Hi Andriy
Thanks, interesting to hear you are seeing quite a bit of life is left
in OAuth1 (it was indeed a real innovation at a time).
I did have some doubts about whether to include this module or not.
Some modules (ex, Corba related), are indeed much older, but they are
actually used these days so obviously I could not even offer for them be
dropped.
I haven't heard anything about OAuth1 recently from CXF users but
may be it is a sign that what already works is just working.
In the end of the day, it is a first try for us to clean up CXF a bit.
I'm happy enough to keep this module given your concern. I'll add it to
the list when we start a similar discussion in CXF 4.0 (whenever it
comes :-))
Sergey
On 03/09/16 00:23, Andriy Redko wrote:
Hey Sergey,
You are very right, OAuth2 is certainly step forward, unfortunately
this days OAuth1 is still used (have day by day examples of that). Great
talk, as always, thanks a lot for the slides, looking into them!
Thanks!
Best Regards,
Andriy Redko
*SB> Hi Andriy
SB> Just something I'd like to clarify re CXF OAuth1 module. I was a mentor
SB> for the original GSOC project and spent quite a bit of time with it
SB> afterwards too.
SB> After spending even more time with OAuth2 I see OAuth2
SB> being actually simpler for a classical case originally covered by
OAuth1
SB> - one less roundtrip. It is more secure and this work is ongoing.
OAuth2
SB> got a lot of bad press after an exit of the OAuth1 author but a lot of
SB> that was originating from the users who either did not quite understand
SB> OAuth2 or were looking at the buggy implementations of Implicit
Flow, etc.
SB> These days Oauth2 is huge. But of you drill down into it and try to
SB> address a classical case it is simpler. And OAuth2 (with OIDC) will let
SB> one to scale to covering much more sophisticated cases. I'm definitely
SB> not planning to put more effort into CXF OAuth1 - and new users should
SB> be discouraged from trying it because they will go not far with it.
SB> I did this talk few years back:
*SB>
http://events.linuxfoundation.org/sites/events/files/slides/ApacheEuCxfOauthHawk.pdf
<http://events.linuxfoundation.org/sites/events/files/slides/ApacheEuCxfOauthHawk.pdf>
*SB> But as far as this module is concerned it has got a fair bit of
SB> attention a couple of years back. The last change I did there was 2
SB> years back. But I can accept someone is still using CXF OAuth1 client
SB> code against some OAuth1 server and more likely - protects CXF Server
SB> with CXF OAuth1 filter against some 3rd party OAuth1 client.
SB> Cheers, Sergey
SB> On 02/09/16 17:31, Sergey Beryozkin wrote:
Hi Andriy
Yeah, I just wanted to show I'm ready to depart with some of RS modules
too :-). You are right though, likely some existing integrations are
still around.
Sergey
On 02/09/16 17:27, Andrey Redko wrote:
Hey Sergey,
Great undertaking I think! From my side, I would put -1 to oauth module.
You are right, technically it is old spec but it is still
used widely (mostly because it is much simple to integrate comparing to
oauth2 f.e.).
Thanks.
Best Regards,
Andriy Redko
On Fri, Sep 2, 2016 at 12:07 PM, Sergey Beryozkin <*[email protected]
<mailto:[email protected]>*>
wrote:
Hi
CXF module base continues to grow - a lot of modules is available, with
some of these modules being obsolete and never used.
I'd like to propose to drop some of these modules in 3.2.0-SNAPSHOT to
make the builds faster, the workspaces smaller and new users less
overwhelmed :-). Once we agree on the final list I can remove them
but as
soon as we have at least a single user requesting the module back
we'll put
it back in 3.2.1. But in meantime we should give this clean-up a try
:-).
The proposed list is below. Dan, others, please add -1 under any item
you
feel like worth keeping (but note we will put any removed module back in
3.2.1 or later whenever it is needed again):
1. rt/management-web
I was the one who added it, it was based on a GSOC project and I do
think
it is a unique project (users can see logging events in Atom
readers), Aki
did some good work around it a couple of years back, but I haven't
seen any
user actually asking questions or trying to use it.
Thus it should go. I'll be the 1st one who will put it back if someone
will want to push it further.
2. rt/rs/security/oauth-parent/oauth
This module supports Oauth1 and is also based on the GSOC project.
Removing it might be a bit sensitive as some users did use it few years
back. But OAuth1 is technically deprecated and Oauth2 is now widely
deployed which is where we put a lot of effort into in CXF. I haven;t
heard
any queries about it for the last few years.
3. maven-plugin/archetypes: Maven JAXWS and JAXRS prototypes. Can
they be
really useful to anyone ? May be we can drop them and put back if
needed.
4. integration/jca - I don't even remember what JCA means :-). I vaguely
recall it was some old container spec ?
5. rt/bindings/object
I think I recall Dan explaining awhile back it is a more advanced
version
of coloc but I don't think it has ever been used by CXF users ?
6. rt/databindings/jibx
I believe JIBX has not been maintained for many years now, if yes
then
lets let it go
7. systests/jibx
8. rt/databindings/sdo
I know it was added on request from one of our previous employers,
which was awhile back. Not sure if we need to keep it though
9. rt/databindings/xmlbeans
Not sure if it is still needed. Looks like SOAP users do JAXB,
occasionally - Aegis
10. services/wsn ?
11. rt/ws/eventing ?
12. rt/ws/mex ?
This is it for now. Please provide the feedback, we can keep this thread
open for few weeks for sure
Thanks, Sergey
10.
*
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
