Christian, I'm not sure I have specific advice about how to approach Shiro compatibility without spending some cycles on it. I think we could engage Les and Shiro community to help though. One possible approach might just be to have CXF use a pluggable approach so that it calls out to an API when it checks if a user is authentication/authorized. That way a JAAS implementation could be put in place but a Shiro or Spring Security implementation could also be put in place. This would have to be made OSGI friendly, but I bet it could be done.
I guess I just wanted to toss that out there so that any decisions that were made wouldn't preclude using frameworks other than JAAS. In my experience, using JAAS in an OSGI environments, with cross-service calls, is very problematic so I'd just hate to see CXF require usage of JAAS. One could argue that CXF didn't need to provide A&A at all in the core and external libraries can be used through filters/interceptors as the standard. I'll give it some more thought as this conversation continues. Chris On Sun, Jul 13, 2014 at 10:56 AM, Christian Schneider < [email protected]> wrote: > I think it would be great to stay compatible to the external security > frameworks. > > What do you think needs to be considered regarding shiro? > > Christian > > > Am 13.07.2014 17:50, schrieb Chris Geer: > > While authentication/authorization is being discussed it would also be >> good >> if compatibility with Apache Shiro was kept in mind. >> >> >> > -- > Christian Schneider > http://www.liquid-reality.de > > Open Source Architect > Talend Application Integration Division http://www.talend.com > >
