[cdi-dev] CDI in the new Java EE Security spec

arjan tijms arjan.tijms at gmail.com
Thu Nov 27 18:38:12 EST 2014


Hi,

On Thu, Nov 27, 2014 at 10:36 PM, Antonio Goncalves
<antonio.goncalves at gmail.com> wrote:
> I hope that it's more than just a "consideration" ;o)  We might get in touch
> with the Expert Group to make sure we can help them in integrating CDI.

I think CDI is indeed very important in making a more modern security system.

A couple of random ideas where CDI can be leveraged:

* Auth modules using CDI to locate an appropriate user-provided
authenticator as described here:

http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html

* The @RolesAllowed annotation re-implemented as CDI interceptor.
There are many examples, I implemented one here (using BV actually,
but that's an interceptor as well):

https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/constraints/RolesAllowedValidator.java

* Events that are fired at several moments of the authentication
dialog, with possibly the ability to abort the dialog from the event
handler. Examples of events are mentioned here:

https://java.net/jira/browse/JASPIC_SPEC-21

Discussion about events in security:
https://java.net/projects/javaee-spec/lists/users/archive/2014-11/message/17

A *crucial* aspect is that CDI is activated early during request
processing. Currently CDI is often activated via a servlet request
listener. Now the problem is that on some containers request listeners
run BEFORE authentication modules are executed (and see the HttpServletRequest
object), while on some other containers those request listeners execute
AFTER authentication modules execute.

Kind regards,
Arjan Tijms
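
As an added example that is not part of the original post (and not OmniSecurity's RolesAllowedValidator, which goes through Bean Validation instead), here is one way to implement the interceptor idea from the second bullet. It uses a hypothetical @Secured binding with a @Nonbinding role list rather than javax.annotation.security.RolesAllowed itself, because turning RolesAllowed into an interceptor binding needs a portable extension. It assumes Java EE 7 (CDI 1.1 with the built-in HttpServletRequest bean) and, as the last paragraph of the post warns, that the container has already run its authentication module before the intercepted bean method is invoked, so that getUserPrincipal and isUserInRole reflect the authenticated caller.

```java
// Added example, not code from the post or from OmniSecurity: a CDI interceptor
// that enforces a roles-allowed constraint on bean methods.
// Assumptions: Java EE 7 (CDI 1.1, Servlet 3.1), interceptor enabled via @Priority,
// and authentication has already run for the current request.
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.io.Serializable;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.security.Principal;

import javax.annotation.Priority;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical interceptor binding (stand-in for @RolesAllowed). The role names are
 * @Nonbinding so a single interceptor serves every value; @Inherited keeps a
 * class-level annotation visible through the container's proxy subclass.
 */
@Inherited
@InterceptorBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
@interface Secured {
    @Nonbinding String[] value() default {};
}

/** Lets the call proceed only if the authenticated caller holds one of the listed roles. */
@Interceptor
@Secured
@Priority(Interceptor.Priority.APPLICATION)
class SecuredInterceptor implements Serializable {

    private static final long serialVersionUID = 1L;

    // Servlet 3.1 built-in bean; only meaningful while a request is active.
    @Inject
    private HttpServletRequest request;

    @AroundInvoke
    public Object checkRoles(InvocationContext ctx) throws Exception {
        // Method-level annotation wins over class-level.
        Secured secured = ctx.getMethod().getAnnotation(Secured.class);
        if (secured == null) {
            secured = ctx.getTarget().getClass().getAnnotation(Secured.class);
        }
        String[] roles = secured == null ? new String[0] : secured.value();

        Principal user = request.getUserPrincipal();
        if (user == null) {
            // No identity was established by the auth module: reject before any role check.
            throw new SecurityException("Authentication required for " + ctx.getMethod().getName());
        }

        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return ctx.proceed();
            }
        }

        // Authenticated but in none of the allowed roles (or an empty list): fail closed.
        throw new SecurityException("User " + user.getName() + " lacks a required role for "
                + ctx.getMethod().getName());
    }
}
```

Annotating a CDI bean method with @Secured({"admin", "auditor"}) lets a caller in either role through and rejects everyone else; an unauthenticated caller is rejected before any role is consulted, and a bare @Secured() denies all callers, which is the deliberate fail-closed default. The two SecurityException sites are where a real implementation would hand control back to the container to produce the 401 or 403 response.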
