I know JWT a bit and I wonder whether doing the signing part is just a bit of 
JSON (JSON-P) + commons-crypto?
After all JWT is especially designed to be lightweight and straightforward.

LieGrue,
strub
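
Added example, not part of the original message or of any TomEE/Geronimo code: a minimal RS256 check of a compact JWT using only JSON-P and the JDK's `java.security` classes, to show what "the signing part" amounts to on the verifying side. The JDK's JCA stands in for commons-crypto here; the class name, key pair and claims are constructed for illustration, and a JSON-P implementation such as Johnzon is assumed on the classpath.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.json.Json;
import javax.json.JsonObject;

public class MinimalJwsVerifier {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Verifies an RS256 compact JWS and returns its claims; throws on any failure.
    static JsonObject verify(String token, PublicKey key) throws GeneralSecurityException {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SignatureException("not a compact JWS");
        // Pin the algorithm: the token's own header must not choose the verifier
        // (rejects "none" and anything other than the algorithm this key is for).
        if (!"RS256".equals(parse(parts[0]).getString("alg", null)))
            throw new SignatureException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        // The signed bytes are "<header>.<payload>" exactly as received, not re-serialized JSON.
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(DEC.decode(parts[2]))) throw new SignatureException("bad signature");
        return parse(parts[1]); // claims are parsed only after the signature checks out
    }
    static JsonObject parse(String b64url) {
        String json = new String(DEC.decode(b64url), StandardCharsets.UTF_8);
        return Json.createReader(new StringReader(json)).readObject();
    }
    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    public static void main(String[] args) throws Exception {
        // Constructed sample: throwaway key pair and claims, generated in-process.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String header = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        String payload = b64("{\"upn\":\"alice\"}");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String sigPart = ENC.encodeToString(signer.sign());
        JsonObject claims = verify(header + "." + payload + "." + sigPart, kp.getPublic());
        System.out.println("verified upn: " + claims.getString("upn"));
        try { // payload swapped after signing: must be rejected
            verify(header + "." + b64("{\"upn\":\"admin\"}") + "." + sigPart, kp.getPublic());
        } catch (SignatureException e) { System.out.println("tampered token rejected: " + e.getMessage()); }
    }
}
```

Signature verification is only one part of accepting a token: expiry, issuer and audience claims still have to be checked by the caller.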



> On 13.02.2018 at 15:33, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> 
> 2018-02-13 15:28 GMT+01:00 Jean-Louis Monteiro <jlmonte...@tomitribe.com>:
> 
>> Thanks for the feedback Jon.
>> 
>> I had a couple of exchanges with Rudy, who is happy to contribute some
>> code as well.
>> From what I have understood and seen, most of the code is integration code
>> and there is at least from my current knowledge a little bit of code to put
>> together in a reusable manner in a reusable library (wherever it sits).
>> I was planning to do a quick prototype and get it to work from end to end
>> into a working branch so we can move the discussion forward and see exactly
>> where we go.
>> 
>> Regarding the signing library, I am kinda on the same page.
>> I don't see myself rewriting Johnzon to parse JSON and then Jose or Nimbus
>> to do signing. There is absolutely no point at least for the POC. Again,
>> we'll see if I get something working what we can do.
>> 
>> 
>> 
> Agreeing for a PoC but for a production ready software it is if it can
> conflict or bring drawbacks to the users to import the solution. The json
> lib should at least be pluggable - avoids to shade/rewrite anything but let
> the integrator use what he already has. Side note for json: for the overall
> consistency using JSON-P makes it easy to get a common API which doesn't
> need any investment and solves that "plug your impl" smoothly. For the
> signing part it is a bit different since it will easily bring a huge stack
> - how many bring jackson, simple-json, ... by default and are not
> pluggable. This is an issue and can even lead to not working installations.
> If you doubt I have like 700 components to show you it is not a random or
> theoretical thought. Investment is also quite light so not sure it is worth
> speaking about it for days.
> 
> 
>> 
>> 
>> 
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
>> 
>> On Tue, Feb 13, 2018 at 12:43 PM, John D. Ament <johndam...@apache.org>
>> wrote:
>> 
>>> 
>>> 
>>> On 2018/02/12 20:42:58, Jonathan Gallimore <jonathan.gallim...@gmail.com
>>> 
>>> wrote:
>>>> On Mon, Feb 12, 2018 at 8:20 PM, Romain Manni-Bucau <
>>> rmannibu...@gmail.com>
>>>> wrote:
>>>> 
>>>>> No Andy, as mentioned in the discussion Geronimo hosts the
>>> microprofile
>>>>> @asf. This is why jwt should probably be done in geronimo which is
>> the
>>> asf
>>>>> ee related project umbrella.
>>>>> 
>>>> 
>>>> I don't recall that discussion. Where did it take place?
>>> 
>>> I *think* he meant me.  The only time JWT came up on Geronimo was at [1].
>>> I had mentioned bringing over an impl based on Jose4J, Romain felt very
>>> strongly we mustn't rely on 3rd party libraries.  I'm not sure why that
>> is,
>>> but it seemed based on the discussion we had two different aims so it
>>> wasn't something I pushed forward on.  If there's interest within TomEE
>> to
>>> get a JWT impl up and running, I'd be happy to help (though I do feel
>>> strongly relying on a 3rd party lib for the actual signature validation +
>>> external sig support is important; to avoid that overhead).
>>> 
>>> RE MP @ TomEE/Geronimo.  I don't believe there's any hard or fast rules
>>> about what projects are allowed to host.  For example, there's interest
>>> within Skywalking to host the CDI and JAX-RS extensions to support
>> OpenApi;
>>> but this spec doesn't represent something any server vendor would support
>>> since it's really about your APM solution.  CXF happily took on the MP
>> Rest
>>> Client when I proposed it; though I would hope TomEE relies on the CXF
>>> library instead of crafting their own client (selfish desires).  The JWT
>>> spec is weird, because it defined non MP runtime behavior in addition to
>> MP
>>> runtime behavior; so there may be more integration work in a fuller app
>>> server like TomEE.
>>> 
>>> </peanut-gallery>
>>> 
>>> John
>>> 
>>> [1]: https://lists.apache.org/thread.html/4edc997cfe2e45aaf25bb118bc6216
>>> 34c2832641cf3a9d954a6f7245@%3Cdev.geronimo.apache.org%3E
>>> 
>>>> 
>>>> 
>>>>> 
>>>>> I understand it is not the most convenient for tomitribe which
>> probably
>>>>> prefers to own the full project(s) but as a foundation member I'd
>>> really
>>>>> like to not let company details pollute projects
>>>> 
>>>> 
>>>>> Also the discussion made clear to not do it in current repo whatever
>>>>> project is used as umbrella so we should revert that and finish the
>>>>> discussion before any action to not kill tomee project by a hard
>>> company
>>>>> driven management making it no more in the OSS spirit.
>>>>> 
>>>> 
>>>> I agree the discussion should happen first, and I note that the change
>>> has
>>>> been reverted. I recall that we agreed on this list that we'd create
>> new
>>>> git projects for Sheldon and Chatterbox under the TomEE umbrella.
>> Should
>>>> other components sit under TomEE, I imagine that they would follow the
>>> same
>>>> pattern - i.e. discuss first, agree location, create repo or move
>> things
>>>> around as appropriate.
>>>> 
>>>> I don't know what your specific issues are here, but I think you are
>>> making
>>>> some assumptions that are simply not true.
>>>> 
>>>> Jon
>>>> 
>>>> 
>>>> 
>>>>> 
>>>>> On 12 Feb 2018 21:14, "Andy Gumbrecht" <agumbre...@tomitribe.com> wrote:
>>>>> 
>>>>>> "Parts of the components skeletons you just created"
>>>>>> 
>>>>>> They're just logically named empty modules for pending work?
>>>>>> 
>>>>>> 
>>>>>> On 12/02/18 20:42, Mark Struberg wrote:
>>>>>> 
>>>>>>> And what's that for?
>>>>>>> 
>>>>>>> Is there any behind the scene stuff going on at Tomitribe or can
>> we
>>>>>>> finally get back to discussing such things on the Apache lists?
>>>>>>> 
>>>>>>> Before we go on I'd first finish the discussion how we want
>> to
>>>>> turn
>>>>>>> TomEE into an umbrella project or how the structure would be. And
>>>>>>> whether/how we want to integrate the modular Geronimo parts into
>> one
>>>>>>> project or not.
>>>>>>> 
>>>>>>> Parts of the components skeletons you just created do already
>> exist
>>> at
>>>>>>> the ASF.
>>>>>>> 
>>>>>>> LieGrue,
>>>>>>> strub
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Monday, 12 February 2018, 20:22:53 CET, Andy Gumbrecht <
>>>>>>> agumbre...@tomitribe.com> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> Added project stubs:
>>>>>>> https://github.com/apache/tomee/tree/master/microprofile
>>>>>>> 
>>>>>>> Andy.
>>>>>>> 
>>>>>>> 
>>>>>>> On 05/02/18 11:17, Jean-Louis Monteiro wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> Ok thanks guys.
>>>>>>>> @Rudy, you are most welcome :)
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Jean-Louis Monteiro
>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>> http://www.tomitribe.com
>>>>>>>> 
>>>>>>>> On Fri, Feb 2, 2018 at 11:39 AM, Rudy De Busscher <rdebussc...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> I think it is a very important spec, also for non-microprofile
>>>>>>>>> implementations as it can enhance the interoperability of all
>>>>> servers.
>>>>>>>>> 
>>>>>>>>> I'm also very interested in the implementation (and want to
>> help
>>> a
>>>>> bit
>>>>>>> with
>>>>>>>>> it also :) )
>>>>>>>>> 
>>>>>>>>> regards
>>>>>>>>> Rudy
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 2 February 2018 at 11:23, Mark Struberg <strub...@yahoo.de.invalid> wrote:
>>>>>>>>> 
>>>>>>>>>> To clarify this even further:
>>>>>>>>>> The Geronimo Server is now officially dead.
>>>>>>>>>> But the Geronimo project is not. It already contains quite a
>> few
>>>>>>> modular
>>>>>>>>>> parts which are reused in many ASF projects and also outside.
>>>>>>>>>> Examples are the geronimo-transaction-manager,
>> geronimo-javamail,
>>>>>>>>>> geronimo-config, xbean-finder, etc
>>>>>>>>>> 
>>>>>>>>>> Of course it would probably make sense to fold those 2
>> projects
>>>>>>> together,
>>>>>>>>>> as already discussed in the past.
>>>>>>>>>> I'm still all open to it, but I have an important criterion to
>>>>> fulfil:
>>>>>>>>>> If we move those portable parts to TomEE, then this would mean
>>> that
>>>>>>> TomEE
>>>>>>>>>> would become an 'Umbrella project'.
>>>>>>>>>> And further that we would need a new name for those portable
>>> parts.
>>>>>>>>>> They would effectively be maintained by the TomEE community
>>> (which
>>>>>>> has a
>>>>>>>>>> big overlap with Geronimo anyway) but those parts must clearly
>>> be
>>>>>>>>>> recognized separately from TomEE.
>>>>>>>>>> 
>>>>>>>>>> Otherwise people will assume that those parts only work within
>>>>> TomEE -
>>>>>>>>>> where in reality they would even work on WildFly or Liberty,
>>> etc. or
>>>>>>>>> even a
>>>>>>>>>> naked Tomcat.
>>>>>>>>>> Got me?
>>>>>>>>>> 
>>>>>>>>>> We might e.g. brand them as 'TomEE Geronimo Spare Parts
>>> Department'
>>>>> :)
>>>>>>>>>> 
>>>>>>>>>> LieGrue,
>>>>>>>>>> strub
>>>>>>>>>> 
>>>>>>>>>> PS: I'd also love to keep the org.apache.geronimo package name
>>> to
>>>>> ease
>>>>>>>>>> backward compatibility.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On 02.02.2018 at 11:08, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> 2018-02-02 11:05 GMT+01:00 Otávio Gonçalves de Santana <osant...@tomitribe.com>:
>>>>>>>>>>> 
>>>>>>>>>>>> Guys, I have a question:
>>>>>>>>>>>> 
>>>>>>>>>>>> Why not a project to each implementation?
>>>>>>>>>>>> 
>>>>>>>>>>> this is the case but geronimo is used as an umbrella project.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> This way I can use just a specific if I want also.
>>>>>>>>>>>> 
>>>>>>>>>>> exactly the goal and user usage AFAIK ;)
>>>>>>>>>>> 
>>>>>>>>>>> long story short: we learnt from the past errors and since
>>> always
>>>>> the
>>>>>>>>>> same
>>>>>>>>>>> people work on these projects it is better to not split it
>>> across
>>>>> N
>>>>>>>>>>> communities since
>>>>>>>>>>> it leads to a lot of efforts for these people. Having a
>> single
>>>>>>> umbrella
>>>>>>>>>>> project with N subprojects reduces the administrative work
>> etc
>>> and
>>>>>>>>>> enhances
>>>>>>>>>>> the projects productivity.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> On Fri, Feb 2, 2018 at 7:44 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> Hi JL,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Microprofile apache effort is hosted in geronimo and John
>>> already
>>>>>>>>> spoke
>>>>>>>>>>>>> about it I think. Would probably be saner to keep it all at
>> the
>>> same
>>>>>>>>> place
>>>>>>>>>>>> for
>>>>>>>>>>>>> the foundation.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
>>> https://github.com/
>>>>>>>>>>>>> rmannibucau> |
>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-
>>>>>>>>>>>>> ee-8-high-performance>
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 2018-02-02 9:39 GMT+01:00 Jean-Louis Monteiro <jlmonte...@tomitribe.com>:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I was wondering if we could have the Microprofile JWT
>>>>> implemented
>>>>>>> in
>>>>>>>>>>>>> TomEE.
>>>>>>>>>>>>>> What do you think?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I was reading the spec and I'd like to contribute that in.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Jean-Louis
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Jean-Louis Monteiro
>>>>>>>>>>>>>> http://twitter.com/jlouismonteiro
>>>>>>>>>>>>>> http://www.tomitribe.com
>>>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> Andy Gumbrecht
>>>>>>> https://twitter.com/AndyGeeDe
>>>>>>> 
>>>>>>> http://www.tomitribe.com
>>>>>>> 
>>>>>>> https://www.tomitribe.io
>>>>>>> 
>>>>>>> 
>>>>>>> Ubique
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> --
>>>>>> Andy Gumbrecht
>>>>>> https://twitter.com/AndyGeeDe
>>>>>> http://www.tomitribe.com
>>>>>> https://www.tomitribe.io
>>>>>> 
>>>>>> 
>>>>>> Ubique
