Let me know if something is not really clear.
On Thu, Mar 29, 2012 at 9:58 AM, Jay Balunas <jbalunas redhat com>
Overall great stuff. Note, some of the items are questions from me, and some are questions I could see being asked by others :-)
* HTTP Digest authentication - why this? What alternatives exist
The alternatives are: Basic (clear text), Digest (SHA1), WSSE, OAuth (to be discussed)
- Basic: The credentials will be sent in plain text; encrypting each HTTP transaction over SSL doesn't guarantee the integrity of the information when it arrives at the server, against internal network snoops.
- Digest: Using SHA1 in combination with username + password + random + other information (to be discussed) that we could choose is safer than Basic imo; the client won't send your information, but a combination. Signed URIs will be helpful for the next steps.
- OAuth: The winner, but we still must start the implementation.
* Client library support
* Where does Crypto.SHA1 come from
* We will want to collapse JS into mini-lib imo
+1 about having JS libs.
* can be point to other places?
Sure thing, it's just an example to test the authentication process. The requests will be intercepted and resources with the @Secured annotation will be authenticated.
* phase 1
* authorization only right
(authentication I guess)
* Can you use CDI to inject a user object?
* for further work.
I would like to understand your idea first. It's possible to inject a user object, but I would like to think about how to integrate it with the controller or expose authentication resources (technically it is possible; we're already using CDI here).
* Web mobile --> web/mobile
* Define the domain a little better
* does getUser return a user object, or a Long?
getUser was a bad example and isn't related to the aerogear security implementation. Replacing it with lookupMemberById.
* What happens when you access secured resources and you're not logged in?
If we have plans to move forward with the aerogear-security ideas, probably an exception mapper must be implemented with RESTEasy.
* Where and how are users created, edited, removed?
Let me know if you have more concerns.
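As an added example (not code from this thread or from aerogear-security), the Basic vs Digest point discussed above in runnable form: the client sends a hash over username, realm, password, server nonce, method and URI as in RFC 2617 (which specifies MD5; the SHA1 choice proposed in the thread is passed in as a parameter), so the password itself never crosses the wire, and the server checks the nonce-count so a captured response cannot be replayed. Realm, user names, credentials and URIs below are constructed values.

```python
import hashlib
import secrets

# Constructed sample flow (not from the thread). RFC 2617 uses MD5; the
# thread proposes SHA1, so the hash algorithm is a parameter here.


def h(algorithm: str, data: str) -> str:
    """Hex digest of data under the chosen hash ('md5', 'sha1', ...)."""
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617, qop=auth). The password only enters through
    HA1, so the value on the wire is a hash, never the credential itself."""
    ha1 = h(algorithm, f"{username}:{realm}:{password}")
    ha2 = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: stores HA1 per user (not the password) and tracks the
    nonce-count per issued nonce so a captured response cannot be replayed."""

    def __init__(self, algorithm, realm):
        self.algorithm, self.realm = algorithm, realm
        self.ha1_by_user = {}
        self.nonces = {}  # nonce -> highest nonce-count accepted so far

    def add_user(self, username, password):
        self.ha1_by_user[username] = h(self.algorithm, f"{username}:{self.realm}:{password}")

    def issue_nonce(self):
        nonce = secrets.token_hex(16)  # sent in the WWW-Authenticate challenge
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.nonces:
            return False  # unknown user, or a nonce this server never issued
        if int(nc, 16) <= self.nonces[nonce]:
            return False  # nonce-count did not advance: replayed request
        ha2 = h(self.algorithm, f"{method}:{uri}")
        expected = h(self.algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False  # wrong password, or method/URI changed in transit
        self.nonces[nonce] = int(nc, 16)
        return True
```

Note that the stored HA1 is a password equivalent for this realm, so the server-side store needs the same protection a password store would; Digest also leaves the request and response bodies unprotected, which is why the thread still pairs it with SSL.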
aerogear-dev mailing list
aerogear-dev redhat com