Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jakartaee-platform-dev] Moving MicroProfile JWT toJakartaSecurity?

My comments are inline.


On Mon, Nov 14, 2022 at 6:26 PM Werner Keil <werner.keil@xxxxxxx> wrote:

https://github.com/eclipse-ee4j/jakartaee-api/issues/125#issuecomment-1210611757

For jCA, the other link seems too short.

 

Von: Werner Keil
Gesendet: Montag, 14. November 2022 18:58
An: jakartaee-platform developer discussions
Betreff: Re: [jakartaee-platform-dev] Moving MicroProfile JWT toJakartaSecurity?

 

Emily,

 

>Another argument of not depending on MP Config, at the moment, there is no configuration solution as yet for Jakarta EE. MP Config is the only solution. It is absolutely viable for the spec to >spec the configuration support while the impl can freely choose which configuration they want.

 

As it looks now Jakarta Config will be quite different to MP Config, so throwing that onto users of Jakarta Security only to force them in a subsequent release to rewrite their config and code sounds rather disruptive. The older API dependencies also pose a risk which applications or even implementations may take but on the API level it is somewhat more severe.

Not really, the other spec only needs to clarify which properties should be configured. Maybe just settle on MP Config or use the available configuration specs.

 

> Look at CDI 4 for an instance. It introduced many compatible incompatible changes from CDI 3.0.

You provide a sound argument against consuming MP on an API (and even to a lesser extent implementation) Level because the available MP APIs and implementations are usually outdated while Jakarta EE Features like Security already rely on the next versions. E.g. MP Config and all the rest uses CDI 3.0 and as you said, 4.0 changed quite a bit, so Jakarta Security 3.1 relies on CDI 4 while the available MP Config or JWT is still on CDI 3.x.

 

MP Config 3.0 works with either CDI 3.0 or 4.0. The dependency on CDI is provided. If the runtime pulls in CDI 4.0, it will work with CDI 4.0 while it is happy with CDI 3.0 as well. The same thing holds true for JWT 2.1, which works with either CDI 3.0 or CDI 4.0.
 

Coincidentially Jakarta Security or Authentication may not be consumed by Microprofile Specs yet, but imagine REST or others ended up consuming MicroProfile, then this gets even worse by cyclic dependencies, which I assume is among the most critical Arguments why we did not want to go there in the first place.

As long as specifying the dependencies as provided, the runtime can work out the version. If Jakarta EE pulls in MP specs, maybe the spec should not introduce backward incompatible changes freely. I am sure we can work out the rules. Another possible solution is to include MP specs in the Jakarta EE web or core profile.
Thanks
Emily

One of the reasons why Java 9 and „Jigsaw“ JPMS took especially long was a big dependency mess in Java SE.

I’m not sure, what actions we had on these, but some probably remember the overview Jan gave of jQA, see https://github.com/eclipse-ee4j/jakartaee-api/issues/125.

 

Regards,

Werner

 

Von: Emily Jiang via jakartaee-platform-dev
Gesendet: Montag, 14. November 2022 11:30
An: jakartaee-platform developer discussions
Cc: Emily Jiang
Betreff: Re: [jakartaee-platform-dev] Moving MicroProfile JWT to JakartaSecurity?

 

I will add one more suggestion to the list:

  • Don't reinvent wheels by duplicating the effort. Encourage one or the other to consumer specs from the other.

I see allowing Jakarta EE directly consuming technologies from MP has minimal disruption to the end users. Having duplication in both communities does not bring value to the end users but confusion to them. In addition to that, it is a duplication effort to implement both and maintain them for the runtimes. 

 

It seems that the claim of Jakarta EE not allowing depending on MP was somehow accepted without asking why. I saw the argument of MP allowing backward incompatible changes while Jakarta EE does. That was incorrect. Look at CDI 4 for an instance. It introduced many compatible incompatible changes from CDI 3.0.

 

Another argument of not depending on MP Config, at the moment, there is no configuration solution as yet for Jakarta EE. MP Config is the only solution. It is absolutely viable for the spec to spec the configuration support while the impl can freely choose which configuration they want.

 

I think we had a long conversation without much agreement made. It might be better to have a call to discuss this further, so basically I am +1 on what David suggested to have a meeting to discuss the technical concerns. Anyone else?

 

Thanks

Emily

 

 

 

On Sat, Nov 12, 2022 at 10:46 PM Ondro Mihályi <mihalyi@xxxxxxxxxxx> wrote:

I would also like to understand whether we want MicroProfile and Jakarta EE to collaborate or compete. I hope we all want them to collaborate, it's just not clear to me what some people understand as collaboration.

 

For me:

·         Moving functionality or even whole specs between MicroProfile and Jakarta EE -> collaboration

·         Duplicating functionality -> competition

·         Forcing one or the other to consume specs from the other -> competition

I think the last point above is what is causing all the controversy and disputes in this thread. I believe that collaboration should be voluntary, not enforced. And therefore it's not collaborative to prohibit Jakarta Security to implement support for JWT, if the Security team wants to do so and even planned to do so even before MP JWT existed. And we all know that Jakarta EE cannot depend on MicroProfile specs, for various reasons already discussed elsewhere. It's simply not an option even though it may seem logical.

 

For me, collaborative means that both MP and EE try to find a solution that is suitable for both. I see one such solution, which I already mentioned:

·         JWT support is added to Jakarta Security, ideally with some support and feedback from the MP JWT team

·         Jakarta Security creates a Lite profile (with just JWT, or maybe some other things suitable for MicroProfile)

·         MicroProfile can then replace MP JWT with Jakarta Security Lite to unify the API, but doesn't have to, if EE Security Lite spec isn't (yet) good enough to replace MP JWT. MicroProfile would certainly be consulted before EE Security Lite is added to EE Core Profile.

All steps here are voluntary and don't require that both MicroProfile and Jakarta EE agree on anything. But with this approach, there are also a lot of options how MP and EE can collaborate to improve the final solution for both.

 

Or am I wrong in how I understand collaboration vs. competition?


All the best,

Ondro Mihalyi

 

Director, Jakarta EE expert

OmniFish - Jakarta EE Consulting & Support | www.omnifish.ee

Omnifish OÜ, Narva mnt 5, 10117 Tallinn, Estonia | VAT: EE102487932

 

On Fri, Nov 11, 2022 at 9:22 AM Mark Little <markclittle@xxxxxxxxx> wrote:

Well said, David. I know I feel the same way and before I ask Red Hat engineering to do further work in Jakarta or MicroProfile I want to know whether it's under a collaborative or competitive basis as that will impact where we do such work, if at all.

Sent from my iPhone

> On 10 Nov 2022, at 20:02, David Blevins <dblevins@xxxxxxxxxxxxx> wrote:
>
> 
>> On Nov 10, 2022, at 11:09 AM, Mike Milinkovich <mike.milinkovich@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>> Good points. There are indeed non-technical differentiators between MircoProfile and Jakarta EE. No one would dispute that.
>>
>> But since we are discussing important philosophical points, let us add the fact that the Eclipse Foundation has always and will always permit competing projects, and that extends to specifications as well. We will never endorse the allocation of a market to one coalition of vendors over another set of vendors. So just because MicroProfile has a specification in a particular domain in no way prevents Jakarta EE from creating a similar spec. That work may or may not be based on prior work done at MicroProfile, so "move" doesn't really factor into the discussion.
>>
>> As you point out, there are important non-technical differences between the two. Any one of those could be a good reason why Jakarta EE may wish to have its own specifications which overlap or compete with MicroProfile specs.  In other words, there can be a myriad of reasons why competing specs may occur: business, technical, community, vendor support, etc etc. But "MicroProfile did it first" does not provide it with any sort of veto.
>>
>
> I think these are all very fair points and it's healthy to remind people and have that conversation.
>
> I think it really comes down to if we want to continue to ensure both can live in the same box as many of us have been doing.  If we think that's important, then there are some values we would need to maintain.
>
> If we don't want that and do want them to compete, then it might be better for us to explicitly decide that so everyone is fully aware and can plan accordingly.
>
> Given the status quo has been they co-exist in the same box and don't compete, I'd greatly prefer an explicit decision that they will now compete vs slowly making them compete one spec at a time with no explicit conversation or decision that the two will now compete.
>
> Now, I certainly don't always get what I want, but I find if I do my best to make myself at least understood I tend to feel a lot better about the outcome when things don't go my way.
>
> My $0.02
>
>
> -David
>
> _______________________________________________
> jakartaee-platform-dev mailing list
> jakartaee-platform-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev
_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev



--

Thanks
Emily

 

 

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev


--
Thanks
Emily


Back to the top