Hi Les!

I agree, the purpose is not to re-invent the wheel, and thanks for creating JJWT ;)

As JJWT is under the Apache 2.0 license, I think we can use it in Shiro.

Do you have some time to work on this integration or make a proposal?

François Papon
[email protected]

On 07/03/2019 at 21:38, Les Hazlewood wrote:
> Hi François!
>
> I see it a little differently. Shiro 'sits' a little higher than some
> of the lower-level utilities like working with JWTs. IMO, it should
> leverage these lower-level tools rather than re-invent the wheel. So using
> JJWT for JWTs or using Jackson for JSON, etc.
>
> When I wrote JJWT, I had no idea how many things I would have to take
> into account for the JWT set of specifications. It is a *lot* of work
> and so many different things need to be taken into account depending
> on whether the JWT is unsigned, signed, or encrypted. IMO, this is a whole
> set of low-level responsibilities outside the realm of Application
> Security, which is Shiro's bread-and-butter.
>
> I think it would make a lot more sense for Shiro to _use_ JJWT to
> accomplish things - i.e. session cookies, identity protocol support
> (OpenID Connect, etc). And of course, wrap these calls behind a nice
> API/Interface so as to not tightly couple Shiro's codebase to JJWT.
>
> FWIW, JJWT also has 'plugin' capabilities where signature and
> encryption algorithms can be delegated to another provider, and maybe
> Shiro could be that provider. That said, I don't think that's
> necessary because JJWT's algorithm support is already broader in
> support than what Shiro currently has because the JWE specifications
> require various things (like EllipticCurve etc).
>
> Thoughts? Does this make sense?
>
> Cheers,
>
> Les
>
> On Thu, Mar 7, 2019 at 12:17 PM Francois Papon
> <[email protected]> wrote:
>> Hi Les,
>>
>> I took a look at JJWT and it's really great ;)
>>
>> But as Shiro is a security framework and already has a cryptography
>> module, I was hoping that we could have our own implementation.
>>
>> regards,
>>
>> François Papon
>> [email protected]
>>
>> On 07/03/2019 at 01:37, Les Hazlewood wrote:
>>> What about jjwt - would that work?
>>>
>>> On Wed, Mar 6, 2019 at 3:15 PM Brian Demers <[email protected]> wrote:
>>>> What use cases are you thinking about targeting?
>>>>
>>>>
>>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon
>>>> <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I would like to start a thread about JWT.
>>>>>
>>>>> We already have a shiro-jaxrs module and I think it would be nice for
>>>>> Shiro to be able to use JWT.
>>>>>
>>>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
>>>>> microprofile...) and for me it makes sense to have an implementation of
>>>>> JWT in Shiro.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> regards,
>>>>>
>>>>> --
>>>>> François Papon
>>>>> [email protected]
