Romain Manni-Bucau wrote
> Personally I find it a bit too complicated compared to some not javaee
> alternative to be a choice for the future.
>
> Today something based on CDI sounds really more reasonable.

Well, the actual server auth module (SAM) interface really is not that complicated to use. For the author of such a module it's not that different from a plain Servlet Filter, with the major difference that you can hand the container a username and a bunch of roles. For intercepting a request, redirecting to a new page, etc., this works really well.

Of course at some point the actual user data has to be loaded from somewhere and for this CDI would be perfect. JASPIC doesn't support it yet, but there's an issue created for this already: https://java.net/jira/browse/JASPIC_SPEC-14

At the moment JASPIC does support delegating the actual loading of the user and roles to a JAAS login module, but as we all know JAAS is complex and was never really intended for the kind of use cases that are typical in Java EE. An alternative "login module/realm/whatever you wanna call it" based on CDI would be a much better and modern solution.

--
View this message in context: http://openejb.979440.n4.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-TomEE-tp4660480p4664629.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.
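
The kind of module the reply above describes, as an added example that is not part of the original message or of TomEE's code: a SAM that inspects the request like a filter would, then hands the container a caller name and roles through the JSR 196 callbacks. The class name `DemoSam`, the `X-Demo-Token` header, the token value, `demo-user` and the `user` role are assumptions made for illustration; the `authenticate` method stands in for the user lookup the message says JAAS or CDI would perform.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DemoSam implements ServerAuthModule { // hypothetical name
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private static final byte[] TOKEN = "constructed-demo-token".getBytes(StandardCharsets.UTF_8);
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler handler, Map options) {
        this.handler = handler; // container-supplied; it accepts the identity we establish
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        try {
            String user = authenticate(request);
            if (user != null) { // hand the container a username and a bunch of roles
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, user),
                                                new GroupPrincipalCallback(client, new String[] { "user" }) });
                return AuthStatus.SUCCESS;
            }
            if (!"true".equals(info.getMap().get(MANDATORY))) { // unprotected resource: stay anonymous
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // protected and no valid credential
            return AuthStatus.SEND_FAILURE;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    // Stand-in credential check (constructed values); a real module queries an identity store here.
    private String authenticate(HttpServletRequest request) {
        String token = request.getHeader("X-Demo-Token");
        boolean ok = token != null && MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), TOKEN);
        return ok ? "demo-user" : null;
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) {
        if (subject != null) subject.getPrincipals().clear(); // drop the identity on logout
    }
}
```

The module fails closed: a protected request without a valid credential gets a 401 and `SEND_FAILURE`, and only an unprotected request is allowed through with a null caller principal.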
