Hi all!
I'll use this opportunity to test out the mailing list and introduce
myself. My name is Les (nice to e-meet you!), and I'm interested in
supporting strong security while keeping conceptual concepts (and APIs) as
simple as possible. Due to my work w/ Shiro and Stormpath, I'm of course
interested in User Management (identity CRUD, password security, role and
permission management, etc), but I'm also interested in the CDI events and
interceptors. An authentication/authorization expression language w/
annotations is something we're adding to Shiro 2.0, so I'm interested in
that as well.
I'm sure there will be lots of interesting discussions as the ball starts
rolling. I look forward to working with and hopefully meeting you all.
Cheers,
Les
On Wed, Mar 4, 2015 at 8:26 PM, Alex Kosowski <alex.kosowski_at_oracle.com>
wrote:
> Hi Experts,
>
> Welcome to the EE Security API (JSR 375) expert group!
>
> Thanks again for offering to participate. The expert group includes
> experts from seven companies and includes individuals. The current members
> are:
>
> Adam Bien
> David Blevins (Tomitribe)
> Rudy De Busscher
> Ivar Grimstad
> Les Hazlewood (Stormpath, Inc.)
> Will Hopkins (Oracle)
> Werner Keil
> Matt Konda (Jemurai)
> Darran Lofthouse (RedHat)
> Jean-Louis Monteiro (Tomitribe)
> Pedro Igor Silva (RedHat)
> Arjan Tijms (ZEEF)
> [pending participant from IBM]
>
> I am Alex, the spec lead from Oracle.
>
> The current members of the expert group and their contact information are
> listed on the expert group home page at jcp.org,
> "https://jcp.org/en/eg/view?id=375". We still have one pending
> participant from IBM, and I expect they will monitor the user's mailing
> list while the JCP processes the nomination.
>
> I expect most discussions will be ongoing using this Expert Group mailing
> list, and (automatically) CCed to the user's mailing list. If practical, I
> would also like to have occasional Web Conferences. I will have an
> introductory web conference soon. Timezone wise, we are currently spread
> from California to Western Europe, so perhaps meeting at Noon (12 PM) US
> Eastern Standard Time may be a good compromise.
>
> We will generally decide on issues by consensus of the Expert Group.
> However, should polling be needed, each JCP member will get one vote. So
> JCP members on the Expert Group with multiple representatives would still
> only get one vote.
>
> =====
>
> Okay, now that we got that admin stuff out of the way...
>
> The Java EE Security API needs a lot of work from an application
> developer's perspective. JSR 375 is proposing to improve EE security API
> portability and simplicity, and to modernize it.
>
> Here are some proposed improvements to consider...
>
> Portability:
> - User Management
> - Password Aliasing
> - Role Mapping
>
> Simplicity:
> - Add conveniences to simplify authentication, e.g. JASPIC
>
> Modernization:
> - Authentication CDI Events
> - Authorization CDI Events
> - Authorization CDI Interceptors
> - EL Authorization Rules
>
>
> The original proposal is available here:
> "https://jcp.org/en/jsr/detail?id=375#orig".
>
>
> I would like to start our discussions with: standardizing an API for User
> Management. This would allow an application to add/update/remove/query
> users in a repository within the scope of an application. Since the focus
> here is simplicity, let's consider an API similar to PicketLink or Shiro.
> However, something like JSR 351 Java Identity API may be too complex for
> the typical application developer. What do you think? Let's discuss!
>
> =====
>
> Finally, so that I know that the expert group mailing list on java.net is
> working correctly, would you please reply to the mailing list? Briefly
> introduce yourself to the group and let us know in which particular areas
> of this JSR you yourself are most interested in contributing.
>
> I am looking forward to working with all of you!
>
> Thanks,
> Alex
>
>