Hi Jacob,

Exactly. Initially I too had considered Spring Security (which provides an HTTP-compliant and pluggable way for authentication filters so that the user can choose). Even Pulse extensions for GEODE-17 are Spring Security based.

Neelkanth can provide more details why he felt Token based approach was better.

regards,
Tushar

On Fri, Aug 7, 2015 at 10:09 PM, Jacob Barrett <[email protected]> wrote:

> Performance vs. security should never be considered. Security trumps
> everything.
>
> We should adopt standards where available. We should use other open source
> libraries where applicable. As part of the Apache ecosystem now we need to
> look at Apache projects that may provide these capabilities. We rarely want
> to reinvent something, especially in security.
>
> -Jake
>
> —
> Jacob Barrett
> Manager
> GemFire Advanced Customer Engineering (ACE)
> Pivotal
>
> [email protected]
> 503-533-3763
>
> For immediate support please contact Pivotal Support at
> http://support.pivotal.io/
>
>
>
> On Fri, Aug 7, 2015 at 9:28 AM, Anthony Baker <[email protected]> wrote:
>
>> Am I missing something? Not verifying the integrity of a security token
>> creates a vulnerability, right?
>>
>> Have you quantified the performance impact of Spring Security?
>>
>> Anthony
>>
>> >
>> > Agreed. Initially I had spec'd it out based on Spring Security. But
>> > Neelkanth felt token based approach is better for performance where we
>> > check only for presence of Token but not its Integrity
>> >
>> >
>> > - Tushar
>> >
>>
>

--
Regards,
Tushar Khairnar
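
The difference between checking a token's presence and checking its integrity, which the thread above debates, shown as an added example (not code from this thread or from the Geode/Pulse code base). The token layout, the demo key and all class and method names are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class TokenCheckDemo {
    // Constructed demo key (assumption); a real service loads it from a secret store.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static String b64(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
    static byte[] hmac(byte[] payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(payload);
    }
    // Assumed token layout: base64url(payload) "." base64url(HMAC-SHA256(payload))
    static String issue(String payload) throws Exception {
        byte[] p = payload.getBytes(StandardCharsets.UTF_8);
        return b64(p) + "." + b64(hmac(p));
    }
    // Presence-only check: accepts any non-empty value.
    static boolean presenceOnly(String token) {
        return token != null && !token.isEmpty();
    }
    // Integrity check: recompute the MAC over the payload and compare in constant time.
    static boolean verified(String token) {
        try {
            String[] parts = token == null ? new String[0] : token.split("\\.");
            if (parts.length != 2) return false;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] tag = Base64.getUrlDecoder().decode(parts[1]);
            return MessageDigest.isEqual(hmac(payload), tag);
        } catch (Exception e) {
            return false; // malformed base64 or MAC failure: reject
        }
    }

    public static void main(String[] args) throws Exception {
        String good = issue("user=operator;role=read");
        // Constructed input: payload changed after issue, original tag kept.
        String altered = b64("user=operator;role=admin".getBytes(StandardCharsets.UTF_8))
                + good.substring(good.indexOf('.'));
        for (String t : new String[] {good, altered, "anything"}) {
            System.out.println("presenceOnly=" + presenceOnly(t) + " verified=" + verified(t));
        }
    }
}
```

The presence-only check treats all three inputs alike, while the HMAC check accepts only the token as issued; the added cost per request is one HMAC-SHA256 computation over the payload.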
