
Re: [Aerogear-dev] AeroGear Security - call for participation



On 30 Jul 2012, at 21:13, Bruno Oliveira wrote:

> Hi Pete, just to make sure that we're on the same page, answers inline.
> 
> On Monday, July 30, 2012 at 8:27 AM, Pete Muir wrote:
> 
>> Looks good Bruno.
>> 
>> As discussed on security-dev, DeltaSpike will probably provide:
>> 
>> * a lightweight authorization API (e.g. for REST endpoints, aerogear controller endpoints etc). This is implemented as a CDI interceptor, and delegates all work to its SPI,
> Do you mean something like SecurityInterceptor + annotation bindings?  https://github.com/apache/incubator-deltaspike/blob/5e4a7eb4de01004206f24ae22b9850e643bffe54/deltaspike/modules/security/impl/src/main/java/org/apache/deltaspike/security/impl/authorization/SecurityInterceptor.java

Yes. Except see next comment :-)

>> * we would probably want to write some extra integration for aerogear-controller and RESTEasy. This would allow us to do stuff like put the request and response in the InvocationContext. We might also want to add some support for wrapping any exceptions thrown in the right JAX-RS exception, adding response headers etc.
> 
> Do you have an example? I've been working on the integration with aerogear-controller and of course I'm interested in it.

The file you referenced is a good example. I'm not sure how you start pulling in extra info, without playing though.

But, let's say you had a way of getting hold of the response in that interceptor (which JAX-RS may give you, or we might need a custom hook?), then you could catch, wrap and extract any security exceptions thrown in the interceptor, and add some fields to the response, for example.

>  
>> * I would suggest using a security binding, rather than @Secured, as this is somewhat more powerful.
> Something like this? https://github.com/aerogear/aerogear-controller-demo/blob/deltaspike/src/main/java/org/jboss/aerogear/controller/demo/idm/annotation/CustomSecurityBinding.java

Yes.

>  
>> * a lightweight authentication API, which could be used by your REST endpoints for login/logout, perhaps with some auto-population of credentials.
> Does DeltaSpike currently provide it? Let me know.

No. As per other message, let's push for something once 0.3 is out. I liked what we had in 0.2 personally.

>> 
>> On 27 Jul 2012, at 23:11, Bruno Oliveira wrote:
>> 
>>> Hi folks,
>>> 
>>> We've been discussing a lot about security on the server side this week and I would like to hear some feedback about the document below before going into more specific implementation details.
>>> 
>>> http://aerogear.abstractj.org/docs/AeroGearSecurity.html
>>> 
>>> Have a nice reading! :)
>>> --
>>> "The measure of a man is what he does with power" - Plato
>>> -
>>> @abstractj
>>> -
>>> Volenti Nihil Difficile
> 


