Dear all,
I am starting a JEE6 project (CDI/JPA/JSF) in a few months and security is a problem. The 3 main frameworks handling security are (sorry if I miss one):
*- Spring Security:* not a good idea for a CDI-oriented architecture.
*- Apache Shiro:* very interesting but doesn't support multi-stage authentication and needs to be "POCed" because it is rather "exotic" (different identity model, not based on JAAS). I lack the time to perform such a POC.
*- Seam Security:* has no future, lacks documentation.
So if we consider that DeltaSpike security is the future but not available and not mature enough for a (too) long time, what should we do?
I'm under the impression that you pick the best of several security frameworks and add some features of your own, so how can we choose a security framework that will not imply a costly refactoring when DeltaSpike will be available?
I found some answers on this forum (and in related JIRAs such as "Discuss Security Module"), yet we need a clear path:
1) please, what exactly will the DeltaSpike security module be?
2) which existing security framework is the closest to the target?
3) which one will imply the least refactoring?
If the answer is accurate/clear, it would be useful to highlight it: I think a lot of architects are in the same trouble as me.
I'm not yet very comfortable with the Apache process, so please forgive me if I ask questions that have already been answered somewhere.
Regards.
Glh
P.S.: I don't have the security requirements yet, I just know that multi-authentication could be required.