>
> I'm more worried about the authorisation and authentication interface.


I used JASPIC as it seemed to most natural way to feed the EE system
with authorisation
and authentication into the system.

But probably need deep integration with server code because otherwise, the
JWT authentication mechanism is an all or nothing system, which is not the
best solution (maybe less a problem with MicroServices but if you want to
use it in a more general way it is an obstacle)

Regards
Rudy


On 13 February 2018 at 16:58, Mark Struberg <strub...@yahoo.de.invalid>
wrote:

> Might do as well.
> But the JSON-P part is really well abstracted. So this is easy to plug-in.
>
> I'm more worried about the authorisation and authentication interface.
> Anything EE security seems way too heavyweight for me. This might work out
> for TomEE, but would kill it's use in any more lightweight approach.
> So probably introduce an own pluggable SPI for authentication and
> authorisation?
> Then it really could be done pretty much anywhere. Or do we have yet
> another 'interface area'?
>
> LieGrue,
> strub
>
>
> > Am 13.02.2018 um 16:52 schrieb Jean-Louis Monteiro <
> jlmonte...@tomitribe.com>:
> >
> > I was also thinking about a Johnzon extension (kinda)
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> > On Tue, Feb 13, 2018 at 3:53 PM, Mark Struberg <strub...@yahoo.de.invalid
> >
> > wrote:
> >
> >> I know JWT a bit and I wonder whether doing the signing part is just a
> bit
> >> of Json (JSON-P) + commons-crypto?
> >> After all JWT is especially designed to be lightweight and straight
> >> forward.
> >>
> >> LieGrue,
> >> strub
> >>
> >>
> >>
> >>> Am 13.02.2018 um 15:33 schrieb Romain Manni-Bucau <
> rmannibu...@gmail.com
> >>> :
> >>>
> >>> 2018-02-13 15:28 GMT+01:00 Jean-Louis Monteiro <
> jlmonte...@tomitribe.com
> >>> :
> >>>
> >>>> Thanks for the feedback Jon.
> >>>>
> >>>> I had a couple of exchanges with Rudy which is happy to contribute
> some
> >>>> code as well.
> >>>> From what I have understood and seen, most of the code is integration
> >> code
> >>>> and there is at least from my current knowledge a little bit of code
> to
> >> put
> >>>> together in a reusable manner in a reusable library (where ever it
> >> sits).
> >>>> I was planning to do a quick prototype and get it to work from end to
> >> end
> >>>> into a working branch so we can move the discussion forward and see
> >> exactly
> >>>> where we go.
> >>>>
> >>>> Regarding the signing library, I am kinda on the same page.
> >>>> I don't see myself rewriting Johnzon to parse JSON and then Jose or
> >> Nimbus
> >>>> to do signing. There is absolutely no point at least for the POC.
> Again,
> >>>> we'll see if I get something working what we can do.
> >>>>
> >>>>
> >>>>
> >>> Agreeing for a PoC but for a production ready software it is if it can
> >>> conflict or bring drawbacks to the users to import the solution. The
> json
> >>> lib should at least be pluggable - avoids to shade/rewrite anything but
> >> let
> >>> the integrator use what he already has. Side note for json: for the
> >> overall
> >>> consistency using JSON-P makes it easy to get a common API which
> doesn't
> >>> need any investment and solves that "plug your impl" smoothly. For the
> >>> signing part it is a bit different since it will easily bring a huge
> >> stack
> >>> - how many bring jackson, simple-json, ... by default and are not
> >>> pluggable. This is an issue and can even lead to not working
> >> installations.
> >>> If you doubt I have like 700 components to show you it is not a random
> or
> >>> theorical thought. Investment is also quite light so not sure it does
> >> worth
> >>> speaking about it days.
> >>>
> >>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Jean-Louis Monteiro
> >>>> http://twitter.com/jlouismonteiro
> >>>> http://www.tomitribe.com
> >>>>
> >>>> On Tue, Feb 13, 2018 at 12:43 PM, John D. Ament <
> johndam...@apache.org>
> >>>> wrote:
> >>>>
> >>>>>
> >>>>>
> >>>>> On 2018/02/12 20:42:58, Jonathan Gallimore <
> >> jonathan.gallim...@gmail.com
> >>>>>
> >>>>> wrote:
> >>>>>> On Mon, Feb 12, 2018 at 8:20 PM, Romain Manni-Bucau <
> >>>>> rmannibu...@gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> No Andy, as mentionned in the discussion Geronimo hosts the
> >>>>> microprofile
> >>>>>>> @asf. This is why jwt should probably be done in geronimo which is
> >>>> the
> >>>>> asf
> >>>>>>> ee related project umbrella.
> >>>>>>>
> >>>>>>
> >>>>>> I don't recall that discussion. Where did it take place?
> >>>>>
> >>>>> I *think* he meant me.  The only time JWT came up on Geronimo was at
> >> [1].
> >>>>> I had mentioned bringing over an impl based on Jose4J, Romain felt
> very
> >>>>> strongly we mustn't rely on 3rd party libraries.  I'm not sure why
> that
> >>>> is,
> >>>>> but it seemed based on the discussion we had two different aims so it
> >>>>> wasn't something I pushed forward on.  If there's interest within
> TomEE
> >>>> to
> >>>>> get a JWT impl up and running, I'd be happy to help (though I do feel
> >>>>> strongly relying on a 3rd party lib for the actual signature
> >> validation +
> >>>>> external sig support is important; to avoid that overhead).
> >>>>>
> >>>>> RE MP @ TomEE/Geronimo.  I don't believe there's any hard or fast
> rules
> >>>>> about what projects are allowed to host.  For example, there's
> interest
> >>>>> within Skywalking to host the CDI and JAX-RS extensions to support
> >>>> OpenApi;
> >>>>> but this spec doesn't represent something any server vendor would
> >> support
> >>>>> since its really about your APM solution.  CXF happily took on the MP
> >>>> Rest
> >>>>> Client when I proposed it; though I would hope TomEE relies on the
> CXF
> >>>>> library instead of crafting their own client (selfish desires).  The
> >> JWT
> >>>>> spec is weird, because it defined non MP runtime behavior in addition
> >> to
> >>>> MP
> >>>>> runtime behavior; so there may be more integration work in a fuller
> app
> >>>>> server like TomEE.
> >>>>>
> >>>>> </peanut-gallery>
> >>>>>
> >>>>> John
> >>>>>
> >>>>> [1]: https://lists.apache.org/thread.html/
> >> 4edc997cfe2e45aaf25bb118bc6216
> >>>>> 34c2832641cf3a9d954a6f7245@%3Cdev.geronimo.apache.org%3E
> >>>>>
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>> I understand it is not the most convenient for tomitribe which
> >>>> probably
> >>>>>>> perfers to own the full project(s) but as a foundation member I d
> >>>>> really
> >>>>>>> like to not let company details pollute projects
> >>>>>>
> >>>>>>
> >>>>>>> Also the discussion made clear to not do it in current repo
> whatever
> >>>>>>> project is used as umbrella so we should revert that and finish the
> >>>>>>> discussion before any action to not kill tomee project by a hard
> >>>>> company
> >>>>>>> driven management making it no more in the OSS spirit.
> >>>>>>>
> >>>>>>
> >>>>>> I agree the discussion should happen first, and I note that the
> change
> >>>>> has
> >>>>>> been reverted. I recall that we agreed on this list that we'd create
> >>>> new
> >>>>>> git projects for Sheldon and Chatterbox under the TomEE umbrella.
> >>>> Should
> >>>>>> other components sit under TomEE, I imagine that they would follow
> the
> >>>>> same
> >>>>>> pattern - i.e. discuss first, agree location, create repo or move
> >>>> things
> >>>>>> around as appropriate.
> >>>>>>
> >>>>>> I don't know what your specific issues are here, but I think you are
> >>>>> making
> >>>>>> some assumptions that are simply not true.
> >>>>>>
> >>>>>> Jon
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>> Le 12 févr. 2018 21:14, "Andy Gumbrecht" <agumbre...@tomitribe.com
> >
> >>>> a
> >>>>>>> écrit :
> >>>>>>>
> >>>>>>>> "Parts of the components skeletons you just created"
> >>>>>>>>
> >>>>>>>> They're just logically named empty modules for pending work?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 12/02/18 20:42, Mark Struberg wrote:
> >>>>>>>>
> >>>>>>>>> And what's that for?
> >>>>>>>>>
> >>>>>>>>> Is there any behind the scene stuff going on at Tomitribe or can
> >>>> we
> >>>>>>>>> finally get back to discussing such things on the Apache lists?
> >>>>>>>>>
> >>>>>>>>> Before we go on I'd would first finish the discussion how we want
> >>>> to
> >>>>>>> turn
> >>>>>>>>> TomEE into an umbrella project or how the structure would be. And
> >>>>>>>>> whether/how we want to integrate the modular Geronimo parts into
> >>>> one
> >>>>>>>>> project or not.
> >>>>>>>>>
> >>>>>>>>> Parts of the components skeletons you just created do already
> >>>> exist
> >>>>> at
> >>>>>>>>> the ASF.
> >>>>>>>>>
> >>>>>>>>> LieGrue,
> >>>>>>>>> strub
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Monday, 12 February 2018, 20:22:53 CET, Andy Gumbrecht <
> >>>>>>>>> agumbre...@tomitribe.com> wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Added project stubs:
> >>>>>>>>> https://github.com/apache/tomee/tree/master/microprofile
> >>>>>>>>>
> >>>>>>>>> Andy.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 05/02/18 11:17, Jean-Louis Monteiro wrote:
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> Ok thanks guys.
> >>>>>>>>>> @Rudy, you are most welcome :)
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> Jean-Louis Monteiro
> >>>>>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>>>>> http://www.tomitribe.com
> >>>>>>>>>>
> >>>>>>>>>> On Fri, Feb 2, 2018 at 11:39 AM, Rudy De Busscher <
> >>>>>>>>> rdebussc...@gmail.com <mailto:rdebussc...@gmail.com>>
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> I think it is a very important spec, also for non-microprofile
> >>>>>>>>>>> implementations as it can enhance the interoperability of all
> >>>>>>> servers.
> >>>>>>>>>>>
> >>>>>>>>>>> I'm also very interested in the implementation (and want to
> >>>> help
> >>>>> a
> >>>>>>> bit
> >>>>>>>>> with
> >>>>>>>>>>> it also :) )
> >>>>>>>>>>>
> >>>>>>>>>>> regards
> >>>>>>>>>>> Rudy
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On 2 February 2018 at 11:23, Mark Struberg
> >>>>> <strub...@yahoo.de.invalid
> >>>>>>>>> <mailto:strub...@yahoo.de.invalid>>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> To clarify this even further:
> >>>>>>>>>>>> The Geronimo Server is now officially dead.
> >>>>>>>>>>>> But the Geronimo project is not. It alredy contains quite a
> >>>> few
> >>>>>>>>> modular
> >>>>>>>>>>>> parts which are reused in many ASF projects and also outside.
> >>>>>>>>>>>> Examples is the geronimo-transaction-manager,
> >>>> geronimo-javamail,
> >>>>>>>>>>>> geronimo-config, xbean-finder, etc
> >>>>>>>>>>>>
> >>>>>>>>>>>> Of course it would probably make sense to fold those 2
> >>>> projects
> >>>>>>>>> together,
> >>>>>>>>>>>> as already discussed in the past.
> >>>>>>>>>>>> I'm still all open to it, but I have an important criterium to
> >>>>>>> fulfil:
> >>>>>>>>>>>> If we move those portable parts to TomEE, then this would mean
> >>>>> that
> >>>>>>>>> TomEE
> >>>>>>>>>>>> would become an 'Umbrella project'.
> >>>>>>>>>>>> And further that we would need a new name for those portable
> >>>>> parts.
> >>>>>>>>>>>> They would effectively be mainatained by the TomEE community
> >>>>> (which
> >>>>>>>>> has a
> >>>>>>>>>>>> big overlap with Geronimo anyway) but those parts must clearly
> >>>>> be
> >>>>>>>>>>>> recognized separately from TomEE.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Otherwise people will assume that those parts only work within
> >>>>>>> TomEE -
> >>>>>>>>>>>> where in reality they would even work on WildFly or Liberty,
> >>>>> etc. or
> >>>>>>>>>>> even a
> >>>>>>>>>>>> naked Tomcat.
> >>>>>>>>>>>> Got me?
> >>>>>>>>>>>>
> >>>>>>>>>>>> We might e.g. brand them as 'TomEE Geronimo Spare Parts
> >>>>> Department'
> >>>>>>> :)
> >>>>>>>>>>>>
> >>>>>>>>>>>> LieGrue,
> >>>>>>>>>>>> strub
> >>>>>>>>>>>>
> >>>>>>>>>>>> PS: I'd also love to keep the org.apache.geronimo package name
> >>>>> to
> >>>>>>> ease
> >>>>>>>>>>>> backward compatibility.
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Am 02.02.2018 um 11:08 schrieb Romain Manni-Bucau <
> >>>>>>>>>>> rmannibu...@gmail.com <mailto:rmannibu...@gmail.com>
> >>>>>>>>>>>>> :
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> 2018-02-02 11:05 GMT+01:00 Otávio Gonçalves de Santana <
> >>>>>>>>>>>>> osant...@tomitribe.com <mailto:osant...@tomitribe.com>>:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Guys, I have a question:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Why not a project to each implementation?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> this is the case but geronimo is used as an umbrella project.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> This way I can use just a specific if I want also.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> exactly the goal and user usage AFAIK ;)
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> long story short: we learnt from the past errors and since
> >>>>> always
> >>>>>>> the
> >>>>>>>>>>>> same
> >>>>>>>>>>>>> people work on these projects it is better to not split it
> >>>>> accross
> >>>>>>> N
> >>>>>>>>>>>>> communities since
> >>>>>>>>>>>>> it leads to a lot of efforts for these people. Having a
> >>>> single
> >>>>>>>>> umbrella
> >>>>>>>>>>>>> project with N subprojects reduces the administrative work
> >>>> etc
> >>>>> and
> >>>>>>>>>>>> enhance
> >>>>>>>>>>>>> the projects productivity.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Fri, Feb 2, 2018 at 7:44 AM, Romain Manni-Bucau <
> >>>>>>>>>>>> rmannibu...@gmail.com <mailto:rmannibu...@gmail.com>>
> >>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hi JL,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Microprofile apache effort is hosted in geronimo and John
> >>>>> already
> >>>>>>>>>>> spoke
> >>>>>>>>>>>>>>> about it I think. Would probably saner to keep it all at
> >>>> the
> >>>>> same
> >>>>>>>>>>> place
> >>>>>>>>>>>>>> for
> >>>>>>>>>>>>>>> the foundation.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>>>>>>>>>>>>>> <https://rmannibucau.metawerx.net/> | Old Blog
> >>>>>>>>>>>>>>> <http://rmannibucau.wordpress.com> | Github <
> >>>>> https://github.com/
> >>>>>>>>>>>>>>> rmannibucau> |
> >>>>>>>>>>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> >>>>>>>>>>>>>>> <https://www.packtpub.com/application-development/java-
> >>>>>>>>>>>>>>> ee-8-high-performance>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> 2018-02-02 9:39 GMT+01:00 Jean-Louis Monteiro <
> >>>>>>>>>>>> jlmonte...@tomitribe.com <mailto:jlmonte...@tomitribe.com>
> >>>>>>>>>>>>>>> :
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I was wondering if we could have the Microprofile JWT
> >>>>>>> implemented
> >>>>>>>>> in
> >>>>>>>>>>>>>>> TomEE.
> >>>>>>>>>>>>>>>> What do you think?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I was reading the spec and I'd like to contribute that in.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Jean-Louis
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>>> Jean-Louis Monteiro
> >>>>>>>>>>>>>>>> http://twitter.com/jlouismonteiro
> >>>>>>>>>>>>>>>> http://www.tomitribe.com
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Andy Gumbrecht
> >>>>>>>>> https://twitter.com/AndyGeeDe
> >>>>>>>>>
> >>>>>>>>> http://www.tomitribe.com
> >>>>>>>>>
> >>>>>>>>> https://www.tomitribe.io
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Ubique
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> --
> >>>>>>>> Andy Gumbrecht
> >>>>>>>> https://twitter.com/AndyGeeDe
> >>>>>>>> http://www.tomitribe.com
> >>>>>>>> https://www.tomitribe.io
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Ubique
> >>
> >>
>
>

Reply via email to