1 client 
code against some OAuth1 server and more likely - protects CXF Server 
with CXF OAuth1 filter against some 3rd party OAuth1 client.

Cheers, Sergey

On 02/09/16 17:31, Sergey Beryozkin wrote:
> Hi Andriy
> Yeah, I just wanted to show I'm ready to depart with some of RS modules
> too :-). You are right though, likely some existing integrations are
> still around.
> Sergey
> On 02/09/16 17:27, Andrey Redko wrote:
>> Hey Sergey,
>> Great undertaking I think! From my side, I would put -1 to oauth module.
>> You are right, technically it is old spec but it is still
>> used widely (mostly because it is much simple to integrate comparing to
>> oauth2 f.e.).
>> Thanks.
>> Best Regards,
>>     Andriy Redko
>> On Fri, Sep 2, 2016 at 12:07 PM, Sergey Beryozkin <>
>> wrote:
>>> Hi
>>> CXF module base continues to grow - a lot of modules is available, with
>>> some of these modules being obsolete and never used.
>>> I'd like to propose to drop some of these modules in 3.2.0-SNAPSHOT to
>>> make the builds faster, the workspaces smaller and new users less
>>> overwhelmed :-). Once we agree on the final list I can remove them
>>> but as
>>> soon as we have at least a single user requesting the module back
>>> we'll put
>>> it back in 3.2.1. But in meantime we should give this clean-up a try
>>> :-).
>>> The proposed list is below. Dan, others, please add -1 under any item
>>> you
>>> feel like worth keeping (but note we will put any removed module back in
>>> 3.2.1 or later whenever it is needed again):
>>> 1. rt/management-web
>>> I was the one who added it, it was based on a GSOC project and I do
>>> think
>>> it is a unique project (users can see logging events in Atom
>>> readers), Aki
>>> did some good work around it a couple of years back, but I haven't
>>> seen any
>>> user actually asking questions or trying to use it.
>>> Thus it should go. I'll be the 1st one who will put it back if someone
>>> will want to push it further.
>>> 2. rt/rs/security/oauth-parent/oauth
>>> This module supports Oauth1 and is also based on the GSOC project.
>>> Removing it might be a bit sensitive as some users did use it few years
>>> back. But OAuth1 is technically deprecated and Oauth2 is now widely
>>> deployed which is where we put a lot of effort into in CXF. I haven;t
>>> heard
>>> any queries about it for the last few years.
>>> 3. maven-plugin/archetypes: Maven JAXWS and JAXRS prototypes. Can
>>> they be
>>> really useful to anyone ? May be we can drop them and put back if
>>> needed.
>>> 4. integration/jca - I don't even remember what JCA means :-). I vaguely
>>> recall it was some old container spec ?
>>> 5. rt/bindings/object
>>> I think I recall Dan explaining awhile back it is a more advanced
>>> version
>>> of coloc but I don't think it has ever been used by CXF users ?
>>> 6. rt/databindings/jibx
>>>    I believe JIBX has not been maintained for many years now, if yes
>>> then
>>> lets let it go
>>> 7. systests/jibx
>>> 8. rt/databindings/sdo
>>>    I know it was added on request from one of our previous employers,
>>> which was awhile back. Not sure if we need to keep it though
>>> 9. rt/databindings/xmlbeans
>>>    Not sure if it is still needed. Looks like SOAP users do JAXB,
>>> occasionally - Aegis
>>> 10. services/wsn ?
>>> 11. rt/ws/eventing ?
>>> 12. rt/ws/mex ?
>>> This is it for now. Please provide the feedback, we can keep this thread
>>> open for few weeks for sure
>>> Thanks, Sergey
>>> 10.

Sergey Beryozkin

Talend Community Coders

View raw message