Alex/all,
Allow me to introduce myself as well to those who may not know me already.
My name is Werner, I'm the only Individual JCP EC Member outside the US
(after a year of being the only one globally) a reasonable up to date bio
is therefore on the EC page:
https://jcp.org/en/press/news/ec-feature#keil
I am Apache and Eclipse Committer and EG member of a couple of active JSRs.
Beside "value based" ones like 354 or 363 (where I'm also one of the Spec
Leads) most others are related to Java ME as well as EE and CDI. I was in
the Java EE EG since EE 6. I was the first person to ever publicly
associate the term "ESSO" with Single Sign-On during a talk at the first
(and AFAIK only) ApacheCon Asia in Sri Lanka 9 years ago. I worked in many
SSO, SAML, OpenID or other security related projects for major companies
and sites around the world. I'm on the EG of JSR 351 (Identity Management)
which for certain aspects may offer synergies to this JSR.
Together with now CDI Co-Spec Lead Antoine I proposed JSR 357 which after
it was voted down here resulted in the creation of Agorava.org. Several
aspects especially CDI events for authorization and authentication exist in
Agorava, somewhat naturally given its co-founder and project lead Antoine
is also heavily involved in CDI.
Looking forward to working with you here,
Werner Keil | JCP Executive Committee Member, JSR 363 Co Spec Lead |
Eclipse UOMo Lead, Babel Language Champion | Apache Committer | AdBoard
Member, Java Track Chair, DWX '15
Twitter @wernerkeil | @UnitAPI | @JSR377 | @JSR354 | @AgoravaProj |
#EclipseUOMo
| #DeviceMap | #DevOps
Skype werner.keil | Google+ gplus.to/wernerkeil
On Thu, Mar 5, 2015 at 7:58 AM, David Blevins <dblevins_at_tomitribe.com>
wrote:
> Hi Alex and all!
>
> David Blevins, general Java EE enthusiast. Helped create OpenEJB,
> Geronimo, TomEE. Survived the J2EE 1.4 TCK and onward.
>
> I couldn't put a finger on one tweak or single action that would fix Java
> EE Security. All I can say is that we've seem to historically gotten it
> wrong time and time again standardizing the wrong things in great detail
> while simultaneously leaving other huge gaps completely undefined.
>
> A big example of that is never having had a standard way to add users,
> resulting in still being tied to your provider and shallow benefit to any
> abstractions. Add to that the extremely elaborate nature of things like
> JACC which drives up the implementation overhead and severely reduces
> performance. Top it off with the fact that once we create these
> abstractions for plugging in security providers, the diverse market of
> implementations we designed for never show up.
>
> After years of that, I'd have to say I'm keen on seeing what we can do to
> put more security in the user's hands. Let the app play a role in
> authentication and authorization. I think if developers are empowered be
> providers of the underlying authentication & authorization and can do it
> right in their webapp, they'll create and share far more implementations
> than all us vendors have in the last 15 years combined.
>
> I think CDI Events could be the breakthrough we've been waiting for in
> that regard.
>
> If you take JAAS, for example. Yank out the "plugging in" part (CDI
> Extensions cover that), then yank out initialization and shutdown
> (@PostConstruct, @PreDestroy cover that), you don't have much left but
> overly generic "callback" classes. CDI Events offers the ability for
> callbacks, but no need for a fixed and one-size-fits-all method signature.
>
> I think some things we tried to do early in Java EE failed because we
> didn't have the right tools. As of 2015 we don't have a single security
> API where the provider side uses annotations.
>
> Happy to see User Management on the list. If we can do that right,
> fantastic. It's certainly been near the top of my wish list for years.
>
> No concrete ideas yet, but I'm slightly curious what we could do with Java
> 8 and functional style. In the past we've affixed methods with meta-data
> that said what the security requirements were. Methods are now mobile.
>
> We could theoretically pass them into something that would execute them
> with specific constraints or requirements. Things like @RunAs could be
> done by passing method into a container-implemented "runner" rather than
> annotating the method with the current container-implemented @RunAs.
>
> Anyway, excited to see this opportunity. Hope we crack this nut.
>
> Very much look forward to working with you all!
>
>
> -David
>
> On Mar 4, 2015, at 8:26 PM, Alex Kosowski <alex.kosowski_at_oracle.com>
> wrote:
>
> > Hi Experts,
> >
> > Welcome to the EE Security API (JSR 375) expert group!
> >
> > Thanks again for offering to participate. The expert group includes
> experts from seven companies and includes individuals. The current members
> are:
> >
> > Adam Bien
> > David Blevins (Tomitribe)
> > Rudy De Busscher
> > Ivar Grimstad
> > Les Hazlewood (Stormpath, Inc.)
> > Will Hopkins (Oracle)
> > Werner Keil
> > Matt Konda (Jemurai)
> > Darran Lofthouse (RedHat)
> > Jean-Louis Monteiro (Tomitribe)
> > Pedro Igor Silva (RedHat)
> > Arjan Tijms (ZEEF)
> > [pending participant from IBM]
> >
> > I am Alex, the spec lead from Oracle.
> >
> > The current members of the expert group and their contact information
> are listed on the expert group home page at jcp.org, "
> https://jcp.org/en/eg/view?id=375". We still have one pending
> participant from IBM, and I expect they will monitor the user's mailing
> list while the JCP processes the nomination.
> >
> > I expect most discussions will be ongoing using this Expert Group
> mailing list, and (automatically) CCed to the user's mailing list. If
> practical, I would also like to have occasional Web Conferences. I will
> have an introductory web conference soon. Timezone wise, we are currently
> spread from California to Western Europe, so perhaps meeting at Noon (12
> PM) US Eastern Standard Time may be a good compromise.
> >
> > We will generally decide on issues by consensus of the Expert Group.
> However, should polling be needed, each JCP member will get one vote. So
> JCP members on the Expert Group with multiple representatives would still
> only get one vote.
> >
> > =====
> >
> > Okay, now that we got that admin stuff out of the way...
> >
> > The Java EE Security API needs a lot of work from an application
> developer's perspective. JSR 375 is proposing to improve EE security API
> portability and simplicity, and to modernize it.
> >
> > Here are some proposed improvements to consider...
> >
> > Portability:
> > - User Management
> > - Password Aliasing
> > - Role Mapping
> >
> > Simplicity:
> > - Add conveniences to simplify authentication, e.g. JASPIC
> >
> > Modernization:
> > - Authentication CDI Events
> > - Authorization CDI Events
> > - Authorization CDI Interceptors
> > - EL Authorization Rules
> >
> >
> > The original proposal is available here: "
> https://jcp.org/en/jsr/detail?id=375#orig".
> >
> >
> > I would like to start our discussions with: standardizing an API for
> User Management. This would allow an application to add/update/remove/query
> users in a repository within the scope of an application. Since the focus
> here is simplicity, lets consider an API similar to PicketLink or Shiro.
> However, something like JSR 351 Java Identity API may be too complex for
> the typical application developer. What do you think? Let's discuss!
> >
> > =====
> >
> > Finally, so that I know that the expert group mailing list on java.net
> is working correctly, would you please reply to the mailing list? Briefly
> introduce yourself to the group and let us know in which particular areas
> of this JSR you yourself are most interested in contributing.
> >
> > I am looking forward to working with all of you!
> >
> > Thanks,
> > Alex
> >
>
>