<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/20/2013 08:25 AM, Bruno Oliveira
wrote:<br>
</div>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div>Good morning slackers.</div>
<div><br>
</div>
<div>Today I was chatting with Dan about some cross-cutting
concerns like CORS, XSS mitigation, HSTS, CSP. They have
something related with security, but is not because it has
"security" into the specification, that it MUST be inside
AG-sec.</div>
<div><br>
</div>
<div>They're cross-cutting concerns and I'd like to have it in a
single place to be used as dependency. So what are the
alternatives?</div>
</div>
</blockquote>
<br>
I like all of these options, and I will reply with my thoughts
inline.<br>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div><br>
</div>
<div>1- Put it inside AG-Controller and AG sec will be just the
bridge to providers like PicketLink</div>
</div>
</blockquote>
I enjoy monolithic libraries/applications because it is fewer jars
to download/manage. This also helps keep down some of the paradox
of choice problems that happen in say Spring where exactly which
library I want is a crapshoot so I just get them all. Fortunately
with Maven/Ivy/Gradle tooling my IDE can search for the pack which
contains the classes/functionality I am referencing so that concern
is mitigated somewhat.<br>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div>2- Put it inside AG-Sec and decoupled from AG-Controller,
if you want to add security on AG-Controller based apps, you
just include AG-Sec as dependency</div>
</div>
</blockquote>
This give AG-security something which lets it tell a different story
from Spring security (which I think is only Auth/Authz). It keeps
the controller "kernel" lighter and makes it easier for someone to
understand what AG-Controller is doing under the hood.<br>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div>3- And Matthias suggested the creation of ag-controller
plugins.</div>
</div>
</blockquote>
Keeping everything really bite sized makes it very nice for
hackers/tinkerers to understand how we are implementing a security
feature. This gives the community a lower barrier to entry
(perhaps). It has some of the problems I mentioned in 1. (IE the
crapshoot of necessary jars) but has benefits too (smaller
downloads, easier to get up and running etc)<br>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div><br>
</div>
<div>So…...what do you think?</div>
</div>
</blockquote>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div>
<div><br>
</div>
<div>
<div><br>
</div>
<div>-- </div>
<div>"The measure of a man is what he does with power" -
Plato</div>
<div>-</div>
<div>@abstractj</div>
<div>-</div>
</div>
</div>
</div>
</blockquote>
Summers<br>
<blockquote
cite="mid:000469B7F6CC42EDB186CA11929FF755@abstractj.org"
type="cite">
<div>
<div>
<div>
<div>Volenti Nihil Difficile</div>
</div>
</div>
</div>
<div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>-- </div>
<div>"The measure of a man is what he does with power" - Plato</div>
<div>-</div>
<div>@abstractj</div>
<div>-</div>
<div>Volenti Nihil Difficile</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
aerogear-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></pre>
</blockquote>
<br>
</body>
</html>