[VOTE] Explore creating a reusable JWT Library

classic Classic list List threaded Threaded
57 messages Options
123
Reply | Threaded
Open this post in threaded view
|

[VOTE] Explore creating a reusable JWT Library

David Blevins-2
The vote for merging PR 123 does not address community will on what to do with the code beyond merging it.  One can realistically vote +1 to merge the code, but then desire to see the code cleaned up and moved elsewhere.  One can realistically desire seeing an attempt to clean up the code to find what is reusable and may wish to withhold a final decision until we see how fruitful such a module would be.

Out of respect for people who may not know exactly how they feel (TomEE or Geronimo), this is a vote for the latter.

Vote: Should we attempt to extract code from the JWT PR to see what is reusable and how successful such a jar would be?

 +1 Let's give it a shot here
 +-0
 -1 Let's do this elsewhere

If the vote is +1 to attempt an extraction of reusable code here, final conclusion of if that extraction is worth it or where it should live is not being voted on.  People are welcome to decide differently based on the results of the exercise.


-David

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
Hey David,

How does this vote relates to the geronimo one you launched?

Are they purely concurrent or can they be conditional one for the other?


Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a écrit :

> The vote for merging PR 123 does not address community will on what to do
> with the code beyond merging it.  One can realistically vote +1 to merge
> the code, but then desire to see the code cleaned up and moved elsewhere.
> One can realistically desire seeing an attempt to clean up the code to find
> what is reusable and may wish to withhold a final decision until we see how
> fruitful such a module would be.
>
> Out of respect for people who may not know exactly how they feel (TomEE or
> Geronimo), this is a vote for the latter.
>
> Vote: Should we attempt to extract code from the JWT PR to see what is
> reusable and how successful such a jar would be?
>
>  +1 Let's give it a shot here
>  +-0
>  -1 Let's do this elsewhere
>
> If the vote is +1 to attempt an extraction of reusable code here, final
> conclusion of if that extraction is worth it or where it should live is not
> being voted on.  People are welcome to decide differently based on the
> results of the exercise.
>
>
> -David
>
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

agumbrecht
In reply to this post by David Blevins-2
+1.

I'd like to see the code merged and evolve a little within the the TomEE
context. It's relatively easy to discuss/extract reuse later, but I'd
like to see TomEE move forward first.

The same goes for the config PR from Roberto.

Andy.


On 19/03/18 01:02, David Blevins wrote:

> The vote for merging PR 123 does not address community will on what to do with the code beyond merging it.  One can realistically vote +1 to merge the code, but then desire to see the code cleaned up and moved elsewhere.  One can realistically desire seeing an attempt to clean up the code to find what is reusable and may wish to withhold a final decision until we see how fruitful such a module would be.
>
> Out of respect for people who may not know exactly how they feel (TomEE or Geronimo), this is a vote for the latter.
>
> Vote: Should we attempt to extract code from the JWT PR to see what is reusable and how successful such a jar would be?
>
>   +1 Let's give it a shot here
>   +-0
>   -1 Let's do this elsewhere
>
> If the vote is +1 to attempt an extraction of reusable code here, final conclusion of if that extraction is worth it or where it should live is not being voted on.  People are welcome to decide differently based on the results of the exercise.
>
>
> -David
>
>

--
Andy Gumbrecht
https://twitter.com/AndyGeeDe
http://www.tomitribe.com
https://www.tomitribe.io


Ubique

    --
    Andy Gumbrecht

    http://www.tomitribe.com
    agumbrecht@tomitribe.com
    https://twitter.com/AndyGeeDe

    TomEE treibt Tomitribe ! | http://tomee.apache.org
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

jgallimore
In reply to this post by Romain Manni-Bucau
What's the other vote ("Geronimo one")?

Jon

On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <[hidden email]>
wrote:

> Hey David,
>
> How does this vote relates to the geronimo one you launched?
>
> Are they purely concurrent or can they be conditional one for the other?
>
>
> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a écrit :
>
> > The vote for merging PR 123 does not address community will on what to do
> > with the code beyond merging it.  One can realistically vote +1 to merge
> > the code, but then desire to see the code cleaned up and moved elsewhere.
> > One can realistically desire seeing an attempt to clean up the code to
> find
> > what is reusable and may wish to withhold a final decision until we see
> how
> > fruitful such a module would be.
> >
> > Out of respect for people who may not know exactly how they feel (TomEE
> or
> > Geronimo), this is a vote for the latter.
> >
> > Vote: Should we attempt to extract code from the JWT PR to see what is
> > reusable and how successful such a jar would be?
> >
> >  +1 Let's give it a shot here
> >  +-0
> >  -1 Let's do this elsewhere
> >
> > If the vote is +1 to attempt an extraction of reusable code here, final
> > conclusion of if that extraction is worth it or where it should live is
> not
> > being voted on.  People are welcome to decide differently based on the
> > results of the exercise.
> >
> >
> > -David
> >
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

chongma
does this mean a reusable JWT library external to TomEE, or within the
TomEE project?
i have to agree with previous statements i read that TomEE is a bundle
of libraries and not really the place to locate reusable pluggable
projects.  it is more like the place where you might plug a project in
once it is working

On 19/03/2018 11:39, Jonathan Gallimore wrote:

> What's the other vote ("Geronimo one")?
>
> Jon
>
> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <[hidden email]>
> wrote:
>
>> Hey David,
>>
>> How does this vote relates to the geronimo one you launched?
>>
>> Are they purely concurrent or can they be conditional one for the other?
>>
>>
>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a écrit :
>>
>>> The vote for merging PR 123 does not address community will on what to do
>>> with the code beyond merging it.  One can realistically vote +1 to merge
>>> the code, but then desire to see the code cleaned up and moved elsewhere.
>>> One can realistically desire seeing an attempt to clean up the code to
>> find
>>> what is reusable and may wish to withhold a final decision until we see
>> how
>>> fruitful such a module would be.
>>>
>>> Out of respect for people who may not know exactly how they feel (TomEE
>> or
>>> Geronimo), this is a vote for the latter.
>>>
>>> Vote: Should we attempt to extract code from the JWT PR to see what is
>>> reusable and how successful such a jar would be?
>>>
>>>   +1 Let's give it a shot here
>>>   +-0
>>>   -1 Let's do this elsewhere
>>>
>>> If the vote is +1 to attempt an extraction of reusable code here, final
>>> conclusion of if that extraction is worth it or where it should live is
>> not
>>> being voted on.  People are welcome to decide differently based on the
>>> results of the exercise.
>>>
>>>
>>> -David
>>>
>>>

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Jean-Louis MONTEIRO
What about this vote David?

Roberto's PR for MP-Config integration and mine about MP-JWT are still not
merged.
Most of the JWT code is server independent and therefor could be extracted
into a separate library.

So where the code sits is definitely a question we need to address.
I don't believe the current TomEE repo is a good home.

TomEE as the Apache TLP can on the other hand become an home.
We only need another another repo where we could put some reusable code.

There are a couple of utility classes in TomEE that could also become a
reusable library.
I have prepared and pushed the 2 PRs for Chatterbox and Sheldon donation.

So I would probably propose to create a dedicated git repo where we could
put all the reusable parts.
One benefit I see is that we could make the TomEE codebase a bit lighter.

What do you guys think?



--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
[hidden email]> wrote:

> does this mean a reusable JWT library external to TomEE, or within the
> TomEE project?
> i have to agree with previous statements i read that TomEE is a bundle of
> libraries and not really the place to locate reusable pluggable projects.
> it is more like the place where you might plug a project in once it is
> working
>
>
> On 19/03/2018 11:39, Jonathan Gallimore wrote:
>
>> What's the other vote ("Geronimo one")?
>>
>> Jon
>>
>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
>> [hidden email]>
>> wrote:
>>
>> Hey David,
>>>
>>> How does this vote relates to the geronimo one you launched?
>>>
>>> Are they purely concurrent or can they be conditional one for the other?
>>>
>>>
>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
>>> écrit :
>>>
>>> The vote for merging PR 123 does not address community will on what to do
>>>> with the code beyond merging it.  One can realistically vote +1 to merge
>>>> the code, but then desire to see the code cleaned up and moved
>>>> elsewhere.
>>>> One can realistically desire seeing an attempt to clean up the code to
>>>>
>>> find
>>>
>>>> what is reusable and may wish to withhold a final decision until we see
>>>>
>>> how
>>>
>>>> fruitful such a module would be.
>>>>
>>>> Out of respect for people who may not know exactly how they feel (TomEE
>>>>
>>> or
>>>
>>>> Geronimo), this is a vote for the latter.
>>>>
>>>> Vote: Should we attempt to extract code from the JWT PR to see what is
>>>> reusable and how successful such a jar would be?
>>>>
>>>>   +1 Let's give it a shot here
>>>>   +-0
>>>>   -1 Let's do this elsewhere
>>>>
>>>> If the vote is +1 to attempt an extraction of reusable code here, final
>>>> conclusion of if that extraction is worth it or where it should live is
>>>>
>>> not
>>>
>>>> being voted on.  People are welcome to decide differently based on the
>>>> results of the exercise.
>>>>
>>>>
>>>> -David
>>>>
>>>>
>>>>
>
   --
    Jean-Louis Monteiro
    http://twitter.com/jlouismonteiro
    http://www.tomitribe.com
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

jgallimore
If it can sit in its own repository, and that improves re-usability, that
sounds like a good thing to me. I'd be happy with that under the TomEE TLP.
I am sure some folks will prefer to see it under Geronimo. I am a TomEE
committer, I am not yet a Geronimo committer (maybe someday....) so I would
lean towards TomEE. Wherever it sits, it needs to be possible to work on it
without being blocked.

Jon

On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
[hidden email]> wrote:

> What about this vote David?
>
> Roberto's PR for MP-Config integration and mine about MP-JWT are still not
> merged.
> Most of the JWT code is server independent and therefor could be extracted
> into a separate library.
>
> So where the code sits is definitely a question we need to address.
> I don't believe the current TomEE repo is a good home.
>
> TomEE as the Apache TLP can on the other hand become an home.
> We only need another another repo where we could put some reusable code.
>
> There are a couple of utility classes in TomEE that could also become a
> reusable library.
> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon donation.
>
> So I would probably propose to create a dedicated git repo where we could
> put all the reusable parts.
> One benefit I see is that we could make the TomEE codebase a bit lighter.
>
> What do you guys think?
>
>
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
> [hidden email]> wrote:
>
> > does this mean a reusable JWT library external to TomEE, or within the
> > TomEE project?
> > i have to agree with previous statements i read that TomEE is a bundle of
> > libraries and not really the place to locate reusable pluggable projects.
> > it is more like the place where you might plug a project in once it is
> > working
> >
> >
> > On 19/03/2018 11:39, Jonathan Gallimore wrote:
> >
> >> What's the other vote ("Geronimo one")?
> >>
> >> Jon
> >>
> >> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
> >> [hidden email]>
> >> wrote:
> >>
> >> Hey David,
> >>>
> >>> How does this vote relates to the geronimo one you launched?
> >>>
> >>> Are they purely concurrent or can they be conditional one for the
> other?
> >>>
> >>>
> >>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
> >>> écrit :
> >>>
> >>> The vote for merging PR 123 does not address community will on what to
> do
> >>>> with the code beyond merging it.  One can realistically vote +1 to
> merge
> >>>> the code, but then desire to see the code cleaned up and moved
> >>>> elsewhere.
> >>>> One can realistically desire seeing an attempt to clean up the code to
> >>>>
> >>> find
> >>>
> >>>> what is reusable and may wish to withhold a final decision until we
> see
> >>>>
> >>> how
> >>>
> >>>> fruitful such a module would be.
> >>>>
> >>>> Out of respect for people who may not know exactly how they feel
> (TomEE
> >>>>
> >>> or
> >>>
> >>>> Geronimo), this is a vote for the latter.
> >>>>
> >>>> Vote: Should we attempt to extract code from the JWT PR to see what is
> >>>> reusable and how successful such a jar would be?
> >>>>
> >>>>   +1 Let's give it a shot here
> >>>>   +-0
> >>>>   -1 Let's do this elsewhere
> >>>>
> >>>> If the vote is +1 to attempt an extraction of reusable code here,
> final
> >>>> conclusion of if that extraction is worth it or where it should live
> is
> >>>>
> >>> not
> >>>
> >>>> being voted on.  People are welcome to decide differently based on the
> >>>> results of the exercise.
> >>>>
> >>>>
> >>>> -David
> >>>>
> >>>>
> >>>>
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
Roberto PR *is* merged JL.
He did the work to be able to consume any CDI "container" lib.

So I'd just extract the code as we discussed together in G before that mess
and move forward to keep TCK and add the lib in the MP distro Roberto
created to fit that design.

As soon as you imported the lib in G, I will make sure to help to make it
releasable.

As the ee concurrency utilities dev I can guarantee you it is wrong to put
it in TomEE :( - mea culpa here.

I can understand the "i cant commit" but you can PR and several of these
objections are coming from people willing RTC which leads to the same
blocking state so not sure I get the rational to break projects here and
make them messy which would deserve asf IMHO.

Le 27 mars 2018 23:37, "Jonathan Gallimore" <[hidden email]>
a écrit :

> If it can sit in its own repository, and that improves re-usability, that
> sounds like a good thing to me. I'd be happy with that under the TomEE TLP.
> I am sure some folks will prefer to see it under Geronimo. I am a TomEE
> committer, I am not yet a Geronimo committer (maybe someday....) so I would
> lean towards TomEE. Wherever it sits, it needs to be possible to work on it
> without being blocked.
>
> Jon
>
> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
> [hidden email]> wrote:
>
> > What about this vote David?
> >
> > Roberto's PR for MP-Config integration and mine about MP-JWT are still
> not
> > merged.
> > Most of the JWT code is server independent and therefor could be
> extracted
> > into a separate library.
> >
> > So where the code sits is definitely a question we need to address.
> > I don't believe the current TomEE repo is a good home.
> >
> > TomEE as the Apache TLP can on the other hand become an home.
> > We only need another another repo where we could put some reusable code.
> >
> > There are a couple of utility classes in TomEE that could also become a
> > reusable library.
> > I have prepared and pushed the 2 PRs for Chatterbox and Sheldon donation.
> >
> > So I would probably propose to create a dedicated git repo where we could
> > put all the reusable parts.
> > One benefit I see is that we could make the TomEE codebase a bit lighter.
> >
> > What do you guys think?
> >
> >
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> > On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
> > [hidden email]> wrote:
> >
> > > does this mean a reusable JWT library external to TomEE, or within the
> > > TomEE project?
> > > i have to agree with previous statements i read that TomEE is a bundle
> of
> > > libraries and not really the place to locate reusable pluggable
> projects.
> > > it is more like the place where you might plug a project in once it is
> > > working
> > >
> > >
> > > On 19/03/2018 11:39, Jonathan Gallimore wrote:
> > >
> > >> What's the other vote ("Geronimo one")?
> > >>
> > >> Jon
> > >>
> > >> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
> > >> [hidden email]>
> > >> wrote:
> > >>
> > >> Hey David,
> > >>>
> > >>> How does this vote relates to the geronimo one you launched?
> > >>>
> > >>> Are they purely concurrent or can they be conditional one for the
> > other?
> > >>>
> > >>>
> > >>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
> > >>> écrit :
> > >>>
> > >>> The vote for merging PR 123 does not address community will on what
> to
> > do
> > >>>> with the code beyond merging it.  One can realistically vote +1 to
> > merge
> > >>>> the code, but then desire to see the code cleaned up and moved
> > >>>> elsewhere.
> > >>>> One can realistically desire seeing an attempt to clean up the code
> to
> > >>>>
> > >>> find
> > >>>
> > >>>> what is reusable and may wish to withhold a final decision until we
> > see
> > >>>>
> > >>> how
> > >>>
> > >>>> fruitful such a module would be.
> > >>>>
> > >>>> Out of respect for people who may not know exactly how they feel
> > (TomEE
> > >>>>
> > >>> or
> > >>>
> > >>>> Geronimo), this is a vote for the latter.
> > >>>>
> > >>>> Vote: Should we attempt to extract code from the JWT PR to see what
> is
> > >>>> reusable and how successful such a jar would be?
> > >>>>
> > >>>>   +1 Let's give it a shot here
> > >>>>   +-0
> > >>>>   -1 Let's do this elsewhere
> > >>>>
> > >>>> If the vote is +1 to attempt an extraction of reusable code here,
> > final
> > >>>> conclusion of if that extraction is worth it or where it should live
> > is
> > >>>>
> > >>> not
> > >>>
> > >>>> being voted on.  People are welcome to decide differently based on
> the
> > >>>> results of the exercise.
> > >>>>
> > >>>>
> > >>>> -David
> > >>>>
> > >>>>
> > >>>>
> > >
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

chongma
is this about JSON web tokens or some other JWT?
is this JWT library similar to something like the keycloak tomcat
adapter?
http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/tomcat-adapter.html
if so is there a specification on this and do different IDPs handle this
differently.  i.e. if TomEE had a JWT adapter would it no longer need
the keycloak adapter?
for instance the keycloak includes structures like UserRepresentation,
RoleRepresentation, CredentialRepresentation. would this be handled in a
new JWT lib?

On 28/03/2018 07:13, Romain Manni-Bucau wrote:

> Roberto PR *is* merged JL.
> He did the work to be able to consume any CDI "container" lib.
>
> So I'd just extract the code as we discussed together in G before that mess
> and move forward to keep TCK and add the lib in the MP distro Roberto
> created to fit that design.
>
> As soon as you imported the lib in G, I will make sure to help to make it
> releasable.
>
> As the ee concurrency utilities dev I can guarantee you it is wrong to put
> it in TomEE :( - mea culpa here.
>
> I can understand the "i cant commit" but you can PR and several of these
> objections are coming from people willing RTC which leads to the same
> blocking state so not sure I get the rational to break projects here and
> make them messy which would deserve asf IMHO.
>
> Le 27 mars 2018 23:37, "Jonathan Gallimore" <[hidden email]>
> a écrit :
>
>> If it can sit in its own repository, and that improves re-usability, that
>> sounds like a good thing to me. I'd be happy with that under the TomEE TLP.
>> I am sure some folks will prefer to see it under Geronimo. I am a TomEE
>> committer, I am not yet a Geronimo committer (maybe someday....) so I would
>> lean towards TomEE. Wherever it sits, it needs to be possible to work on it
>> without being blocked.
>>
>> Jon
>>
>> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
>> [hidden email]> wrote:
>>
>>> What about this vote David?
>>>
>>> Roberto's PR for MP-Config integration and mine about MP-JWT are still
>> not
>>> merged.
>>> Most of the JWT code is server independent and therefor could be
>> extracted
>>> into a separate library.
>>>
>>> So where the code sits is definitely a question we need to address.
>>> I don't believe the current TomEE repo is a good home.
>>>
>>> TomEE as the Apache TLP can on the other hand become an home.
>>> We only need another another repo where we could put some reusable code.
>>>
>>> There are a couple of utility classes in TomEE that could also become a
>>> reusable library.
>>> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon donation.
>>>
>>> So I would probably propose to create a dedicated git repo where we could
>>> put all the reusable parts.
>>> One benefit I see is that we could make the TomEE codebase a bit lighter.
>>>
>>> What do you guys think?
>>>
>>>
>>>
>>> --
>>> Jean-Louis Monteiro
>>> http://twitter.com/jlouismonteiro
>>> http://www.tomitribe.com
>>>
>>> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
>>> [hidden email]> wrote:
>>>
>>>> does this mean a reusable JWT library external to TomEE, or within the
>>>> TomEE project?
>>>> i have to agree with previous statements i read that TomEE is a bundle
>> of
>>>> libraries and not really the place to locate reusable pluggable
>> projects.
>>>> it is more like the place where you might plug a project in once it is
>>>> working
>>>>
>>>>
>>>> On 19/03/2018 11:39, Jonathan Gallimore wrote:
>>>>
>>>>> What's the other vote ("Geronimo one")?
>>>>>
>>>>> Jon
>>>>>
>>>>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
>>>>> [hidden email]>
>>>>> wrote:
>>>>>
>>>>> Hey David,
>>>>>> How does this vote relates to the geronimo one you launched?
>>>>>>
>>>>>> Are they purely concurrent or can they be conditional one for the
>>> other?
>>>>>>
>>>>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
>>>>>> écrit :
>>>>>>
>>>>>> The vote for merging PR 123 does not address community will on what
>> to
>>> do
>>>>>>> with the code beyond merging it.  One can realistically vote +1 to
>>> merge
>>>>>>> the code, but then desire to see the code cleaned up and moved
>>>>>>> elsewhere.
>>>>>>> One can realistically desire seeing an attempt to clean up the code
>> to
>>>>>> find
>>>>>>
>>>>>>> what is reusable and may wish to withhold a final decision until we
>>> see
>>>>>> how
>>>>>>
>>>>>>> fruitful such a module would be.
>>>>>>>
>>>>>>> Out of respect for people who may not know exactly how they feel
>>> (TomEE
>>>>>> or
>>>>>>
>>>>>>> Geronimo), this is a vote for the latter.
>>>>>>>
>>>>>>> Vote: Should we attempt to extract code from the JWT PR to see what
>> is
>>>>>>> reusable and how successful such a jar would be?
>>>>>>>
>>>>>>>    +1 Let's give it a shot here
>>>>>>>    +-0
>>>>>>>    -1 Let's do this elsewhere
>>>>>>>
>>>>>>> If the vote is +1 to attempt an extraction of reusable code here,
>>> final
>>>>>>> conclusion of if that extraction is worth it or where it should live
>>> is
>>>>>> not
>>>>>>
>>>>>>> being voted on.  People are welcome to decide differently based on
>> the
>>>>>>> results of the exercise.
>>>>>>>
>>>>>>>
>>>>>>> -David
>>>>>>>
>>>>>>>
>>>>>>>

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
Hi Matthew,

it is an impl of https://github.com/eclipse/microprofile-jwt-auth

Normally with a JWT you can drop these things as well - can need some
wrapper to handle the representation in a less raw way but nothing crazy.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>

2018-03-28 10:10 GMT+02:00 Matthew Broadhead <[hidden email]
>:

> is this about JSON web tokens or some other JWT?
> is this JWT library similar to something like the keycloak tomcat adapter?
> http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/j
> ava/tomcat-adapter.html
> if so is there a specification on this and do different IDPs handle this
> differently.  i.e. if TomEE had a JWT adapter would it no longer need the
> keycloak adapter?
> for instance the keycloak includes structures like UserRepresentation,
> RoleRepresentation, CredentialRepresentation. would this be handled in a
> new JWT lib?
>
>
> On 28/03/2018 07:13, Romain Manni-Bucau wrote:
>
>> Roberto PR *is* merged JL.
>> He did the work to be able to consume any CDI "container" lib.
>>
>> So I'd just extract the code as we discussed together in G before that
>> mess
>> and move forward to keep TCK and add the lib in the MP distro Roberto
>> created to fit that design.
>>
>> As soon as you imported the lib in G, I will make sure to help to make it
>> releasable.
>>
>> As the ee concurrency utilities dev I can guarantee you it is wrong to put
>> it in TomEE :( - mea culpa here.
>>
>> I can understand the "i cant commit" but you can PR and several of these
>> objections are coming from people willing RTC which leads to the same
>> blocking state so not sure I get the rational to break projects here and
>> make them messy which would deserve asf IMHO.
>>
>> Le 27 mars 2018 23:37, "Jonathan Gallimore" <[hidden email]
>> >
>> a écrit :
>>
>> If it can sit in its own repository, and that improves re-usability, that
>>> sounds like a good thing to me. I'd be happy with that under the TomEE
>>> TLP.
>>> I am sure some folks will prefer to see it under Geronimo. I am a TomEE
>>> committer, I am not yet a Geronimo committer (maybe someday....) so I
>>> would
>>> lean towards TomEE. Wherever it sits, it needs to be possible to work on
>>> it
>>> without being blocked.
>>>
>>> Jon
>>>
>>> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
>>> [hidden email]> wrote:
>>>
>>> What about this vote David?
>>>>
>>>> Roberto's PR for MP-Config integration and mine about MP-JWT are still
>>>>
>>> not
>>>
>>>> merged.
>>>> Most of the JWT code is server independent and therefor could be
>>>>
>>> extracted
>>>
>>>> into a separate library.
>>>>
>>>> So where the code sits is definitely a question we need to address.
>>>> I don't believe the current TomEE repo is a good home.
>>>>
>>>> TomEE as the Apache TLP can on the other hand become an home.
>>>> We only need another another repo where we could put some reusable code.
>>>>
>>>> There are a couple of utility classes in TomEE that could also become a
>>>> reusable library.
>>>> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon
>>>> donation.
>>>>
>>>> So I would probably propose to create a dedicated git repo where we
>>>> could
>>>> put all the reusable parts.
>>>> One benefit I see is that we could make the TomEE codebase a bit
>>>> lighter.
>>>>
>>>> What do you guys think?
>>>>
>>>>
>>>>
>>>> --
>>>> Jean-Louis Monteiro
>>>> http://twitter.com/jlouismonteiro
>>>> http://www.tomitribe.com
>>>>
>>>> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
>>>> [hidden email]> wrote:
>>>>
>>>> does this mean a reusable JWT library external to TomEE, or within the
>>>>> TomEE project?
>>>>> i have to agree with previous statements i read that TomEE is a bundle
>>>>>
>>>> of
>>>
>>>> libraries and not really the place to locate reusable pluggable
>>>>>
>>>> projects.
>>>
>>>> it is more like the place where you might plug a project in once it is
>>>>> working
>>>>>
>>>>>
>>>>> On 19/03/2018 11:39, Jonathan Gallimore wrote:
>>>>>
>>>>> What's the other vote ("Geronimo one")?
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
>>>>>> [hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>> Hey David,
>>>>>>
>>>>>>> How does this vote relates to the geronimo one you launched?
>>>>>>>
>>>>>>> Are they purely concurrent or can they be conditional one for the
>>>>>>>
>>>>>> other?
>>>>
>>>>>
>>>>>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
>>>>>>> écrit :
>>>>>>>
>>>>>>> The vote for merging PR 123 does not address community will on what
>>>>>>>
>>>>>> to
>>>
>>>> do
>>>>
>>>>> with the code beyond merging it.  One can realistically vote +1 to
>>>>>>>>
>>>>>>> merge
>>>>
>>>>> the code, but then desire to see the code cleaned up and moved
>>>>>>>> elsewhere.
>>>>>>>> One can realistically desire seeing an attempt to clean up the code
>>>>>>>>
>>>>>>> to
>>>
>>>> find
>>>>>>>
>>>>>>> what is reusable and may wish to withhold a final decision until we
>>>>>>>>
>>>>>>> see
>>>>
>>>>> how
>>>>>>>
>>>>>>> fruitful such a module would be.
>>>>>>>>
>>>>>>>> Out of respect for people who may not know exactly how they feel
>>>>>>>>
>>>>>>> (TomEE
>>>>
>>>>> or
>>>>>>>
>>>>>>> Geronimo), this is a vote for the latter.
>>>>>>>>
>>>>>>>> Vote: Should we attempt to extract code from the JWT PR to see what
>>>>>>>>
>>>>>>> is
>>>
>>>> reusable and how successful such a jar would be?
>>>>>>>>
>>>>>>>>    +1 Let's give it a shot here
>>>>>>>>    +-0
>>>>>>>>    -1 Let's do this elsewhere
>>>>>>>>
>>>>>>>> If the vote is +1 to attempt an extraction of reusable code here,
>>>>>>>>
>>>>>>> final
>>>>
>>>>> conclusion of if that extraction is worth it or where it should live
>>>>>>>>
>>>>>>> is
>>>>
>>>>> not
>>>>>>>
>>>>>>> being voted on.  People are welcome to decide differently based on
>>>>>>>>
>>>>>>> the
>>>
>>>> results of the exercise.
>>>>>>>>
>>>>>>>>
>>>>>>>> -David
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

jgallimore
In reply to this post by Romain Manni-Bucau
On Wed, Mar 28, 2018 at 6:13 AM, Romain Manni-Bucau <[hidden email]>
wrote:

> Roberto PR *is* merged JL.
> He did the work to be able to consume any CDI "container" lib.
>
> So I'd just extract the code as we discussed together in G before that mess
> and move forward to keep TCK and add the lib in the MP distro Roberto
> created to fit that design.
>
> As soon as you imported the lib in G, I will make sure to help to make it
> releasable.
>

What does that mean? What are the changes you're proposing, and why can't
Jean-Louis do them?

Jon
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
2018-03-28 10:17 GMT+02:00 Jonathan Gallimore <[hidden email]>
:

> On Wed, Mar 28, 2018 at 6:13 AM, Romain Manni-Bucau <[hidden email]
> >
> wrote:
>
> > Roberto PR *is* merged JL.
> > He did the work to be able to consume any CDI "container" lib.
> >
> > So I'd just extract the code as we discussed together in G before that
> mess
> > and move forward to keep TCK and add the lib in the MP distro Roberto
> > created to fit that design.
> >
> > As soon as you imported the lib in G, I will make sure to help to make it
> > releasable.
> >
>
> What does that mean? What are the changes you're proposing, and why can't
> Jean-Louis do them?
>

Just move the "main" code to the repo created @G and import the new lib in
tomee MP as Roberto did for config. Nothing blocking JL to do them at all.


>
> Jon
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

chongma
In reply to this post by Romain Manni-Bucau
would it allow configuration of an oauth endpoint in TomEE and then
defining security-constraint in the web.xml of a webapp?  seems like a
good plan if it drops the need for 3rd party libs

On 28/03/2018 10:15, Romain Manni-Bucau wrote:

> Hi Matthew,
>
> it is an impl of https://github.com/eclipse/microprofile-jwt-auth
>
> Normally with a JWT you can drop these things as well - can need some
> wrapper to handle the representation in a less raw way but nothing crazy.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
> 2018-03-28 10:10 GMT+02:00 Matthew Broadhead <[hidden email]
>> :
>> is this about JSON web tokens or some other JWT?
>> is this JWT library similar to something like the keycloak tomcat adapter?
>> http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/j
>> ava/tomcat-adapter.html
>> if so is there a specification on this and do different IDPs handle this
>> differently.  i.e. if TomEE had a JWT adapter would it no longer need the
>> keycloak adapter?
>> for instance the keycloak includes structures like UserRepresentation,
>> RoleRepresentation, CredentialRepresentation. would this be handled in a
>> new JWT lib?
>>
>>
>> On 28/03/2018 07:13, Romain Manni-Bucau wrote:
>>
>>> Roberto PR *is* merged JL.
>>> He did the work to be able to consume any CDI "container" lib.
>>>
>>> So I'd just extract the code as we discussed together in G before that
>>> mess
>>> and move forward to keep TCK and add the lib in the MP distro Roberto
>>> created to fit that design.
>>>
>>> As soon as you imported the lib in G, I will make sure to help to make it
>>> releasable.
>>>
>>> As the ee concurrency utilities dev I can guarantee you it is wrong to put
>>> it in TomEE :( - mea culpa here.
>>>
>>> I can understand the "i cant commit" but you can PR and several of these
>>> objections are coming from people willing RTC which leads to the same
>>> blocking state so not sure I get the rational to break projects here and
>>> make them messy which would deserve asf IMHO.
>>>
>>> Le 27 mars 2018 23:37, "Jonathan Gallimore" <[hidden email]
>>> a écrit :
>>>
>>> If it can sit in its own repository, and that improves re-usability, that
>>>> sounds like a good thing to me. I'd be happy with that under the TomEE
>>>> TLP.
>>>> I am sure some folks will prefer to see it under Geronimo. I am a TomEE
>>>> committer, I am not yet a Geronimo committer (maybe someday....) so I
>>>> would
>>>> lean towards TomEE. Wherever it sits, it needs to be possible to work on
>>>> it
>>>> without being blocked.
>>>>
>>>> Jon
>>>>
>>>> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
>>>> [hidden email]> wrote:
>>>>
>>>> What about this vote David?
>>>>> Roberto's PR for MP-Config integration and mine about MP-JWT are still
>>>>>
>>>> not
>>>>
>>>>> merged.
>>>>> Most of the JWT code is server independent and therefor could be
>>>>>
>>>> extracted
>>>>
>>>>> into a separate library.
>>>>>
>>>>> So where the code sits is definitely a question we need to address.
>>>>> I don't believe the current TomEE repo is a good home.
>>>>>
>>>>> TomEE as the Apache TLP can on the other hand become an home.
>>>>> We only need another another repo where we could put some reusable code.
>>>>>
>>>>> There are a couple of utility classes in TomEE that could also become a
>>>>> reusable library.
>>>>> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon
>>>>> donation.
>>>>>
>>>>> So I would probably propose to create a dedicated git repo where we
>>>>> could
>>>>> put all the reusable parts.
>>>>> One benefit I see is that we could make the TomEE codebase a bit
>>>>> lighter.
>>>>>
>>>>> What do you guys think?
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jean-Louis Monteiro
>>>>> http://twitter.com/jlouismonteiro
>>>>> http://www.tomitribe.com
>>>>>
>>>>> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
>>>>> [hidden email]> wrote:
>>>>>
>>>>> does this mean a reusable JWT library external to TomEE, or within the
>>>>>> TomEE project?
>>>>>> i have to agree with previous statements i read that TomEE is a bundle
>>>>>>
>>>>> of
>>>>> libraries and not really the place to locate reusable pluggable
>>>>> projects.
>>>>> it is more like the place where you might plug a project in once it is
>>>>>> working
>>>>>>
>>>>>>
>>>>>> On 19/03/2018 11:39, Jonathan Gallimore wrote:
>>>>>>
>>>>>> What's the other vote ("Geronimo one")?
>>>>>>> Jon
>>>>>>>
>>>>>>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
>>>>>>> [hidden email]>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hey David,
>>>>>>>
>>>>>>>> How does this vote relates to the geronimo one you launched?
>>>>>>>>
>>>>>>>> Are they purely concurrent or can they be conditional one for the
>>>>>>>>
>>>>>>> other?
>>>>>>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
>>>>>>>> écrit :
>>>>>>>>
>>>>>>>> The vote for merging PR 123 does not address community will on what
>>>>>>>>
>>>>>>> to
>>>>> do
>>>>>
>>>>>> with the code beyond merging it.  One can realistically vote +1 to
>>>>>>>> merge
>>>>>> the code, but then desire to see the code cleaned up and moved
>>>>>>>>> elsewhere.
>>>>>>>>> One can realistically desire seeing an attempt to clean up the code
>>>>>>>>>
>>>>>>>> to
>>>>> find
>>>>>>>> what is reusable and may wish to withhold a final decision until we
>>>>>>>> see
>>>>>> how
>>>>>>>> fruitful such a module would be.
>>>>>>>>> Out of respect for people who may not know exactly how they feel
>>>>>>>>>
>>>>>>>> (TomEE
>>>>>> or
>>>>>>>> Geronimo), this is a vote for the latter.
>>>>>>>>> Vote: Should we attempt to extract code from the JWT PR to see what
>>>>>>>>>
>>>>>>>> is
>>>>> reusable and how successful such a jar would be?
>>>>>>>>>     +1 Let's give it a shot here
>>>>>>>>>     +-0
>>>>>>>>>     -1 Let's do this elsewhere
>>>>>>>>>
>>>>>>>>> If the vote is +1 to attempt an extraction of reusable code here,
>>>>>>>>>
>>>>>>>> final
>>>>>> conclusion of if that extraction is worth it or where it should live
>>>>>>>> is
>>>>>> not
>>>>>>>> being voted on.  People are welcome to decide differently based on
>>>>>>>> the
>>>>> results of the exercise.
>>>>>>>>>
>>>>>>>>> -David
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

jgallimore
In reply to this post by Romain Manni-Bucau
I don't think you have answered my question. You specifically said: "I will
make sure to help to make it releasable." If this code is moved to a blank
repository, irrespective of what is the TLP for that repo, what actions
were you going to take to "make it releasable"?

Jon

On Wed, Mar 28, 2018 at 9:21 AM, Romain Manni-Bucau <[hidden email]>
wrote:

> 2018-03-28 10:17 GMT+02:00 Jonathan Gallimore <
> [hidden email]>
> :
>
> > On Wed, Mar 28, 2018 at 6:13 AM, Romain Manni-Bucau <
> [hidden email]
> > >
> > wrote:
> >
> > > Roberto PR *is* merged JL.
> > > He did the work to be able to consume any CDI "container" lib.
> > >
> > > So I'd just extract the code as we discussed together in G before that
> > mess
> > > and move forward to keep TCK and add the lib in the MP distro Roberto
> > > created to fit that design.
> > >
> > > As soon as you imported the lib in G, I will make sure to help to make
> it
> > > releasable.
> > >
> >
> > What does that mean? What are the changes you're proposing, and why can't
> > Jean-Louis do them?
> >
>
> Just move the "main" code to the repo created @G and import the new lib in
> tomee MP as Roberto did for config. Nothing blocking JL to do them at all.
>
>
> >
> > Jon
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
In reply to this post by chongma
2018-03-28 10:22 GMT+02:00 Matthew Broadhead <[hidden email]
>:

> would it allow configuration of an oauth endpoint in TomEE and then
> defining security-constraint in the web.xml of a webapp?  seems like a good
> plan if it drops the need for 3rd party libs


It is a "client" lib and in web.xml you can put "MP-JWT" to ensure the JWT
are validated and propagated to the request. (= validation side, not
emittion)


>
>
> On 28/03/2018 10:15, Romain Manni-Bucau wrote:
>
>> Hi Matthew,
>>
>> it is an impl of https://github.com/eclipse/microprofile-jwt-auth
>>
>> Normally with a JWT you can drop these things as well - can need some
>> wrapper to handle the representation in a less raw way but nothing crazy.
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <https://rmannibucau.metawerx.net/> | Old Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>> <https://www.packtpub.com/application-development/java-ee-8-
>> high-performance>
>>
>>
>> 2018-03-28 10:10 GMT+02:00 Matthew Broadhead <
>> [hidden email]
>>
>>> :
>>> is this about JSON web tokens or some other JWT?
>>> is this JWT library similar to something like the keycloak tomcat
>>> adapter?
>>> http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/j
>>> ava/tomcat-adapter.html
>>> if so is there a specification on this and do different IDPs handle this
>>> differently.  i.e. if TomEE had a JWT adapter would it no longer need the
>>> keycloak adapter?
>>> for instance the keycloak includes structures like UserRepresentation,
>>> RoleRepresentation, CredentialRepresentation. would this be handled in a
>>> new JWT lib?
>>>
>>>
>>> On 28/03/2018 07:13, Romain Manni-Bucau wrote:
>>>
>>> Roberto PR *is* merged JL.
>>>> He did the work to be able to consume any CDI "container" lib.
>>>>
>>>> So I'd just extract the code as we discussed together in G before that
>>>> mess
>>>> and move forward to keep TCK and add the lib in the MP distro Roberto
>>>> created to fit that design.
>>>>
>>>> As soon as you imported the lib in G, I will make sure to help to make
>>>> it
>>>> releasable.
>>>>
>>>> As the ee concurrency utilities dev I can guarantee you it is wrong to
>>>> put
>>>> it in TomEE :( - mea culpa here.
>>>>
>>>> I can understand the "i cant commit" but you can PR and several of these
>>>> objections are coming from people willing RTC which leads to the same
>>>> blocking state so not sure I get the rational to break projects here and
>>>> make them messy which would deserve asf IMHO.
>>>>
>>>> Le 27 mars 2018 23:37, "Jonathan Gallimore" <
>>>> [hidden email]
>>>> a écrit :
>>>>
>>>> If it can sit in its own repository, and that improves re-usability,
>>>> that
>>>>
>>>>> sounds like a good thing to me. I'd be happy with that under the TomEE
>>>>> TLP.
>>>>> I am sure some folks will prefer to see it under Geronimo. I am a TomEE
>>>>> committer, I am not yet a Geronimo committer (maybe someday....) so I
>>>>> would
>>>>> lean towards TomEE. Wherever it sits, it needs to be possible to work
>>>>> on
>>>>> it
>>>>> without being blocked.
>>>>>
>>>>> Jon
>>>>>
>>>>> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
>>>>> [hidden email]> wrote:
>>>>>
>>>>> What about this vote David?
>>>>>
>>>>>> Roberto's PR for MP-Config integration and mine about MP-JWT are still
>>>>>>
>>>>>> not
>>>>>
>>>>> merged.
>>>>>> Most of the JWT code is server independent and therefor could be
>>>>>>
>>>>>> extracted
>>>>>
>>>>> into a separate library.
>>>>>>
>>>>>> So where the code sits is definitely a question we need to address.
>>>>>> I don't believe the current TomEE repo is a good home.
>>>>>>
>>>>>> TomEE as the Apache TLP can on the other hand become an home.
>>>>>> We only need another another repo where we could put some reusable
>>>>>> code.
>>>>>>
>>>>>> There are a couple of utility classes in TomEE that could also become
>>>>>> a
>>>>>> reusable library.
>>>>>> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon
>>>>>> donation.
>>>>>>
>>>>>> So I would probably propose to create a dedicated git repo where we
>>>>>> could
>>>>>> put all the reusable parts.
>>>>>> One benefit I see is that we could make the TomEE codebase a bit
>>>>>> lighter.
>>>>>>
>>>>>> What do you guys think?
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jean-Louis Monteiro
>>>>>> http://twitter.com/jlouismonteiro
>>>>>> http://www.tomitribe.com
>>>>>>
>>>>>> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
>>>>>> [hidden email]> wrote:
>>>>>>
>>>>>> does this mean a reusable JWT library external to TomEE, or within the
>>>>>>
>>>>>>> TomEE project?
>>>>>>> i have to agree with previous statements i read that TomEE is a
>>>>>>> bundle
>>>>>>>
>>>>>>> of
>>>>>> libraries and not really the place to locate reusable pluggable
>>>>>> projects.
>>>>>> it is more like the place where you might plug a project in once it is
>>>>>>
>>>>>>> working
>>>>>>>
>>>>>>>
>>>>>>> On 19/03/2018 11:39, Jonathan Gallimore wrote:
>>>>>>>
>>>>>>> What's the other vote ("Geronimo one")?
>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
>>>>>>>> [hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hey David,
>>>>>>>>
>>>>>>>> How does this vote relates to the geronimo one you launched?
>>>>>>>>>
>>>>>>>>> Are they purely concurrent or can they be conditional one for the
>>>>>>>>>
>>>>>>>>> other?
>>>>>>>>
>>>>>>>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
>>>>>>>>> écrit :
>>>>>>>>>
>>>>>>>>> The vote for merging PR 123 does not address community will on what
>>>>>>>>>
>>>>>>>>> to
>>>>>>>>
>>>>>>> do
>>>>>>
>>>>>> with the code beyond merging it.  One can realistically vote +1 to
>>>>>>>
>>>>>>>> merge
>>>>>>>>>
>>>>>>>> the code, but then desire to see the code cleaned up and moved
>>>>>>>
>>>>>>>> elsewhere.
>>>>>>>>>> One can realistically desire seeing an attempt to clean up the
>>>>>>>>>> code
>>>>>>>>>>
>>>>>>>>>> to
>>>>>>>>>
>>>>>>>> find
>>>>>>
>>>>>>> what is reusable and may wish to withhold a final decision until we
>>>>>>>>> see
>>>>>>>>>
>>>>>>>> how
>>>>>>>
>>>>>>>> fruitful such a module would be.
>>>>>>>>>
>>>>>>>>>> Out of respect for people who may not know exactly how they feel
>>>>>>>>>>
>>>>>>>>>> (TomEE
>>>>>>>>>
>>>>>>>> or
>>>>>>>
>>>>>>>> Geronimo), this is a vote for the latter.
>>>>>>>>>
>>>>>>>>>> Vote: Should we attempt to extract code from the JWT PR to see
>>>>>>>>>> what
>>>>>>>>>>
>>>>>>>>>> is
>>>>>>>>>
>>>>>>>> reusable and how successful such a jar would be?
>>>>>>
>>>>>>>     +1 Let's give it a shot here
>>>>>>>>>>     +-0
>>>>>>>>>>     -1 Let's do this elsewhere
>>>>>>>>>>
>>>>>>>>>> If the vote is +1 to attempt an extraction of reusable code here,
>>>>>>>>>>
>>>>>>>>>> final
>>>>>>>>>
>>>>>>>> conclusion of if that extraction is worth it or where it should live
>>>>>>>
>>>>>>>> is
>>>>>>>>>
>>>>>>>> not
>>>>>>>
>>>>>>>> being voted on.  People are welcome to decide differently based on
>>>>>>>>> the
>>>>>>>>>
>>>>>>>> results of the exercise.
>>>>>>
>>>>>>>
>>>>>>>>>> -David
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Jean-Louis MONTEIRO
In reply to this post by chongma
Yes it would allow that.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Wed, Mar 28, 2018 at 10:22 AM, Matthew Broadhead <
[hidden email]> wrote:

> would it allow configuration of an oauth endpoint in TomEE and then
> defining security-constraint in the web.xml of a webapp?  seems like a good
> plan if it drops the need for 3rd party libs
>
>
> On 28/03/2018 10:15, Romain Manni-Bucau wrote:
>
>> Hi Matthew,
>>
>> it is an impl of https://github.com/eclipse/microprofile-jwt-auth
>>
>> Normally with a JWT you can drop these things as well - can need some
>> wrapper to handle the representation in a less raw way but nothing crazy.
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <https://rmannibucau.metawerx.net/> | Old Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>> <https://www.packtpub.com/application-development/java-ee-8-
>> high-performance>
>>
>> 2018-03-28 10:10 GMT+02:00 Matthew Broadhead <
>> [hidden email]
>>
>>> :
>>> is this about JSON web tokens or some other JWT?
>>> is this JWT library similar to something like the keycloak tomcat
>>> adapter?
>>> http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/j
>>> ava/tomcat-adapter.html
>>> if so is there a specification on this and do different IDPs handle this
>>> differently.  i.e. if TomEE had a JWT adapter would it no longer need the
>>> keycloak adapter?
>>> for instance the keycloak includes structures like UserRepresentation,
>>> RoleRepresentation, CredentialRepresentation. would this be handled in a
>>> new JWT lib?
>>>
>>>
>>> On 28/03/2018 07:13, Romain Manni-Bucau wrote:
>>>
>>> Roberto PR *is* merged JL.
>>>> He did the work to be able to consume any CDI "container" lib.
>>>>
>>>> So I'd just extract the code as we discussed together in G before that
>>>> mess
>>>> and move forward to keep TCK and add the lib in the MP distro Roberto
>>>> created to fit that design.
>>>>
>>>> As soon as you imported the lib in G, I will make sure to help to make
>>>> it
>>>> releasable.
>>>>
>>>> As the ee concurrency utilities dev I can guarantee you it is wrong to
>>>> put
>>>> it in TomEE :( - mea culpa here.
>>>>
>>>> I can understand the "i cant commit" but you can PR and several of these
>>>> objections are coming from people willing RTC which leads to the same
>>>> blocking state so not sure I get the rational to break projects here and
>>>> make them messy which would deserve asf IMHO.
>>>>
>>>> Le 27 mars 2018 23:37, "Jonathan Gallimore" <
>>>> [hidden email]
>>>> a écrit :
>>>>
>>>> If it can sit in its own repository, and that improves re-usability,
>>>> that
>>>>
>>>>> sounds like a good thing to me. I'd be happy with that under the TomEE
>>>>> TLP.
>>>>> I am sure some folks will prefer to see it under Geronimo. I am a TomEE
>>>>> committer, I am not yet a Geronimo committer (maybe someday....) so I
>>>>> would
>>>>> lean towards TomEE. Wherever it sits, it needs to be possible to work
>>>>> on
>>>>> it
>>>>> without being blocked.
>>>>>
>>>>> Jon
>>>>>
>>>>> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
>>>>> [hidden email]> wrote:
>>>>>
>>>>> What about this vote David?
>>>>>
>>>>>> Roberto's PR for MP-Config integration and mine about MP-JWT are still
>>>>>>
>>>>>> not
>>>>>
>>>>> merged.
>>>>>> Most of the JWT code is server independent and therefor could be
>>>>>>
>>>>>> extracted
>>>>>
>>>>> into a separate library.
>>>>>>
>>>>>> So where the code sits is definitely a question we need to address.
>>>>>> I don't believe the current TomEE repo is a good home.
>>>>>>
>>>>>> TomEE as the Apache TLP can on the other hand become an home.
>>>>>> We only need another another repo where we could put some reusable
>>>>>> code.
>>>>>>
>>>>>> There are a couple of utility classes in TomEE that could also become
>>>>>> a
>>>>>> reusable library.
>>>>>> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon
>>>>>> donation.
>>>>>>
>>>>>> So I would probably propose to create a dedicated git repo where we
>>>>>> could
>>>>>> put all the reusable parts.
>>>>>> One benefit I see is that we could make the TomEE codebase a bit
>>>>>> lighter.
>>>>>>
>>>>>> What do you guys think?
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jean-Louis Monteiro
>>>>>> http://twitter.com/jlouismonteiro
>>>>>> http://www.tomitribe.com
>>>>>>
>>>>>> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
>>>>>> [hidden email]> wrote:
>>>>>>
>>>>>> does this mean a reusable JWT library external to TomEE, or within the
>>>>>>
>>>>>>> TomEE project?
>>>>>>> i have to agree with previous statements i read that TomEE is a
>>>>>>> bundle
>>>>>>>
>>>>>>> of
>>>>>> libraries and not really the place to locate reusable pluggable
>>>>>> projects.
>>>>>> it is more like the place where you might plug a project in once it is
>>>>>>
>>>>>>> working
>>>>>>>
>>>>>>>
>>>>>>> On 19/03/2018 11:39, Jonathan Gallimore wrote:
>>>>>>>
>>>>>>> What's the other vote ("Geronimo one")?
>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
>>>>>>>> [hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hey David,
>>>>>>>>
>>>>>>>> How does this vote relates to the geronimo one you launched?
>>>>>>>>>
>>>>>>>>> Are they purely concurrent or can they be conditional one for the
>>>>>>>>>
>>>>>>>>> other?
>>>>>>>>
>>>>>>>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]> a
>>>>>>>>> écrit :
>>>>>>>>>
>>>>>>>>> The vote for merging PR 123 does not address community will on what
>>>>>>>>>
>>>>>>>>> to
>>>>>>>>
>>>>>>> do
>>>>>>
>>>>>> with the code beyond merging it.  One can realistically vote +1 to
>>>>>>>
>>>>>>>> merge
>>>>>>>>>
>>>>>>>> the code, but then desire to see the code cleaned up and moved
>>>>>>>
>>>>>>>> elsewhere.
>>>>>>>>>> One can realistically desire seeing an attempt to clean up the
>>>>>>>>>> code
>>>>>>>>>>
>>>>>>>>>> to
>>>>>>>>>
>>>>>>>> find
>>>>>>
>>>>>>> what is reusable and may wish to withhold a final decision until we
>>>>>>>>> see
>>>>>>>>>
>>>>>>>> how
>>>>>>>
>>>>>>>> fruitful such a module would be.
>>>>>>>>>
>>>>>>>>>> Out of respect for people who may not know exactly how they feel
>>>>>>>>>>
>>>>>>>>>> (TomEE
>>>>>>>>>
>>>>>>>> or
>>>>>>>
>>>>>>>> Geronimo), this is a vote for the latter.
>>>>>>>>>
>>>>>>>>>> Vote: Should we attempt to extract code from the JWT PR to see
>>>>>>>>>> what
>>>>>>>>>>
>>>>>>>>>> is
>>>>>>>>>
>>>>>>>> reusable and how successful such a jar would be?
>>>>>>
>>>>>>>     +1 Let's give it a shot here
>>>>>>>>>>     +-0
>>>>>>>>>>     -1 Let's do this elsewhere
>>>>>>>>>>
>>>>>>>>>> If the vote is +1 to attempt an extraction of reusable code here,
>>>>>>>>>>
>>>>>>>>>> final
>>>>>>>>>
>>>>>>>> conclusion of if that extraction is worth it or where it should live
>>>>>>>
>>>>>>>> is
>>>>>>>>>
>>>>>>>> not
>>>>>>>
>>>>>>>> being voted on.  People are welcome to decide differently based on
>>>>>>>>> the
>>>>>>>>>
>>>>>>>> results of the exercise.
>>>>>>
>>>>>>>
>>>>>>>>>> -David
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>
   --
    Jean-Louis Monteiro
    http://twitter.com/jlouismonteiro
    http://www.tomitribe.com
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
@Jon: drop some SE style code to move to CDI style and allow apps to
override "naturally" impls + droppring jose dep are the main ones. Some
optim in the Bean impl should pby be planned too but can need some more
investment and are less blocking for a 1.0.0.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>

2018-03-28 10:46 GMT+02:00 Jean-Louis Monteiro <[hidden email]>:

> Yes it would allow that.
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
> On Wed, Mar 28, 2018 at 10:22 AM, Matthew Broadhead <
> [hidden email]> wrote:
>
> > would it allow configuration of an oauth endpoint in TomEE and then
> > defining security-constraint in the web.xml of a webapp?  seems like a
> good
> > plan if it drops the need for 3rd party libs
> >
> >
> > On 28/03/2018 10:15, Romain Manni-Bucau wrote:
> >
> >> Hi Matthew,
> >>
> >> it is an impl of https://github.com/eclipse/microprofile-jwt-auth
> >>
> >> Normally with a JWT you can drop these things as well - can need some
> >> wrapper to handle the representation in a less raw way but nothing
> crazy.
> >>
> >>
> >> Romain Manni-Bucau
> >> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >> <https://rmannibucau.metawerx.net/> | Old Blog
> >> <http://rmannibucau.wordpress.com> | Github <
> >> https://github.com/rmannibucau> |
> >> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> >> <https://www.packtpub.com/application-development/java-ee-8-
> >> high-performance>
> >>
> >> 2018-03-28 10:10 GMT+02:00 Matthew Broadhead <
> >> [hidden email]
> >>
> >>> :
> >>> is this about JSON web tokens or some other JWT?
> >>> is this JWT library similar to something like the keycloak tomcat
> >>> adapter?
> >>> http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/j
> >>> ava/tomcat-adapter.html
> >>> if so is there a specification on this and do different IDPs handle
> this
> >>> differently.  i.e. if TomEE had a JWT adapter would it no longer need
> the
> >>> keycloak adapter?
> >>> for instance the keycloak includes structures like UserRepresentation,
> >>> RoleRepresentation, CredentialRepresentation. would this be handled in
> a
> >>> new JWT lib?
> >>>
> >>>
> >>> On 28/03/2018 07:13, Romain Manni-Bucau wrote:
> >>>
> >>> Roberto PR *is* merged JL.
> >>>> He did the work to be able to consume any CDI "container" lib.
> >>>>
> >>>> So I'd just extract the code as we discussed together in G before that
> >>>> mess
> >>>> and move forward to keep TCK and add the lib in the MP distro Roberto
> >>>> created to fit that design.
> >>>>
> >>>> As soon as you imported the lib in G, I will make sure to help to make
> >>>> it
> >>>> releasable.
> >>>>
> >>>> As the ee concurrency utilities dev I can guarantee you it is wrong to
> >>>> put
> >>>> it in TomEE :( - mea culpa here.
> >>>>
> >>>> I can understand the "i cant commit" but you can PR and several of
> these
> >>>> objections are coming from people willing RTC which leads to the same
> >>>> blocking state so not sure I get the rational to break projects here
> and
> >>>> make them messy which would deserve asf IMHO.
> >>>>
> >>>> Le 27 mars 2018 23:37, "Jonathan Gallimore" <
> >>>> [hidden email]
> >>>> a écrit :
> >>>>
> >>>> If it can sit in its own repository, and that improves re-usability,
> >>>> that
> >>>>
> >>>>> sounds like a good thing to me. I'd be happy with that under the
> TomEE
> >>>>> TLP.
> >>>>> I am sure some folks will prefer to see it under Geronimo. I am a
> TomEE
> >>>>> committer, I am not yet a Geronimo committer (maybe someday....) so I
> >>>>> would
> >>>>> lean towards TomEE. Wherever it sits, it needs to be possible to work
> >>>>> on
> >>>>> it
> >>>>> without being blocked.
> >>>>>
> >>>>> Jon
> >>>>>
> >>>>> On Tue, Mar 27, 2018 at 10:27 PM, Jean-Louis Monteiro <
> >>>>> [hidden email]> wrote:
> >>>>>
> >>>>> What about this vote David?
> >>>>>
> >>>>>> Roberto's PR for MP-Config integration and mine about MP-JWT are
> still
> >>>>>>
> >>>>>> not
> >>>>>
> >>>>> merged.
> >>>>>> Most of the JWT code is server independent and therefor could be
> >>>>>>
> >>>>>> extracted
> >>>>>
> >>>>> into a separate library.
> >>>>>>
> >>>>>> So where the code sits is definitely a question we need to address.
> >>>>>> I don't believe the current TomEE repo is a good home.
> >>>>>>
> >>>>>> TomEE as the Apache TLP can on the other hand become an home.
> >>>>>> We only need another another repo where we could put some reusable
> >>>>>> code.
> >>>>>>
> >>>>>> There are a couple of utility classes in TomEE that could also
> become
> >>>>>> a
> >>>>>> reusable library.
> >>>>>> I have prepared and pushed the 2 PRs for Chatterbox and Sheldon
> >>>>>> donation.
> >>>>>>
> >>>>>> So I would probably propose to create a dedicated git repo where we
> >>>>>> could
> >>>>>> put all the reusable parts.
> >>>>>> One benefit I see is that we could make the TomEE codebase a bit
> >>>>>> lighter.
> >>>>>>
> >>>>>> What do you guys think?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Jean-Louis Monteiro
> >>>>>> http://twitter.com/jlouismonteiro
> >>>>>> http://www.tomitribe.com
> >>>>>>
> >>>>>> On Thu, Mar 22, 2018 at 10:47 AM, Matthew Broadhead <
> >>>>>> [hidden email]> wrote:
> >>>>>>
> >>>>>> does this mean a reusable JWT library external to TomEE, or within
> the
> >>>>>>
> >>>>>>> TomEE project?
> >>>>>>> i have to agree with previous statements i read that TomEE is a
> >>>>>>> bundle
> >>>>>>>
> >>>>>>> of
> >>>>>> libraries and not really the place to locate reusable pluggable
> >>>>>> projects.
> >>>>>> it is more like the place where you might plug a project in once it
> is
> >>>>>>
> >>>>>>> working
> >>>>>>>
> >>>>>>>
> >>>>>>> On 19/03/2018 11:39, Jonathan Gallimore wrote:
> >>>>>>>
> >>>>>>> What's the other vote ("Geronimo one")?
> >>>>>>>
> >>>>>>>> Jon
> >>>>>>>>
> >>>>>>>> On Mon, Mar 19, 2018 at 6:33 AM, Romain Manni-Bucau <
> >>>>>>>> [hidden email]>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Hey David,
> >>>>>>>>
> >>>>>>>> How does this vote relates to the geronimo one you launched?
> >>>>>>>>>
> >>>>>>>>> Are they purely concurrent or can they be conditional one for the
> >>>>>>>>>
> >>>>>>>>> other?
> >>>>>>>>
> >>>>>>>>> Le 19 mars 2018 01:03, "David Blevins" <[hidden email]>
> a
> >>>>>>>>> écrit :
> >>>>>>>>>
> >>>>>>>>> The vote for merging PR 123 does not address community will on
> what
> >>>>>>>>>
> >>>>>>>>> to
> >>>>>>>>
> >>>>>>> do
> >>>>>>
> >>>>>> with the code beyond merging it.  One can realistically vote +1 to
> >>>>>>>
> >>>>>>>> merge
> >>>>>>>>>
> >>>>>>>> the code, but then desire to see the code cleaned up and moved
> >>>>>>>
> >>>>>>>> elsewhere.
> >>>>>>>>>> One can realistically desire seeing an attempt to clean up the
> >>>>>>>>>> code
> >>>>>>>>>>
> >>>>>>>>>> to
> >>>>>>>>>
> >>>>>>>> find
> >>>>>>
> >>>>>>> what is reusable and may wish to withhold a final decision until we
> >>>>>>>>> see
> >>>>>>>>>
> >>>>>>>> how
> >>>>>>>
> >>>>>>>> fruitful such a module would be.
> >>>>>>>>>
> >>>>>>>>>> Out of respect for people who may not know exactly how they feel
> >>>>>>>>>>
> >>>>>>>>>> (TomEE
> >>>>>>>>>
> >>>>>>>> or
> >>>>>>>
> >>>>>>>> Geronimo), this is a vote for the latter.
> >>>>>>>>>
> >>>>>>>>>> Vote: Should we attempt to extract code from the JWT PR to see
> >>>>>>>>>> what
> >>>>>>>>>>
> >>>>>>>>>> is
> >>>>>>>>>
> >>>>>>>> reusable and how successful such a jar would be?
> >>>>>>
> >>>>>>>     +1 Let's give it a shot here
> >>>>>>>>>>     +-0
> >>>>>>>>>>     -1 Let's do this elsewhere
> >>>>>>>>>>
> >>>>>>>>>> If the vote is +1 to attempt an extraction of reusable code
> here,
> >>>>>>>>>>
> >>>>>>>>>> final
> >>>>>>>>>
> >>>>>>>> conclusion of if that extraction is worth it or where it should
> live
> >>>>>>>
> >>>>>>>> is
> >>>>>>>>>
> >>>>>>>> not
> >>>>>>>
> >>>>>>>> being voted on.  People are welcome to decide differently based on
> >>>>>>>>> the
> >>>>>>>>>
> >>>>>>>> results of the exercise.
> >>>>>>
> >>>>>>>
> >>>>>>>>>> -David
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

David Blevins-2
In reply to this post by Romain Manni-Bucau
> On Mar 28, 2018, at 1:21 AM, Romain Manni-Bucau <[hidden email]> wrote:
>
> Just move the "main" code to the repo created @G and import the new lib in
> tomee MP as Roberto did for config. Nothing blocking JL to do them at all.

I will need to include the recent discussion in the April board report and I want to fairly represent everyone's votes.

Is your -1 on the basis that the code must be moved to Geronimo?


-David

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

David Blevins-2
In reply to this post by chongma
> On Mar 28, 2018, at 1:22 AM, Matthew Broadhead <[hidden email]> wrote:
>
> would it allow configuration of an oauth endpoint in TomEE and then defining security-constraint in the web.xml of a webapp?  seems like a good plan if it drops the need for 3rd party libs

Very close.  It wouldn't provide an endpoint that creates JWT tokens, but it would provide functionality for JWT tokens to be *validated* when passed to TomEE in the "Authorization" header of any HTTP request.  

But, absolutely yes that validation would be done without the need for any third-party libraries.  The assumption is that TomEE would need to be given the RSA public key corresponding to the private key the token server used to create the JWT.

After validation, there are three groups of additional features to make things convenient for developers:

 - Identity: The server is required to propagate the JWT `sub` to getCallerPrinciple() and similar existing calls in various Java EE apis

 - Permissions: `@RolesAllowed` finally becomes useful as the server is required to honor the JWT `scopes` claim in uses of `@RolesAllowed` and `isCallerInRole()`

 - Claims:  Any other values of the incoming JWT can be injected into your code via CDI `@Inject @Claim("foo")` as a handful of different data types.  I.e. you can use it as a secure cookie if you want and do not need to write any parsing code.

You still need something to create the tokens, which could be done with an API Gateway or some code you write.  You wouldn't put that code on all microservices as the power of JWT is that there's one source of identity that the enterprise trusts so that should be some fairly small set of very secure servers who hold the private key and do not share it.

Hope that puts some color on it.  We'll want to document the feature and this is a good start, so more questions the better.


-David

Reply | Threaded
Open this post in threaded view
|

Re: [VOTE] Explore creating a reusable JWT Library

Romain Manni-Bucau
In reply to this post by David Blevins-2
Le 29 mars 2018 03:29, "David Blevins" <[hidden email]> a écrit :

> On Mar 28, 2018, at 1:21 AM, Romain Manni-Bucau <[hidden email]>
wrote:
>
> Just move the "main" code to the repo created @G and import the new lib in
> tomee MP as Roberto did for config. Nothing blocking JL to do them at all.

I will need to include the recent discussion in the April board report and
I want to fairly represent everyone's votes.

Is your -1 on the basis that the code must be moved to Geronimo?


That + the fact tomee is not and shouldnt become a put it all project just
become of scm perms IMO but stay an integration project to keep sense and
not mess up its own image and mess up the quality of our reusable libs.



-David
123