Hi guys,

I'd like to kick off a discussion around the security features for
DeltaSpike. Originally we had planned to migrate Seam Security [1] to
the PicketLink project [2], and combine it with an updated version of
PicketLink IDM [3] to create an all-round CDI-based application security
solution for Java EE6. After a number of internal discussions, we
decided that this effort would serve the developer community much better
if it were carried out under the DeltaSpike umbrella.

With that in mind, I'd like to introduce Bolek Dawidowicz (who has
already joined the DeltaSpike dev mailing list) who is the original
author of PicketLink IDM (for anyone that's confused about what IDM is,
it stands for IDentity Management and simply means the management of
users, roles, groups etc. within an application via a well-defined API).
Bolek has already done some initial design work on the API for
PicketLink IDM 2.0 [4], which we are hoping to leverage for DeltaSpike.

I'd also like to kickstart a discussion on the more general security
features of DeltaSpike. We've already discussed @Secured and
@SecurityBindingType, but have not touched on any of the other
authentication and authorization APIs. My proposal is to largely base
the design on Seam Security (code at [5]), which is already mature and
proven, and provides a robust, extensible API for users to plug in their
own authentication and authorization logic, and also integrates very
easily with federated identity services such as OpenID, OAuth and SAML.

At this stage we can keep the discussion on general terms; however, I'm
happy to delve deeper into any of the security APIs if anyone is
interested in a more technical discussion.

Thanks,
Shane

[1] http://www.seamframework.org/Seam3/SecurityModule
[2] http://www.jboss.org/picketlink
[3] http://www.jboss.org/picketlink/IDM.html
[4] https://github.com/picketlink/idm
[5] https://github.com/seam/security