I thought about it before. When I worked on the demos, I found it's best to create a new repo for the following reasons:

1. The common parts are distributed across ResourceServer, Gateway and AuthenticationServer; it's not easy to have only one dependency.
2. This project is focused on JWT-based authentication for microservices and java-chassis; we are not planning to make it very common like spring security did. Because there are so many variants in security management, we have to focus on the most important part now. Creating a new project will make it easier for us to have other different implementations in the future.
3. This project will act as a reference implementation for now; developers may use the source code directly and possibly make some changes to the source code to fulfill business usage. In the near future, we may not release any formal version of the project, although our goal is to make this project the best authentication choice.
4. This project may be used in older versions of java-chassis; I will tag the project based on 1.2.0, or a future version like 1.3.0.
5. This project depends on spring security, spring jwt and spring oauth2 now, but the java-chassis runtime may not depend on spring. Making this project a module will make java-chassis very complicated. Because this is a new project, I only want to support the latest spring 5.

-----Original Message-----
From: Willem Jiang [mailto:[email protected]]
Sent: May 13, 2019 22:16
To: dev <[email protected]>
Subject: Re: [PROPOSAL]start a new project to add security support for java-chassis

Just a quick question: why do we need to create a new git repo for the authentication?
Can we just add a module in java-chassis?

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Mon, May 13, 2019 at 4:51 PM Liubao (A) <[email protected]> wrote:
>
> Hi,
>
> I am working on integrating spring security to java-chassis to make
> developing authentication and authorization management easier. Now I have
> finished the framework and basic authorization management.
>
> This work is shown in [1].
>
> 1. Users can create AuthenticationServer to manage users and roles and
>    their confidential information.
> 2. Users can add authentication in edge service.
> 3. Users can add authentication and authorization in ResourceServer.
>    This work provides two ways to specify authorization,
>
> using microservice.yaml like:
>
> ```
> servicecomb:
>   authencation:
>     access:
>       needAuth: true
>       roles:
>         HandlerAuthEndpoint:
>           adminSayHello: ADMIN
> ```
>
> or using method security
>
> ```
> @PostMapping(path = "/adminSayHello")
> @PreAuthorize("hasRole('ADMIN')")
> public String adminSayHello(String name) {
>   return name;
> }
> ```
>
> The test cases are shown in project Client, in AuthenticationTestCase.java.
>
> I suggest creating a new project, servicecomb-security (or some other name),
> to host common components that can be reused to develop authentication and
> authorization.
>
> Future plans of this project (informal):
>
> 1. Make OAUTH2 the default implementation. JWT is the most
>    effective authentication mechanism for microservices; I think OAUTH2 (or
>    related Open Connect ID) is the best choice. (based on spring security
>    oauth2)
> 2. Add a common framework to connect to other OAUTH2 parties (like
>    keycloak [2], or firebase [3]).
> 3. Others based on users' feedback.
>
> [1] https://github.com/apache/servicecomb-samples/tree/master/authentication
> [2] https://www.keycloak.org/docs/latest/securing_apps/index.html
> [3] https://firebase.google.com/docs/auth/
