Hi,
On Thu, Nov 27, 2014 at 10:36 PM, Antonio Goncalves
<antonio.goncalves(a)gmail.com> wrote:
> I hope that it's more than just a "consideration" ;o)
> We might get in touch with the Expert Group to make sure we can help
> them in integrating CDI.
I think CDI is indeed very important in making a more modern security system.
A couple of random ideas where CDI can be leveraged:
* Auth modules using CDI to locate an appropriate user provided
authenticator as described here:
http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html
* The @RolesAllowed annotation re-implemented as CDI interceptor.
There are many examples, I implemented one here (using BV actually,
but that's an interceptor as well):
https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/o...
* Events that are fired at several moments of the authentication
dialog, with possibly the ability to abort the dialog from the event
handler. Examples of events are mentioned here:
https://java.net/jira/browse/JASPIC_SPEC-21
Discussion about events in security:
https://java.net/projects/javaee-spec/lists/users/archive/2014-11/message/17
A *crucial* aspect is that CDI is activated early during request
processing. Currently CDI is often activated via a servlet request
listener. Now the problem is that on some containers request listeners
run BEFORE authentication modules are executed (and see the HttpServletRequest
object), while on some other containers those request listeners execute
AFTER authentication modules execute.
Kind regards,
Arjan Tijms
--
Antonio Goncalves
Software architect, Java Champion and Pluralsight author
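The second idea in the message above, @RolesAllowed enforced by a CDI interceptor, could look like the following. This is an added example, not code from the message or from the linked omnisecurity project. The `@Secured` binding and the class name are hypothetical, and the sketch assumes a CDI 1.1+ servlet container in which authentication has already completed when the interceptor runs (the ordering concern raised in the message).

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.interceptor.*;
import javax.servlet.http.HttpServletRequest;

// Hypothetical binding: @RolesAllowed is not an interceptor binding itself,
// so beans opt in with @Secured (same package in this sketch).
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secured {}

@Secured
@Interceptor
@Priority(Interceptor.Priority.PLATFORM_BEFORE + 200)
public class RolesAllowedInterceptor {

    // Built-in bean in CDI 1.1+ servlet containers; reflects the caller
    // established by the authentication module for the current request.
    @Inject
    private HttpServletRequest request;

    @AroundInvoke
    public Object checkRoles(InvocationContext ctx) throws Exception {
        Method method = ctx.getMethod();
        // A method-level @RolesAllowed takes precedence over a class-level one.
        RolesAllowed allowed = method.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            allowed = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (allowed == null) {
            return ctx.proceed(); // no role constraint declared on this call
        }
        for (String role : allowed.value()) {
            if (request.isUserInRole(role)) {
                return ctx.proceed(); // caller holds one of the listed roles
            }
        }
        // Fail closed: unauthenticated callers hold no roles and end up here.
        throw new SecurityException(
            "Caller is not in any role required by " + method.getName());
    }
}
```

If the container activates CDI before the authentication module has run, `isUserInRole` sees no authenticated caller and every constrained call is rejected, which is the safe direction for that ordering problem.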