I am starting to leverage pac4j for the actual authorization and authentication in my webapps; I use this to call out to an instance of UserGrid https://usergrid.apache.org/ to manage the actual User Information, including permissions
On Tue, Dec 13, 2016 at 11:41 AM, Rob <[email protected]> wrote: > I took a look at pac4j, but unless I'm missing something it seems like > there is no local/database identity provider? > > At first glance pac4j covers a lot of use cases, but that seems to come at > the expense of developer experience (i.e. its complex) -- but I'd love to > hear otherwise from those who are using it. I feel a modern security > framework should let you get up and running quickly with a minimum of > external dependencies. > > What about Apache Oltu - has anyone had a good experience with using that? > > To throw in my 2c worth, I used Apache Shiro on my last Dropwizard > project. Briefly: > > Pros: > - Simple, easy to understand - a breath of fresh air compared to something > like Spring Security. > - Minimal dependencies > > Cons: > - Uses Jetty servlet filters, and every now and then you get > non-deterministic errors where POSTs mysteriously fail somewhere deep in > the call stack; this makes me afraid of using it long-term. > - Releases have slowed down a lot; starting to feel its age; this is a > Java 6, 2010 era project. > - Doesn't support OpenID/OAuth2 > - Minor: old school stateful sessions only > - Minor: doesn't seem widely used these days, so little traffic on the > mailing list, few examples, etc. > > > > On Monday, December 12, 2016 at 4:35:16 PM UTC-7, Evan Meagher wrote: >> >> +1 to pac4j, and specifically dropwizard-pac4j >> <https://github.com/pac4j/dropwizard-pac4j>. It should be able to do >> whatever you want. >> >> On Mon, Dec 12, 2016 at 3:26 PM, Shan Syed <[email protected]> wrote: >> >>> check this out http://www.pac4j.org/ >>> >>> On Mon, Dec 12, 2016 at 6:12 PM, Rob <[email protected]> wrote: >>> >>>> I am taking a fresh look at how to best handle authorization and >>>> authentication in Dropwizard today. I think it would be a very helpful >>>> conversation for all of us if we could share what we're using for authn and >>>> authz, and what we feel would be the simplest/best/etc approach today. >>>> >>>> Here's my personal take on the requirements are for a modern authn and >>>> authz solution: >>>> >>>> 1) As few external dependencies as possible - e.g. no dependency on >>>> external service, such as KeyCloak, Auth0, etc. Should be able to use the >>>> app's database as the identity provider for users and role/permissions. >>>> >>>> 2) Simplicity - many security libraries try to handle every protocol or >>>> standard, and end up being hard to configure and troubleshoot. >>>> >>>> 3) Works cleanly with both indirect clients (views; web form-based >>>> login) and direct clients (APIs). Example use case: a view rendered >>>> server-side has some JS that fetches data from a resource. >>>> >>>> 4) Simple role and/or permission based access control. >>>> >>>> 5) User can optionally authenticate via Facebook, Google, etc. >>>> >>>> 6) If an account needs to be de-activated, user can be logged out >>>> across all devices/sessions within minutes. >>>> >>>> 7) The project is actively maintained and updated. >>>> >>>> Bonus: in theory stateless sessions would be nice option to have - >>>> although there are probably too many drawbacks to make the complexity worth >>>> it (e.g. JWT with short-lived access tokens and long-lived refresh >>>> tokens). >>>> >>>> I don't think there's any Java solution out there that meets the >>>> requirements above, but I'd love to hear if anyone has gotten close. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "dropwizard-user" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "dropwizard-user" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> >> >> -- >> Evan Meagher >> > -- > You received this message because you are subscribed to the Google Groups > "dropwizard-user" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "dropwizard-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
