Hi François!

I see it a little differently.  Shiro 'sits' a little higher than some
of the lower-level utilities like working with JWTs.  IMO, it should
leverage these lower-level tools rather than re-invent the wheel.  So
using JJWT for JWTs or using Jackson for JSON, etc.

When I wrote JJWT, I had no idea how many things I would have to take
into account for the JWT set of specifications.  It is a *lot* of work
and so many different things need to be taken into account depending
on whether the JWT is unsigned, signed, or encrypted.  IMO, this is a
whole set of low-level responsibilities outside the realm of
Application Security, which is Shiro's bread-and-butter.

I think it would make a lot more sense for Shiro to _use_ JJWT to
accomplish things - i.e. session cookies, identity protocol support
(OpenID Connect, etc).  And of course, wrap these calls behind a nice
API/Interface so as to not tightly couple Shiro's codebase to JJWT.

FWIW, JJWT also has 'plugin' capabilities where signature and
encryption algorithms can be delegated to another provider, and maybe
Shiro could be that provider.  That said, I don't think that's
necessary because JJWT's algorithm support is already broader than
what Shiro currently has, because the JWE specifications require
various things (like Elliptic Curve, etc.).

Thoughts?  Does this make sense?

Cheers,

Les

On Thu, Mar 7, 2019 at 12:17 PM Francois Papon
<[email protected]> wrote:
>
> Hi Les,
>
> I took a look at JJWT and it's really great ;)
>
> But as Shiro is a security framework and already has a cryptography
> module, I was hoping that we could have our own implementation.
>
> regards,
>
> François Papon
> [email protected]
>
> Le 07/03/2019 à 01:37, Les Hazlewood a écrit :
> > What about jjwt - would that work?
> >
> > On Wed, Mar 6, 2019 at 3:15 PM Brian Demers <[email protected]> wrote:
> >> What use cases are you thinking about targeting ?
> >>
> >>
> >> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon 
> >> <[email protected]>
> >> wrote:
> >>
> >>> Hi guys,
> >>>
> >>> I would like to start a thread about JWT.
> >>>
> >>> We already have a shiro-jaxrs module and I think it would be nice for
> >>> Shiro to be able to use JWT.
> >>>
> >>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
> >>> microprofile...) and for me it makes sense to have an implementation of
> >>> JWT in Shiro.
> >>>
> >>> Thoughts?
> >>>
> >>> regards,
> >>>
> >>> --
> >>> François Papon
> >>> [email protected]
> >>>
> >>>
> >>>

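The "wrap JJWT behind an interface" approach from Les's reply, as an added example that is not Shiro or JJWT project code: a small verifier interface that Shiro code depends on, a JJWT-backed implementation of it (JJWT 0.10.x API), and a Shiro Realm that authenticates a bearer JWT through it. The names JwtVerifier, JjwtVerifier, JwtBearerToken and JwtRealm are hypothetical, and the signing key and tokens are generated in the example itself. The security-relevant detail is that the verifier goes through parseClaimsJws, which only accepts a signed JWS, so an unsigned ("alg":"none") token is rejected rather than silently accepted.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import java.security.Key;
import java.util.Date;

/** Added example (hypothetical names): Shiro consuming JJWT behind a small interface. */
public class JwtShiroExample {

    /** Shiro token carrying a raw bearer JWT, e.g. taken from an Authorization header. */
    static class JwtBearerToken implements AuthenticationToken {
        private final String jwt;
        JwtBearerToken(String jwt) { this.jwt = jwt; }
        @Override public Object getPrincipal() { return null; }   // unknown until verified
        @Override public Object getCredentials() { return jwt; }
    }

    /** The abstraction Shiro code programs against; JJWT stays behind it. */
    interface JwtVerifier {
        /** Returns the verified claims, or throws JwtException if the token is not a valid signed JWS. */
        Claims verify(String compactJwt);
    }

    /** JJWT-backed implementation (assumes JJWT 0.10.x). */
    static class JjwtVerifier implements JwtVerifier {
        private final Key key;
        private final String expectedIssuer;
        JjwtVerifier(Key key, String expectedIssuer) { this.key = key; this.expectedIssuer = expectedIssuer; }

        @Override
        public Claims verify(String compactJwt) {
            // parseClaimsJws accepts only *signed* JWS tokens: an unsigned ("alg":"none")
            // or encrypted (JWE) token fails with UnsupportedJwtException, and bad
            // signatures, expiry and issuer mismatches throw other JwtException subclasses.
            return Jwts.parser()
                    .setSigningKey(key)
                    .requireIssuer(expectedIssuer)
                    .parseClaimsJws(compactJwt)
                    .getBody();
        }
    }

    /** Realm that authenticates JwtBearerToken via the verifier; no JJWT types leak in here. */
    static class JwtRealm extends AuthorizingRealm {
        private final JwtVerifier verifier;
        JwtRealm(JwtVerifier verifier) { this.verifier = verifier; }

        @Override
        public boolean supports(AuthenticationToken token) { return token instanceof JwtBearerToken; }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String jwt = (String) token.getCredentials();
            Claims claims;
            try {
                claims = verifier.verify(jwt);
            } catch (JwtException e) {
                throw new AuthenticationException("JWT rejected: " + e.getMessage(), e);
            }
            if (claims.getSubject() == null) {
                throw new AuthenticationException("JWT has no subject claim");
            }
            // The JWT is returned as the credential so Shiro's default SimpleCredentialsMatcher
            // (token credential vs. info credential) passes; verification already happened above.
            return new SimpleAuthenticationInfo(claims.getSubject(), jwt, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo();   // roles/permissions would be derived from claims or a store
        }
    }

    public static void main(String[] args) {
        Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);   // generated here, example only
        JwtRealm realm = new JwtRealm(new JjwtVerifier(key, "https://issuer.example"));

        String signed = Jwts.builder().setIssuer("https://issuer.example").setSubject("alice")
                .setExpiration(new Date(System.currentTimeMillis() + 60_000L))
                .signWith(key).compact();
        System.out.println("signed   -> " + realm.getAuthenticationInfo(new JwtBearerToken(signed)).getPrincipals());

        // No signWith(): JJWT emits an unsigned JWT ("alg":"none"); the realm must reject it.
        String unsigned = Jwts.builder().setIssuer("https://issuer.example").setSubject("alice").compact();
        try {
            realm.getAuthenticationInfo(new JwtBearerToken(unsigned));
            System.out.println("unsigned -> ACCEPTED (bug)");
        } catch (AuthenticationException e) {
            System.out.println("unsigned -> rejected: " + e.getMessage());
        }
    }
}
```

Only JwtVerifier and JwtBearerToken would be part of Shiro's public surface in this arrangement; swapping JJWT for another JOSE library means providing a different JwtVerifier, and the Realm does not change.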