Huge +1 for using Shiro / Spring Security and moving to a standard security model.
On Fri, Dec 4, 2015 at 9:33 AM, Jens Deppe <[email protected]> wrote:
> Greetings.
>
> A while back work was done to implement the Integrated Security spec as
> described here
> <https://cwiki.apache.org/confluence/display/GEODE/Integrated+Security>
> [1].
>
> This work is currently sitting in branch feature/GEODE-17. It includes
> changes for JMX security, REST security and, by extension, Pulse.
>
> I am OK with the approach for JMX, but I really don't like the
> implementation for REST. My proposal to move forward with this work is as
> follows:
>
> *Short-term: *Integrate the JMX work into develop. This should be
> achievable for a Geode 1.0 release.
>
> *Medium-term*: Explore expanding the use of Spring Security for REST. This
> should allow for using Spring Security throughout the whole REST request
> lifecycle and integrate with our existing security callbacks. This would
> probably be beyond Geode 1.0.
>
> *Long-term*: Explore the possibility of using JAAS or another security
> framework like Apache Shiro as a unified security framework. Most
> frameworks are implemented using some thread local security context.
> Adopting such a model would allow us to reason about security in a
> consistent way regardless of how access to the system is being established
> (client/server, JMX or REST - even redis and memcached).
>
> Thoughts, comments?
>
> --Jens
>
> [1] https://cwiki.apache.org/confluence/display/GEODE/Integrated+Security
>

--
William Markito Oliveira
-- For questions about Apache Geode, please write to *[email protected] <[email protected]>*
