Re: [jakarta.ee-community] About Profiles

Hi,

On Mon, May 21, 2018 at 12:35 PM, Mark Little <mlittle@xxxxxxxxxx> wrote:
> I still feel that, with the possible exception of JSON-P, CDI and
> JAX-RS are needed. Config? Yes. Security? Personally I feel that
> microservices without security are an accident waiting to happen.

I argued right at the start for Security as well. Not just out of personal interest, but from a practical point of view as well (as an application developer, next to returning a JSON response, security is always the very first next thing that comes up).

MP now has some kind of security with MP JWT, but JWT is just -an- authentication mechanism. There isn't really a security backbone to fall back on or to refer to.

The problem is that most of the web security aspects in EE are concentrated in the Servlet Spec, augmented by the Servlet Container Profile of JASPIC (note, not full JASPIC, just the Servlet Container Profile).

Since MP decided not to include Servlet, it misses things like setting security constraints, an SPI for authentication mechanisms and some basic rules that are now just assumed (like does a request listener come before or after whatever filter does authentication, and can (another) filter come before the filter that does authentication, etc).

There are many ways to approach this omission, but as a first step I think we might want to define a JAX-RS Container Profile for security that does define some of those internal basics.

Kind regards,
Arjan



 


On Mon, May 21, 2018 at 12:28 PM, Dmitry Kornilov
<dmitry.kornilov@xxxxxxxxxx> wrote:
> Do you really think that microservices profile needs all of these? In my
> opinion core profile (if it needs to be at all) should have CDI and Config.
> Nothing else.
>
> — Dmitry
>
> On 18 May 2018, at 19:41, Richard Monson-Haefel <rmonson@xxxxxxxxxxxxx>
> wrote:
>
> As I said, at a minimum I think it needs to be CDI, Interceptors, Servlets,
> Configuration, Annotations, and Security.  There may be other things but
> that is what I'm cognitively starting with.
>
>
>
> _______________________________________________
> jakarta.ee-community mailing list
> jakarta.ee-community@eclipse.org
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/jakarta.ee-community
>