Re: [jaspic-dev] registerServerAuthModule

On Fri, Dec 3, 2021 at 12:31 PM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:
Hi,

On Fri, Dec 3, 2021 at 1:15 PM Darran Lofthouse <darran.lofthouse@xxxxxxxxx> wrote:
I thought I had replied to this one but doesn't look like I did in the end.

I think this one potentially has a close relationship with the need for permissions that we were discussing on the other thread - i.e. deployments manipulating the settings of other deployments. Once we start to have APIs for deployments self-managing their security those prior needs reduce.

I think that the consensus seems to be, more or less, and at least according to the Java SE team, that deployments in a Jakarta EE server are not really independent applications that need to be protected against each other. They are more like cooperating modules of a single logical application.

So I didn't think permissions were really needed here at all in the first place, but soon those types of permissions won't be easily enforceable anyway.

That being said, deployments manipulating the settings of other deployments is a somewhat rare use case. The API puts this really front and centre, while in practice you mostly want to do things for the current application. Also notice that if deployment A contains a ServerAuthModule that it sets for deployment B, class loading issues may occur. Probably a .rar deployment can do this more correctly since I think it gets a lower level server classloader, but using .rars is also not that common these days.

Yes, it really feels like the present emphasis is on self-configuration for a deployment; the other cases seem very rare.
 
The server vendor can put this API of course to good use though, when the server itself reads e.g. a config file with e.g. server auth modules targeted at specific applications.

The vendor can, but as the bootstrap code to handle the configuration would be vendor specific it wouldn't be a problem to use a custom API for the initialisation - but maybe this is a good starting point for the servlet profile simplification to focus on the bootstrap, possibly from config. Also in this area is the expected behaviour and interaction for multiple SAMs; this could be a good gap to address so the spec can define some consistent behaviour.


Kind regards,
Arjan



 