Greetings. A while back work was done to implement the Integrated Security spec as described here <https://cwiki.apache.org/confluence/display/GEODE/Integrated+Security> [1].
This work is currently sitting in branch feature/GEODE-17. It includes changes for JMX security, REST security and, by extension, Pulse. I am OK with the approach for JMX, but I really don't like the implementation for REST.

My proposal to move forward with this work is as follows:

*Short-term*: Integrate the JMX work into develop. This should be achievable for a Geode 1.0 release.

*Medium-term*: Explore expanding the use of Spring Security for REST. This should allow for using Spring Security throughout the whole REST request lifecycle and integrate with our existing security callbacks. This would probably be beyond Geode 1.0.

*Long-term*: Explore the possibility of using JAAS or another security framework like Apache Shiro as a unified security framework. Most frameworks are implemented using some thread local security context. Adopting such a model would allow us to reason about security in a consistent way regardless of how access to the system is being established (client/server, JMX or REST - even redis and memcached).

Thoughts, comments?

--Jens

[1] https://cwiki.apache.org/confluence/display/GEODE/Integrated+Security
