I know JWT a bit and I wonder whether doing the signing part is just a bit of JSON (JSON-P) + commons-crypto? After all JWT is especially designed to be lightweight and straightforward.
LieGrue,
strub

> On 13.02.2018 at 15:33, Romain Manni-Bucau <[email protected]> wrote:
>
> 2018-02-13 15:28 GMT+01:00 Jean-Louis Monteiro <[email protected]>:
>
>> Thanks for the feedback Jon.
>>
>> I had a couple of exchanges with Rudy which is happy to contribute some
>> code as well.
>> From what I have understood and seen, most of the code is integration code
>> and there is at least from my current knowledge a little bit of code to put
>> together in a reusable manner in a reusable library (where ever it sits).
>> I was planning to do a quick prototype and get it to work from end to end
>> into a working branch so we can move the discussion forward and see exactly
>> where we go.
>>
>> Regarding the signing library, I am kinda on the same page.
>> I don't see myself rewriting Johnzon to parse JSON and then Jose or Nimbus
>> to do signing. There is absolutely no point at least for the POC. Again,
>> we'll see if I get something working what we can do.
>>
>
> Agreeing for a PoC but for a production ready software it is if it can
> conflict or bring drawbacks to the users to import the solution. The json
> lib should at least be pluggable - avoids to shade/rewrite anything but let
> the integrator use what he already has. Side note for json: for the overall
> consistency using JSON-P makes it easy to get a common API which doesn't
> need any investment and solves that "plug your impl" smoothly. For the
> signing part it is a bit different since it will easily bring a huge stack
> - how many bring jackson, simple-json, ... by default and are not
> pluggable. This is an issue and can even lead to not working installations.
> If you doubt I have like 700 components to show you it is not a random or
> theoretical thought. Investment is also quite light so not sure it does worth
> speaking about it days.
>
>>
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
>>
>> On Tue, Feb 13, 2018 at 12:43 PM, John D. Ament <[email protected]>
>> wrote:
>>
>>> On 2018/02/12 20:42:58, Jonathan Gallimore <[email protected]>
>>> wrote:
>>>> On Mon, Feb 12, 2018 at 8:20 PM, Romain Manni-Bucau <[email protected]>
>>>> wrote:
>>>>
>>>>> No Andy, as mentioned in the discussion Geronimo hosts the microprofile
>>>>> @asf. This is why jwt should probably be done in geronimo which is the asf
>>>>> ee related project umbrella.
>>>>>
>>>>
>>>> I don't recall that discussion. Where did it take place?
>>>
>>> I *think* he meant me. The only time JWT came up on Geronimo was at [1].
>>> I had mentioned bringing over an impl based on Jose4J, Romain felt very
>>> strongly we mustn't rely on 3rd party libraries. I'm not sure why that is,
>>> but it seemed based on the discussion we had two different aims so it
>>> wasn't something I pushed forward on. If there's interest within TomEE to
>>> get a JWT impl up and running, I'd be happy to help (though I do feel
>>> strongly relying on a 3rd party lib for the actual signature validation +
>>> external sig support is important; to avoid that overhead).
>>>
>>> RE MP @ TomEE/Geronimo. I don't believe there's any hard or fast rules
>>> about what projects are allowed to host. For example, there's interest
>>> within Skywalking to host the CDI and JAX-RS extensions to support OpenApi;
>>> but this spec doesn't represent something any server vendor would support
>>> since it's really about your APM solution. CXF happily took on the MP Rest
>>> Client when I proposed it; though I would hope TomEE relies on the CXF
>>> library instead of crafting their own client (selfish desires). The JWT
>>> spec is weird, because it defined non MP runtime behavior in addition to MP
>>> runtime behavior; so there may be more integration work in a fuller app
>>> server like TomEE.
>>>
>>> </peanut-gallery>
>>>
>>> John
>>>
>>> [1]: https://lists.apache.org/thread.html/4edc997cfe2e45aaf25bb118bc621634c2832641cf3a9d954a6f7245@%3Cdev.geronimo.apache.org%3E
>>>
>>>>
>>>>>
>>>>> I understand it is not the most convenient for tomitribe which probably
>>>>> prefers to own the full project(s) but as a foundation member I'd really
>>>>> like to not let company details pollute projects
>>>>
>>>>
>>>>> Also the discussion made clear to not do it in current repo whatever
>>>>> project is used as umbrella so we should revert that and finish the
>>>>> discussion before any action to not kill tomee project by a hard company
>>>>> driven management making it no more in the OSS spirit.
>>>>>
>>>>
>>>> I agree the discussion should happen first, and I note that the change has
>>>> been reverted. I recall that we agreed on this list that we'd create new
>>>> git projects for Sheldon and Chatterbox under the TomEE umbrella. Should
>>>> other components sit under TomEE, I imagine that they would follow the same
>>>> pattern - i.e. discuss first, agree location, create repo or move things
>>>> around as appropriate.
>>>>
>>>> I don't know what your specific issues are here, but I think you are making
>>>> some assumptions that are simply not true.
>>>>
>>>> Jon
>>>>
>>>>>
>>>>> On 12 Feb 2018 21:14, "Andy Gumbrecht" <[email protected]> wrote:
>>>>>
>>>>>> "Parts of the components skeletons you just created"
>>>>>>
>>>>>> They're just logically named empty modules for pending work?
>>>>>>
>>>>>>
>>>>>> On 12/02/18 20:42, Mark Struberg wrote:
>>>>>>
>>>>>>> And what's that for?
>>>>>>>
>>>>>>> Is there any behind the scene stuff going on at Tomitribe or can we
>>>>>>> finally get back to discussing such things on the Apache lists?
>>>>>>>
>>>>>>> Before we go on I'd first finish the discussion how we want to turn
>>>>>>> TomEE into an umbrella project or how the structure would be. And
>>>>>>> whether/how we want to integrate the modular Geronimo parts into one
>>>>>>> project or not.
>>>>>>>
>>>>>>> Parts of the components skeletons you just created do already exist at
>>>>>>> the ASF.
>>>>>>>
>>>>>>> LieGrue,
>>>>>>> strub
>>>>>>>
>>>>>>>
>>>>>>> On Monday, 12 February 2018, 20:22:53 CET, Andy Gumbrecht
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Added project stubs:
>>>>>>> https://github.com/apache/tomee/tree/master/microprofile
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>>
>>>>>>> On 05/02/18 11:17, Jean-Louis Monteiro wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Ok thanks guys.
>>>>>>>> @Rudy, you are most welcome :)
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jean-Louis Monteiro
>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>> http://www.tomitribe.com
>>>>>>>>
>>>>>>>> On Fri, Feb 2, 2018 at 11:39 AM, Rudy De Busscher <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> I think it is a very important spec, also for non-microprofile
>>>>>>>>> implementations as it can enhance the interoperability of all servers.
>>>>>>>>>
>>>>>>>>> I'm also very interested in the implementation (and want to help a bit with
>>>>>>>>> it also :) )
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>> Rudy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 2 February 2018 at 11:23, Mark Struberg <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> To clarify this even further:
>>>>>>>>>> The Geronimo Server is now officially dead.
>>>>>>>>>> But the Geronimo project is not. It already contains quite a few modular
>>>>>>>>>> parts which are reused in many ASF projects and also outside.
>>>>>>>>>> Examples is the geronimo-transaction-manager, geronimo-javamail,
>>>>>>>>>> geronimo-config, xbean-finder, etc
>>>>>>>>>>
>>>>>>>>>> Of course it would probably make sense to fold those 2 projects together,
>>>>>>>>>> as already discussed in the past.
>>>>>>>>>> I'm still all open to it, but I have an important criterium to fulfil:
>>>>>>>>>> If we move those portable parts to TomEE, then this would mean that TomEE
>>>>>>>>>> would become an 'Umbrella project'.
>>>>>>>>>> And further that we would need a new name for those portable parts.
>>>>>>>>>> They would effectively be maintained by the TomEE community (which has a
>>>>>>>>>> big overlap with Geronimo anyway) but those parts must clearly be
>>>>>>>>>> recognized separately from TomEE.
>>>>>>>>>>
>>>>>>>>>> Otherwise people will assume that those parts only work within TomEE -
>>>>>>>>>> where in reality they would even work on WildFly or Liberty, etc. or even a
>>>>>>>>>> naked Tomcat.
>>>>>>>>>> Got me?
>>>>>>>>>>
>>>>>>>>>> We might e.g. brand them as 'TomEE Geronimo Spare Parts Department' :)
>>>>>>>>>>
>>>>>>>>>> LieGrue,
>>>>>>>>>> strub
>>>>>>>>>>
>>>>>>>>>> PS: I'd also love to keep the org.apache.geronimo package name to ease
>>>>>>>>>> backward compatibility.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On 02.02.2018 at 11:08, Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> 2018-02-02 11:05 GMT+01:00 Otávio Gonçalves de Santana <[email protected]>:
>>>>>>>>>>>
>>>>>>>>>>>> Guys, I have a question:
>>>>>>>>>>>>
>>>>>>>>>>>> Why not a project to each implementation?
>>>>>>>>>>>>
>>>>>>>>>>> this is the case but geronimo is used as an umbrella project.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> This way I can use just a specific if I want also.
>>>>>>>>>>>>
>>>>>>>>>>> exactly the goal and user usage AFAIK ;)
>>>>>>>>>>>
>>>>>>>>>>> long story short: we learnt from the past errors and since always the same
>>>>>>>>>>> people work on these projects it is better to not split it across N
>>>>>>>>>>> communities since
>>>>>>>>>>> it leads to a lot of efforts for these people. Having a single umbrella
>>>>>>>>>>> project with N subprojects reduces the administrative work etc and enhance
>>>>>>>>>>> the projects productivity.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 2, 2018 at 7:44 AM, Romain Manni-Bucau <[email protected]>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi JL,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microprofile apache effort is hosted in geronimo and John already spoke
>>>>>>>>>>>>> about it I think. Would probably saner to keep it all at the same place for
>>>>>>>>>>>>> the foundation.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2018-02-02 9:39 GMT+01:00 Jean-Louis Monteiro <[email protected]>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I was wondering if we could have the Microprofile JWT implemented in
>>>>>>>>>>>>>> TomEE.
>>>>>>>>>>>>>> What do you think?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I was reading the spec and I'd like to contribute that in.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jean-Louis
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Andy Gumbrecht
>>>>>>> https://twitter.com/AndyGeeDe
>>>>>>> http://www.tomitribe.com
>>>>>>> https://www.tomitribe.io
>>>>>>>
>>>>>>> Ubique
>>>>>>>
>>>>>> --
>>>>>> Andy Gumbrecht
>>>>>> https://twitter.com/AndyGeeDe
>>>>>> http://www.tomitribe.com
>>>>>> https://www.tomitribe.io
>>>>>>
>>>>>> Ubique
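
The question at the top of this message, whether JWT signing needs more than JSON-P plus a crypto primitive, can be made concrete. The following is an added example, not code from this thread or from TomEE/Geronimo: it signs and verifies an RS256 compact JWS with the JDK's `java.security.Signature` (used here in place of commons-crypto) and JSON-P, assuming a JSON-P implementation such as Johnzon is on the classpath; the class name, key pair and claims are constructed for illustration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.json.Json;
import javax.json.JsonObject;

// Hypothetical class name; javax.json (JSON-P 1.x) is assumed to be provided, e.g. by Johnzon.
public class MinimalJwsCheck {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Build base64url(header).base64url(payload).base64url(signature) with RS256.
    static String sign(String headerJson, String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String input = b64(headerJson) + "." + b64(payloadJson);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + ENC.encodeToString(s.sign());
    }

    // Return the claims only if the token is RS256-signed by the trusted key.
    static JsonObject verify(String token, PublicKey trusted) throws GeneralSecurityException {
        String[] p = token.split("\\.", -1);
        if (p.length != 3) throw new SignatureException("not a compact JWS");
        // Pin the algorithm: the token's own header must not choose how it is verified.
        if (!"RS256".equals(parse(p[0]).getString("alg", ""))) throw new SignatureException("unexpected alg");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(trusted);
        // The signature covers the encoded bytes as received, not re-serialized JSON.
        s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!s.verify(DEC.decode(p[2]))) throw new SignatureException("bad signature");
        return parse(p[1]);
    }

    static JsonObject parse(String part) {
        String json = new String(DEC.decode(part), StandardCharsets.UTF_8);
        return Json.createReader(new StringReader(json)).readObject();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        // Constructed sample header and claims, not taken from the thread.
        String token = sign("{\"alg\":\"RS256\",\"typ\":\"JWT\"}", "{\"iss\":\"https://issuer.example\",\"sub\":\"alice\"}", kp.getPrivate());
        System.out.println("verified sub = " + verify(token, kp.getPublic()).getString("sub"));
        // Same payload re-wrapped as an unsigned token: the pinned-alg check rejects it.
        String unsigned = b64("{\"alg\":\"none\"}") + "." + token.split("\\.")[1] + ".";
        try { verify(unsigned, kp.getPublic()); } catch (SignatureException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Signature validity is only the first gate: expiry, issuer and audience claims still have to be checked before the claims are trusted, and key distribution is outside what this block covers.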
