+1 for Spring Security

On Fri, Dec 4, 2015 at 9:36 AM, William Markito <[email protected]> wrote:

> Huge +1 for using Shiro / Spring Security and moving to a standard security
> model.
>
> On Fri, Dec 4, 2015 at 9:33 AM, Jens Deppe <[email protected]> wrote:
>
> > Greetings.
> >
> > A while back work was done to implement the Integrated Security spec as
> > described here
> > <https://cwiki.apache.org/confluence/display/GEODE/Integrated+Security>
> > [1].
> >
> > This work is currently sitting in branch feature/GEODE-17. It includes
> > changes for JMX security, REST security and, by extension, Pulse.
> >
> > I am OK with the approach for JMX, but I really don't like the
> > implementation for REST. My proposal to move forward with this work is as
> > follows:
> >
> > *Short-term:* Integrate the JMX work into develop. This should be
> > achievable for a Geode 1.0 release.
> >
> > *Medium-term*: Explore expanding the use of Spring Security for REST. This
> > should allow for using Spring Security throughout the whole REST request
> > lifecycle and integrate with our existing security callbacks. This would
> > probably be beyond Geode 1.0.
> >
> > *Long-term*: Explore the possibility of using JAAS or another security
> > framework like Apache Shiro as a unified security framework. Most
> > frameworks are implemented using some thread local security context.
> > Adopting such a model would allow us to reason about security in a
> > consistent way regardless of how access to the system is being established
> > (client/server, JMX or REST - even redis and memcached).
> >
> > Thoughts, comments?
> >
> > --Jens
> >
> > [1] https://cwiki.apache.org/confluence/display/GEODE/Integrated+Security
>
> --
> William Markito Oliveira
> --
> For questions about Apache Geode, please write to
> *[email protected] <[email protected]>*

--
-John
503-504-8657
john.blum10101 (skype)
