[jboss-as7-dev] security APIs/SPIs really need a redesign

Anil Saldhana Anil.Saldhana at redhat.com
Thu Sep 22 19:12:58 EDT 2011


On 09/22/2011 05:56 PM, Bill Burke wrote:
> On 9/22/11 5:46 PM, David M. Lloyd wrote:
>> I'm going to put on my Bill hat here and say, "JSR 196 is crap".
>>
> It's not just JSR196.  SAML is crap. XACML is crap.  It's horrible,
> horrible stuff.  The only reason we should implement it is to integrate
> with other vendors' products.
I am not preaching JSR 196 here. Because of EE6, my team has to 
implement it for AS7.1.  I don't magically get hours to figure out 
abstract uber APIs and slowly plug in the EE specs.

That way, security is a mess.  Too bad, you don't get a call when there 
is a major issue with some security mechanism that was put in some weird 
corner of the JBoss ecosystem.

> Also plugging in your own authentication mechanism in AS7 is crap too,
> especially, modules are a mess.  Unless you fixed some things in the last
> month.  But that's another conversation I want to have.
>
Rather than just complaining, please provide feedback on what gives you 
heartburn. Suggest alternatives.  It is not like I have a telepathic 
hat to just wear and understand you.
>> I've been saying this exact thing for over a year now.  And the response
>> has ever been "we'll have a call, we'll talk about it, we'll gather
>> requirements, let's write an agenda, get some minutes, talk talk talk talk".
>>
> Yup.  I can't wait any longer.  Too many of our users want our OAuth
> work integrated.  There's a whole story around security, web-apps, and
> REST I'm trying to put together as well.  The thing is we also need
> some *real* management on this stuff as well.
>
For your kind information, the OAuth spec is not even final. I think they 
are at Draft 21 and hopefully in this millennium, they will finish the 
spec.  The same goes for OpenID. OpenID schema types refer to 
www.axschema.org and that domain does not even exist.

> Bill
>
