Darran Lofthouse wrote
Users are already used to providing a lot of their configuration within
the deployments - maybe even including PicketLink definitions where they
do not want to use definitions defined within the AS config.
One extra case that I don't think was mentioned yet; with JASPIC it's also
possible to do a programmatic registration and configuration of an auth
module. See the first source listing at
http://arjan-tijms.blogspot.nl/2012/11/implementing-container-authenticat...
for an example of doing this in a ServletContextListener.
The support for this was even slightly improved for Java EE 7 (see
http://arjan-tijms.blogspot.nl/2013/04/whats-new-in-java-ee-7s-authentica...).
> JAAS can be one of the authentication mechanisms. Ideally we should
> look at providing an SPI. I presume we will have an SPI.
To clarify some of the terminology I am using here when I talk about a
mechanism I am talking about the part that is sending and parsing the
HTTP messages for challenges and responses.
Isn't that exactly what the JASPIC SPI (more specifically the Servlet
Profile of it) in Java EE is already for? Would it perhaps be an option to
use that one directly?
--
View this message in context:
http://jboss-as7-development.1055759.n5.nabble.com/Web-Application-Securi...
Sent from the JBoss AS7 Development mailing list archive at
Nabble.com.
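
As an added illustration (not code from this thread or from the linked blog posts), here is how the "mechanism" part, sending the HTTP challenge and parsing the response, looks when written against the JASPIC Servlet Profile as a ServerAuthModule using HTTP Basic. The class name `BasicChallengeSam`, the `authenticate` hook and the realm `example` are hypothetical; the sketch assumes the Java EE 6/7 `javax.*` API, use over TLS, invocation only for protected resources, and a concrete subclass registered programmatically as the reply describes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical module: HTTP Basic challenge/response implemented as a JASPIC SAM.
public abstract class BasicChallengeSam implements ServerAuthModule {
    private CallbackHandler handler;
    // Assumption: a subclass checks the credentials; returns the caller's groups, or null to reject.
    protected abstract String[] authenticate(String user, String password);
    @Override public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map options) { handler = h; }
    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        try {
            String header = req.getHeader("Authorization");
            if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
                // Parse the client's answer to the challenge: base64("user:password").
                String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                         StandardCharsets.UTF_8);
                int colon = pair.indexOf(':');
                String user = colon < 0 ? null : pair.substring(0, colon);
                String[] groups = user == null ? null
                        : authenticate(user, pair.substring(colon + 1));
                if (groups != null) {
                    // Hand the established identity to the container through its callback handler.
                    handler.handle(new Callback[] { new CallerPrincipalCallback(client, user),
                                                    new GroupPrincipalCallback(client, groups) });
                    return AuthStatus.SUCCESS;
                }
            }
            // Missing or rejected credentials: send the challenge and stop processing.
            res.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) { // malformed base64, I/O error or unsupported callback
            throw (AuthException) new AuthException("Basic authentication failed").initCause(e);
        }
    }
    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```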