Hi Everyone,
I am Ajay Reddy (Karkala) from IBM. Sorry for the delay. Have been out and
busy lately and finally was able to complete the paperwork to join the group.
I am very excited to be part of this team. I have been working in the J2EE
security area for more than 7 years
in various aspects - support, development, design and architecture. Glad to
see that finally we have a group
to focus on general Security for J2EE. Going by the discussions so far I
am sure it will be an interesting and
educational venture.
All the security topics mentioned in this specification are interesting and
definitely need clarity and improvements.
Though my primary interests are in the areas of User Management and
Authorization, I would like to see us come
to some standardization across security related terminology (which seems to
have already started), Role Mapping,
Authentication (including plugging into technologies like SAML, OpenID
Connect).
I look forward to working with you all and coming up with security
proposals that have clarity and simplicity and have
wide acceptance not just with the application server vendors but also the
customers that use them.
Regards,
Ajay Reddy,
From: Alex Kosowski <alex.kosowski_at_oracle.com>
To: jsr375-experts_at_javaee-security-spec.java.net
Date: 03/31/2015 06:53 PM
Subject: [jsr375-experts] Welcome to the JSR 375 EE Security API Expert
Group!
Hi Experts,
Welcome to the EE Security API (JSR 375) expert group!
Thanks again for offering to participate. The expert group includes
experts from seven companies and includes individuals. The current
members are:
Adam Bien
David Blevins (Tomitribe)
Rudy De Busscher
Ivar Grimstad
Les Hazlewood (Stormpath, Inc.)
Will Hopkins (Oracle)
Werner Keil
Matt Konda (Jemurai)
Darran Lofthouse (RedHat)
Jean-Louis Monteiro (Tomitribe)
Pedro Igor Silva (RedHat)
Arjan Tijms (ZEEF)
[pending participant from IBM]
I am Alex, the spec lead from Oracle.
The current members of the expert group and their contact information
are listed on the expert group home page at jcp.org,
"https://jcp.org/en/eg/view?id=375". We still have one pending
participant from IBM, and I expect they will monitor the user's mailing
list while the JCP processes the nomination.
I expect most discussions will be ongoing using this Expert Group
mailing list, and (automatically) CCed to the user's mailing list. If
practical, I would also like to have occasional Web Conferences. I will
have an introductory web conference soon. Timezone wise, we are
currently spread from California to Western Europe, so perhaps meeting
at Noon (12 PM) US Eastern Standard Time may be a good compromise.
We will generally decide on issues by consensus of the Expert Group.
However, should polling be needed, each JCP member will get one vote. So
JCP members on the Expert Group with multiple representatives would
still only get one vote.
=====
Okay, now that we got that admin stuff out of the way...
The Java EE Security API needs a lot of work from an application
developer's perspective. JSR 375 is proposing to improve EE security API
portability and simplicity, and to modernize it.
Here are some proposed improvements to consider...
Portability:
- User Management
- Password Aliasing
- Role Mapping
Simplicity:
- Add conveniences to simplify authentication, e.g. JASPIC
Modernization:
- Authentication CDI Events
- Authorization CDI Events
- Authorization CDI Interceptors
- EL Authorization Rules
The original proposal is available here:
"https://jcp.org/en/jsr/detail?id=375#orig".
I would like to start our discussions with: standardizing an API for
User Management. This would allow an application to
add/update/remove/query users in a repository within the scope of an
application. Since the focus here is simplicity, let's consider an API
similar to PicketLink or Shiro. However, something like JSR 351 Java
Identity API may be too complex for the typical application developer.
What do you think? Let's discuss!
=====
Finally, so that I know that the expert group mailing list on java.net
is working correctly, would you please reply to the mailing list?
Briefly introduce yourself to the group and let us know in which
particular areas of this JSR you yourself are most interested in
contributing.
I am looking forward to working with all of you!
Thanks,
Alex