On 02/20/2013 08:25 AM, Bruno Oliveira wrote:
Good morning slackers.

Today I was chatting with Dan about some cross-cutting concerns like CORS, XSS mitigation, HSTS, CSP. They have something to do with security, but it is not because a specification has "security" in it that it MUST be inside AG-sec.

They're cross-cutting concerns and I'd like to have them in a single place to be used as a dependency. So what are the alternatives?

I like all of these options, and I will reply with my thoughts inline.

1- Put it inside AG-Controller and AG sec will be just the bridge to providers like PicketLink
I enjoy monolithic libraries/applications because there are fewer jars to download/manage.  This also helps keep down some of the paradox-of-choice problems that happen in, say, Spring, where exactly which library I want is a crapshoot, so I just get them all.  Fortunately, with Maven/Ivy/Gradle tooling my IDE can search for the package which contains the classes/functionality I am referencing, so that concern is mitigated somewhat.
2- Put it inside AG-Sec and decoupled from AG-Controller, if you want to add security on AG-Controller based apps, you just include AG-Sec as dependency
This gives AG-Security something that lets it tell a different story from Spring Security (which I think is only Auth/Authz).  It keeps the controller "kernel" lighter and makes it easier for someone to understand what AG-Controller is doing under the hood.
3- And Matthias suggested the creation of ag-controller plugins.
Keeping everything really bite-sized makes it very nice for hackers/tinkerers to understand how we are implementing a security feature.  This gives the community a lower barrier to entry (perhaps).  It has some of the problems I mentioned in 1. (i.e. the crapshoot of necessary jars) but has benefits too (smaller downloads, easier to get up and running, etc.)

So... what do you think?


Summers

-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
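For readers wondering what "a single place to be used as a dependency" looks like in practice for the headers named above, here is an added example of a servlet Filter that carries HSTS, CSP, anti-sniffing/anti-framing and allow-listed CORS in one class. It is illustrative code written for this page, not code from AeroGear Controller, AG-Security or any other AeroGear module. It assumes the javax.servlet API on the classpath, a hypothetical package name, a hypothetical "allowedOrigins" init parameter, and header values chosen for the example rather than taken from any AeroGear configuration.

```java
package org.example.security; // hypothetical package, not an AeroGear module

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * One filter that carries the cross-cutting headers discussed in the thread
 * (HSTS, CSP, anti-XSS/anti-sniffing, CORS). It sits in front of whatever
 * controller serves the request, so it can ship as its own dependency.
 */
public class SecurityHeadersFilter implements Filter {

    // Allow-list of CORS origins, read from a hypothetical init parameter
    // (constructed for this example; a real deployment would configure it).
    private Set<String> allowedOrigins;

    @Override
    public void init(FilterConfig config) {
        allowedOrigins = new HashSet<>();
        String param = config.getInitParameter("allowedOrigins");
        if (param != null) {
            for (String origin : param.split(",")) {
                allowedOrigins.add(origin.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // HSTS only has meaning over TLS; browsers ignore it on plain HTTP,
        // so only emit it when the request actually arrived over a secure channel.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security",
                    "max-age=31536000; includeSubDomains");
        }

        // CSP: same-origin resources only, no plugins, no framing. Leaving out
        // 'unsafe-inline' is what makes this useful against reflected XSS.
        response.setHeader("Content-Security-Policy",
                "default-src 'self'; object-src 'none'; frame-ancestors 'none'");

        // Defence-in-depth for browsers that predate CSP.
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", "DENY");

        // CORS: reflect the Origin only when it is on the allow-list. Never echo
        // an arbitrary Origin, and never combine "*" with credentials.
        String origin = request.getHeader("Origin");
        if (origin != null && allowedOrigins.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.addHeader("Vary", "Origin"); // caches must key on Origin
            response.setHeader("Access-Control-Allow-Credentials", "true");
            if ("OPTIONS".equals(request.getMethod())) {
                // Preflight: answer here and stop; the controller never sees it.
                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
                response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Registered in web.xml (or with @WebFilter) against "/*" and given "allowedOrigins" as a comma-separated init parameter, the filter adds the headers to every response without the controller knowing it exists, which is the decoupling options 2 and 3 are after. The check worth keeping in mind is the CORS branch: an unknown Origin gets no Access-Control-* headers at all, so the browser refuses the cross-origin read instead of the server silently allowing it.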



_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev