[aerogear-dev] AeroGear Controller, Security…(SoC), oh my

Summers Pittman supittma at redhat.com
Wed Feb 20 09:55:34 EST 2013


On 02/20/2013 08:25 AM, Bruno Oliveira wrote:
> Good morning slackers.
>
> Today I was chatting with Dan about some cross-cutting concerns like 
> CORS, XSS mitigation, HSTS, CSP. They have something to do with 
> security, but it is not because it has "security" in the specification 
> that it MUST be inside AG-sec.
>
> They're cross-cutting concerns and I'd like to have them in a single 
> place to be used as a dependency. So what are the alternatives?

I like all of these options, and I will reply with my thoughts inline.
>
> 1- Put it inside AG-Controller and AG sec will be just the bridge to 
> providers like PicketLink
I enjoy monolithic libraries/applications because it is fewer jars to 
download/manage.  This also helps keep down some of the paradox of 
choice problems that happen in say Spring where exactly which library I 
want is a crapshoot so I just get them all.  Fortunately with 
Maven/Ivy/Gradle tooling my IDE can search for the pack which contains 
the classes/functionality I am referencing so that concern is mitigated 
somewhat.
> 2- Put it inside AG-Sec and decoupled from AG-Controller, if you want 
> to add security on AG-Controller based apps, you just include AG-Sec 
> as dependency
This gives AG-security something which lets it tell a different story 
from Spring Security (which I think is only Auth/Authz).  It keeps the 
controller "kernel" lighter and makes it easier for someone to 
understand what AG-Controller is doing under the hood.
> 3- And Matthias suggested the creation of ag-controller plugins.
Keeping everything really bite sized makes it very nice for 
hackers/tinkerers to understand how we are implementing a security 
feature.  This gives the community a lower barrier to entry (perhaps).  
It has some of the problems I mentioned in 1. (i.e. the crapshoot of 
necessary jars) but has benefits too (smaller downloads, easier to get 
up and running, etc.).
>
> So…...what do you think?
>
>
Summers
> -- 
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
