jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Fwd: Security.mup

From: Rudy De Busscher <rdebusscher_at_gmail.com>
Date: Thu, 19 Mar 2015 22:02:23 +0100

Hi Arjan,

Thanks for the good comments, you know all the specs far better than me :)!


> First of all, there is a distinction between a "method" and "auth-method"
> in the map. Connected to "method" are all the things that are
> "auth-methods" in the Servlet spec. What is the difference here?


Maybe the terms used are a bit confusing (the map was created mostly from what
was in my mind and I didn't double-check). For me, methods are from the
viewpoint of the end user: how can I transfer the credentials?
And auth-method is the Java code that actually performs the authentication.

But I agree, since auth-method is mentioned in the Servlet spec. I'll change
method -> auth-method and method -> Java methods.

> So what would a separate "Plugeable" then mean in this context?


Checked a few things more about JASPIC and indeed, this is basically the
pluggable aspect I wanted to indicate. I'll move it.


> As for "remember me", this is certainly worth a separate discussion. I
> found that it works rather well as a wrapper for an actual authentication
> method. You grouped it with "method", which is good as a concept, but in
> practice it is often explicitly called before the other methods.


"remember me" is indeed a special case. But since it is clearly a
different way of supplying your 'Credentials' I made it a separate item.
But indeed, it can't exist with any of the other auth-methods.

> Finally, I don't see any mention of JACC below the "Authorization" node.


Indeed, missed that one.


I have uploaded the updated mindmap (and updated image) to the shared
JSR375 folder which Alex made available today.


Regarding your authentication flow, I see a few odd things. But it better
indicates the steps in the authentication process.

But I find it a bit strange that all the auth-methods, like form, basic, ...
are under the JASPIC box. It is the extension point you have today, but
the standard mechanisms provided in the servers rely on realms which use
databases, property files, LDAP, etc. (and are not using JASPIC, or I may
have it wrong of course).

And I see that the Java EE Security Server Auth Store is marked with the
Java EE Security API label. Does this mean that all existing code today
needs to be rewritten to use the new API we are going to define?


Regards
Rudy


On 19 March 2015 at 15:44, arjan tijms <arjan.tijms_at_gmail.com> wrote:

> Hi,
>
>
>> Feel free to comment and change if I made a big mistake or something
>> really important is missing.
>
>
> I do have a few comments and questions indeed ;)
>
> First of all, there is a distinction between a "method" and "auth-method"
> in the map. Connected to "method" are all the things that are
> "auth-methods" in the Servlet spec. What is the difference here?
>
> Furthermore, connected to "auth-method" is "JASPIC" and "Plugeable". I
> don't 100% understand this. JASPIC is not a concrete auth method itself,
> but rather a set of rules (an SPI) that standardize how authentication
> modules can be plugged into a Servlet container in a portable way. The
> Servlet EG is considering standardizing on this pluggable interface for
> the implementation of the standard Servlet auth methods (Form, Basic, ...).
>
> So what would a separate "Plugeable" then mean in this context?
>
> There are currently 2 ways to plug authentication modules in a Servlet
> container; via a proprietary way (this is different for each Servlet
> container) and via JASPIC. Are we going to define a third way and ask the
> Servlet container vendors to implement that as well?
>
>
> As for "remember me", this is certainly worth a separate discussion. I
> found that it works rather well as a wrapper for an actual authentication
> method. You grouped it with "method", which is good as a concept, but in
> practice it is often explicitly called before the other methods.
>
> Remember me is therefore in my opinion a kind of pseudo method. It also
> needs its own store, where a token store seems to work best. (I did quite
> an amount of thinking how to implement this in a universal way, and I'm
> currently at this experimental implementation:
> https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/jaspic/wrappers/RememberMeWrapper.java
> )
>
>
> Finally, I don't see any mention of JACC below the "Authorization" node.
>
> Kind regards,
> Arjan Tijms
>
> On Thu, Mar 19, 2015 at 2:52 PM, Alex Kosowski <alex.kosowski_at_oracle.com>
> wrote:
>
>> Hi Rudy,
>>
>> I fixed the permissions, everyone in the group should now be allowed to
>> post to the Google Group for sharing docs.
>>
>> Please let us keep the discussions on
>> jsr375-experts_at_javaee-security-spec.java.net.
>>
>> Thanks Rudy for preparing and sharing the mindMap!
>>
>> Alex
>>
>> On 3/19/15 5:47 AM, Rudy De Busscher wrote:
>>
>> Seems that I can't post to the JSR 375 Google groups ...
>>
>> ---------- Forwarded message ----------
>> From: Rudy De Busscher (via Google Drive) <rdebusscher_at_gmail.com>
>> Date: 19 March 2015 at 10:14
>> Subject: Security.mup
>> To: rdebusscher_at_gmail.com
>> Cc: jsr375-experts_at_googlegroups.com
>>
>>
>> Rudy De Busscher <rdebusscher_at_gmail.com> has shared the following
>> file:
>> Security.mup
>> <https://drive.google.com/file/d/0B4QN2eZt4p5dLWF3Q0l0LTZxWWc/view?usp=sharing_eid>
>> Hi all,
>>
>> I tried to create an overview of all 'things' related to Java EE Security
>> and assembled them in a mindMap. Existing concepts and future wishes (and I
>> know it is incomplete)
>>
>> This is to keep a global overview of what belongs where and what it should
>> be used for.
>>
>> Feel free to comment and change if I made a big mistake or something
>> really important is missing.
>>
>> It is created with MindMup (in case you have issues with installing/using
>> it, here is a link to an image of the mindMap
>> https://drive.google.com/file/d/0B4QN2eZt4p5dYndIT1Z6QkVoZzQ/view?usp=sharing
>> )
>>
>> Regards
>> Rudy
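Arjan describes "remember me" above as a pseudo method: a wrapper around an actual authentication method, called before the other methods, with its own token store, plugged in through JASPIC. The following is an added illustration of that shape written by the editor; it is not code from this thread and not the OmniSecurity RememberMeWrapper Arjan links. It assumes a cookie named REMEMBER_ME, a request parameter rememberme=on as the opt-in, an in-memory token map standing in for the token store, a two-week token lifetime, and that the container's CallbackHandler places the caller principal into clientSubject after the wrapped module succeeds. All of those names and behaviours are assumptions for the example.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the thread or from OmniSecurity: a hypothetical JASPIC
// ServerAuthModule that wraps the real auth-method and runs "remember me" in front of it.
public class RememberMeWrapperSam implements ServerAuthModule {
    private static final String COOKIE = "REMEMBER_ME";   // assumed cookie name
    private final ServerAuthModule delegate;             // form, basic, ... whatever is wrapped
    // Remember-me's own store: opaque random token -> caller name. In-memory for the example;
    // a real store persists a hash of the token plus an expiry, never the plain token.
    private final Map<String, String> tokens = new ConcurrentHashMap<>();
    private CallbackHandler handler;
    public RememberMeWrapperSam(ServerAuthModule delegate) { this.delegate = delegate; }
    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        delegate.initialize(requestPolicy, responsePolicy, handler, options);
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // 1. Remember-me is consulted before the wrapped method: a known token authenticates
        //    the caller and the delegate never sees the request.
        String token = cookieValue(request);
        String caller = token == null ? null : tokens.get(token);
        if (caller != null) {
            setCaller(clientSubject, caller);
            return AuthStatus.SUCCESS;
        }
        if (token != null) setCookie(response, "", 0);   // unknown or revoked token: drop it
        // 2. No usable token, so the real auth-method decides.
        AuthStatus status = delegate.validateRequest(messageInfo, clientSubject, serviceSubject);
        // 3. On success, and only on explicit opt-in, issue a token for next time. Assumes the
        //    container's CallbackHandler put the caller principal into clientSubject.
        if (status == AuthStatus.SUCCESS && "on".equals(request.getParameter("rememberme"))
                && !clientSubject.getPrincipals().isEmpty()) {
            String fresh = UUID.randomUUID().toString();
            tokens.put(fresh, clientSubject.getPrincipals().iterator().next().getName());
            setCookie(response, fresh, 14 * 24 * 3600);   // two weeks, an assumed lifetime
        }
        return status;
    }
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        return delegate.secureResponse(messageInfo, serviceSubject);
    }
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        // Logout revokes the token server-side; deleting only the cookie would leave it valid.
        String token = cookieValue((HttpServletRequest) messageInfo.getRequestMessage());
        if (token != null) tokens.remove(token);
        setCookie((HttpServletResponse) messageInfo.getResponseMessage(), "", 0);
        delegate.cleanSubject(messageInfo, subject);
    }
    private void setCaller(Subject subject, String name) throws AuthException {
        try {
            handler.handle(new Callback[] { new CallerPrincipalCallback(subject, name) });
        } catch (Exception e) {
            throw (AuthException) new AuthException("caller callback failed").initCause(e);
        }
    }
    private static String cookieValue(HttpServletRequest request) {
        if (request.getCookies() == null) return null;
        for (Cookie c : request.getCookies()) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
    private static void setCookie(HttpServletResponse response, String value, int maxAge) {
        Cookie cookie = new Cookie(COOKIE, value);
        cookie.setHttpOnly(true);   // not readable by script
        cookie.setSecure(true);     // never sent over plain HTTP
        cookie.setPath("/");
        cookie.setMaxAge(maxAge);   // 0 deletes the cookie
        response.addCookie(cookie);
    }
}
```

Two caveats a practitioner would want alongside this. The token store only proves identity: a caller restored from a token gets no group membership here, so a real module must also resolve groups (through a GroupPrincipalCallback, backed by the realm or identity store) or the authorization side will deny everything. And the token itself is a bearer credential, so the store should keep a hash of it with an expiry, and logout must revoke it server-side as cleanSubject does above; clearing the cookie alone leaves a stolen copy usable.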