Re: [aerogear-dev] AeroGear Security and friends deprecation

Ahoy, answers inline -- abstractj On March 25, 2014 at 5:51:46 AM, Matthias Wessendorf (matzew(a)apache.org) wrote: It shouldn’t exist once we are server agnostic I would say that’s a wrong assumption. Our client libraries rely on RESTful endpoints, not AG Security. For example, I could run AG Android against https://github.com/abstractj/example-jaxrs-shiro (Plain Shiro with RESTful endpoints)  If we’ve been doing it, that’s wrong. Because you tie the client with the server. I think the correct would be the opposite or some balance. For plain database authentication, the server could adapt its endpoints for what AeroGear expects. Or, the client should allow our dev to configure parameters. AGIOS-35 seems to be hard-coded parameters, which ties the client with the server. For basic and digest authentication, both must follow the protocol specification. I can be dead wrong, but this deprecation doesn’t mean to much to me. Why? AG Security is just few classes to fill in the gaps from PicketLink in the past. Our offerings should not be tied to the server side, at least for authentication. How could I authenticate with AeroGear and Node.js? In the worst case scenario, AG Security still exists. But we will no longer support it, so people can fork, copy and whatever they want.  Yes, they just need to be adapted and have AG Security removed. Today, we don’t need anymore 2 jars only for login/logout. Just stick with Apache Shiro, PicketLink or Keycloak and that’s all. I don’t think so, our focus relies on the client side and offerings for mobile on the server side. Security on the server is Keycloak and Picketlink responsibility, and yes, we will help on it. It doesn’t matter if is iOS, Android or JS, every project was supposed to be server agnostic. (Is just my opinion)