Thanks for bringing things up, Darran. Take a look at https://cwiki.apache.org/confluence/display/DeltaSpike/Security+Module+Drafts. If there's something missing in the use cases, please add some. Also note we've only gone as far as Part 1 right now. We're going to be continuing discussions and implementing the other stages as we continue.

On Thu, Apr 12, 2012 at 10:51, Darran Lofthouse <[email protected]> wrote:

> Just been having a look at the Security Module page and had a couple of
> comments related to experiences in JBoss AS - Pete suggested I post my
> comments over here.
>
> A few of the problems we have had historically in JBoss AS releases regarding
> the authentication at the transport level are: -
> - The assumption that everything has a username and a credential.
> - That authentication takes a single step.
> - That the duration an authentication is valid for can be pre-defined.
>
> Looking at the initial API I just wonder is it also starting to follow the
> same assumptions. Picking username / password authentication as a first
> step whilst it may be simple historically has led us into situations where
> adding more complex scenarios end up being added as a workaround.
>
> I suppose the real question is where would this be used, is this something
> that would only be used within apps that want to establish some form of
> 'security context' with an identity or could this also be used in other
> locations such as valves implementing http authentication. If the former
> then maybe not a huge issue but if the latter this API could be repeating
> the problems of the past.
>
> Regards,
> Darran Lofthouse.
>
>

--
Jason Porter
http://lightguard-jp.blogspot.com
http://twitter.com/lightguardjp

Software Engineer
Open Source Advocate
Author of Seam Catch - Next Generation Java Exception Handling

PGP key id: 926CCFF5
PGP key available at: keyserver.net, pgp.mit.edu
