Just been having a look at the Security Module page and had a couple of
comments related to experiences in JBoss AS - Pete suggested I post my
comments over here.
A few of the problems we have had historically in JBoss AS releases
regarding authentication at the transport level are:
- The assumption that everything has a username and a credential.
- That authentication takes a single step.
- That the duration an authentication is valid for can be pre-defined.
Looking at the initial API, I just wonder whether it is also starting to follow
the same assumptions. Picking username/password authentication as a
first step, whilst it may be simple, has historically led us into
situations where more complex scenarios end up being added as a
workaround.
I suppose the real question is where this would be used: is this
something that would only be used within apps that want to establish
some form of 'security context' with an identity, or could this also be
used in other locations such as valves implementing HTTP authentication?
If the former, then maybe not a huge issue, but if the latter, this API
could be repeating the problems of the past.
Regards,
Darran Lofthouse.