Re: [security-dev] Fwd: security: why creating thg from scratch?

Thought if forward this one on to make sure we have it covered. Begin forwarded message: > *From:* Glh <gsouzeau(a)gmail.com <mailto:gsouzeau@gmail.com>> > *Date:* January 15, 2013, 3:50:32 MST > *To:* deltaspike-dev(a)incubator.apache.org > <mailto:deltaspike-dev@incubator.apache.org> > *Subject:* *Re: security: why creating thg from scratch?* > *Reply-To:* deltaspike-dev(a)incubator.apache.org > <mailto:deltaspike-dev@incubator.apache.org> > > Dear all, > > I start a JEE6 project (CDI/JPA/JSF) in a few months and security is a > problem. The 3 main frameworks handling security are (sorry if i miss > one): > > *- Spring Security:* not a good idea for a CDI-oriented architecture. > *- Apache Shiro:* very interesting but doesn't support multi-stage > authentication and need to be "POCed" because rather "exotic" (different > identity model, not based on JAAS). I lack of time to perform such a POC. > *- Seam Security:* has no future, lack of documentation. > > So if we consider that delta-spike security is the future but not > available > and not mature enough before a (too) long time; what should we do? > > I'm under the impression that you pick the best of several security > frameworks and add some features of your own so how can we choose a > security > framework that will not imply a costly refactoring when delta spike > will be > available? > I found some answers along this forum (and related-jiras such as "Discuss > Security Module"; yet we need a clear path: > > 1) please, what will exactly be the deltaspike security module? > 2) which existing security framework is the closest to the target? > 3) which one will imply the least refactoring? > > If the answer is accurate/clear, it would be useful to highlight it: > I think > a lot of architects are in the same trouble than me. > > I'm not yet very confortable with Apache process so please forgive me > if I > ask questions that have already been answered somewhere. > > Regards. > Glh > > P.S: I don't have the security requirements yet, I just know that > multi-authentication could be required. > >