<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Thought if forward this one on to make sure we have it covered. <br><br></div><div>Begin forwarded message:<br><br></div><blockquote type="cite"><div><b>From:</b> Glh <<a href="mailto:gsouzeau@gmail.com">gsouzeau@gmail.com</a>><br><b>Date:</b> January 15, 2013, 3:50:32 MST<br><b>To:</b> <a href="mailto:deltaspike-dev@incubator.apache.org">deltaspike-dev@incubator.apache.org</a><br><b>Subject:</b> <b>Re: security: why creating thg from scratch?</b><br><b>Reply-To:</b> <a href="mailto:deltaspike-dev@incubator.apache.org">deltaspike-dev@incubator.apache.org</a><br><br></div></blockquote><div><span></span></div><blockquote type="cite"><div><span>Dear all,</span><br><span></span><br><span>I start a JEE6 project (CDI/JPA/JSF) in a few months and security is a</span><br><span>problem. The 3 main frameworks handling security are (sorry if i miss one):</span><br><span></span><br><span>*- Spring Security:* not a good idea for a CDI-oriented architecture.</span><br><span>*- Apache Shiro:* very interesting but doesn't support multi-stage</span><br><span>authentication and need to be "POCed" because rather "exotic" (different</span><br><span>identity model, not based on JAAS). I lack of time to perform such a POC.</span><br><span>*- Seam Security:* has no future, lack of documentation.</span><br><span></span><br><span>So if we consider that delta-spike security is the future but not available</span><br><span>and not mature enough before a (too) long time; what should we do?</span><br><span></span><br><span>I'm under the impression that you pick the best of several security</span><br><span>frameworks and add some features of your own so how can we choose a security</span><br><span>framework that will not imply a costly refactoring when delta spike will be</span><br><span>available?</span><br><span>I found some answers along this forum (and related-jiras such as "Discuss</span><br><span>Security Module"; yet we need a clear path: </span><br><span></span><br><span>1) please, what will exactly be the deltaspike security module? </span><br><span>2) which existing security framework is the closest to the target? </span><br><span>3) which one will imply the least refactoring?</span><br><span></span><br><span>If the answer is accurate/clear, it would be useful to highlight it: I think</span><br><span>a lot of architects are in the same trouble than me.</span><br><span></span><br><span>I'm not yet very confortable with Apache process so please forgive me if I</span><br><span>ask questions that have already been answered somewhere.</span><br><span></span><br><span>Regards.</span><br><span>Glh</span><br><span></span><br><span>P.S: I don't have the security requirements yet, I just know that</span><br><span>multi-authentication could be required.</span><br><span></span><br><span></span><br><span></span><br><span>--</span><br><span>View this message in context: <a href="http://apache-deltaspike-incubator-discussions.2316169.n4.nabble.com/security-why-creating-thg-from-scratch-tp4653216p4654382.html">http://apache-deltaspike-incubator-discussions.2316169.n4.nabble.com/security-why-creating-thg-from-scratch-tp4653216p4654382.html</a></span><br><span>Sent from the Apache DeltaSpike Incubator Discussions mailing list archive at <a href="http://Nabble.com">Nabble.com</a>.</span><br></div></blockquote></body></html>