I'm for Identity Store or Realm
I think Java EE borrowed the term "Realm" from Basic Authentication:
http://tools.ietf.org/html/rfc2617 ("Protection Space")
A realm could be anything, but from a pragmatic point of view it is an Identity Store.
> On 13.04.2015, at 17:52, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> Hi,
>
> On Fri, Apr 10, 2015 at 10:23 AM, Ivar Grimstad <ivar.grimstad_at_gmail.com> wrote:
>> Identity Store for me.
>
> Thanks for the vote! Current status is now:
>
> 10 out of 14 voted:
>
> David Blevins: Store
> Arjan Tijms: Authentication Store
> Alex Kosowski: Identity Store
> Rudy De Busscher: Security Provider
> Darran Lofthouse: Realm / Identity Store
> Werner Keil: Authentication Store / Identity Store
> Ajay Reddy: Identity Store / User Repository / Realm
> Pedro Igor: Identity Store
> Jean-Louis Monteiro: Authentication Store / Store
> Ivar Grimstad: Identity Store
>
>
> Organized per term:
>
> Identity Store - 6
> Authentication Store - 3
> Realm - 3
> Store - 1
> Security Provider - 1
> User Repository - 1
>
> I'm willing to change my vote to "Identity Store" as well, so we'd then have:
>
> David Blevins: Store
> Arjan Tijms: Identity Store
> Alex Kosowski: Identity Store
> Rudy De Busscher: Security Provider
> Darran Lofthouse: Realm / Identity Store
> Werner Keil: Authentication Store / Identity Store
> Ajay Reddy: Identity Store / User Repository / Realm
> Pedro Igor: Identity Store
> Jean-Louis Monteiro: Authentication Store / Store
> Ivar Grimstad: Identity Store
>
>
> Organized per term:
>
> Identity Store - 7
> Realm - 3
> Authentication Store - 2
> Store - 1
> Security Provider - 1
> User Repository - 1
>
> So if Adam Bien, Will Hopkins, Matt Konda and Les Hazlewood all voted
> "realm" we'd have a tie, but otherwise there's not much that stands in
> the way of "identity store" for the working term.
>
> Kind regards,
> Arjan Tijms
>
>>
>> On Apr 10, 2015 9:16 AM, "arjan tijms" <arjan.tijms_at_gmail.com> wrote:
>>>
>>> On Fri, Apr 10, 2015 at 8:44 AM, Jean-Louis Monteiro
>>> <jlmonteiro_at_tomitribe.com> wrote:
>>>> Oops, thought I voted but looks like no.
>>>>
>>>> If it's still time, "authentication store" for me if we want to really
>>>> qualify what the store is about.
>>>> Otherwise "store" only is enough.
>>>
>>> Thanks!
>>>
>>> Latest votes overview then becomes:
>>>
>>> 9 out of 14 voted:
>>>
>>> David Blevins: Store
>>> Arjan Tijms: Authentication Store
>>> Alex Kosowski: Identity Store
>>> Rudy De Busscher: Security Provider
>>> Darran Lofthouse: Realm / Identity Store
>>> Werner Keil: Authentication Store / Identity Store
>>> Ajay Reddy: Identity Store / User Repository / Realm
>>> Pedro Igor: Identity Store
>>> Jean-Louis Monteiro: Authentication Store / Store
>>>
>>>
>>> Organized per term:
>>>
>>> Identity Store - 5
>>> Authentication Store - 3
>>> Realm - 3
>>> Store - 1
>>> Security Provider - 1
>>> User Repository - 1
>>>
>>>
>>>>
>>>> --
>>>> Jean-Louis Monteiro
>>>> http://twitter.com/jlouismonteiro
>>>> http://www.tomitribe.com
>>>>
>>>> On Fri, Apr 10, 2015 at 12:22 AM, arjan tijms <arjan.tijms_at_gmail.com>
>>>> wrote:
>>>>>
>>>>> On Fri, Apr 10, 2015 at 12:11 AM, Alex Kosowski
>>>>> <alex.kosowski_at_oracle.com> wrote:
>>>>>> I change my vote to just "Identity Store"
>>>>>
>>>>> Okay, so then we have:
>>>>>
>>>>> David Blevins: Store
>>>>> Arjan Tijms: Authentication Store
>>>>> Alex Kosowski: Identity Store
>>>>> Rudy De Busscher: Security Provider
>>>>> Darran Lofthouse: Realm / Identity Store
>>>>> Werner Keil: Authentication Store / Identity Store
>>>>> Ajay Reddy: Identity Store / User Repository / Realm
>>>>> Pedro Igor: Identity Store
>>>>>
>>>>>
>>>>> Organized per term:
>>>>>
>>>>> Identity Store - 5
>>>>> Authentication Store - 2
>>>>> Realm - 2
>>>>> Store - 1
>>>>> Security Provider - 1
>>>>> User Repository - 1
>>>>>
>>>>> Kind regards,
>>>>> Arjan Tijms
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> On 4/9/15 5:56 PM, Pedro Igor Silva wrote:
>>>>>>>
>>>>>>> In PicketLink, IdentityStore is mainly related to how you manage
>>>>>>> identities and relationships. Identities would be users, roles, groups,
>>>>>>> applications, etc. And relationships would be grants (rbac), group
>>>>>>> membership (gbac) and so forth. It is basically a CRUD interface, the base
>>>>>>> for all the other specific stores we have.
>>>>>>>
>>>>>>> Regarding authentication, there is also a specific store for credentials,
>>>>>>> the CredentialStore. There is a reference to it in the scope document as
>>>>>>> follows:
>>>>>>>
>>>>>>> "4.3.c Credentials also in Identity Store? Perhap separate secured store?"
>>>>>>>
>>>>>>> These two stores are involved during the authentication process, where you
>>>>>>> need to load an account (e.g. user) and authenticate based on a specific
>>>>>>> credential type (password, totp, X.509, token, etc).
>>>>>>>
>>>>>>> PermissionStore, on the other hand, is specific for permissions and is not
>>>>>>> related at all with authentication. Like you said, it is related with acl
>>>>>>> authorization.
>>>>>>>
>>>>>>> I would say that in this case Identity Store makes more sense. Especially
>>>>>>> if you consider what Darran said about the potential to be widely referenced
>>>>>>> after authentication.
>>>>>>>
>>>>>>> One of the reasons for different and specific stores is that you may mix
>>>>>>> different repositories (e.g. LDAP and JPA), where each one can be used to
>>>>>>> store only a specific type of information. For instance, use LDAP for users
>>>>>>> and credentials, but JPA for more fine grained authorization with
>>>>>>> permissions/acl. And also because each repository has its limitations. For
>>>>>>> instance, it is really hard to support ACL or even custom attributes in
>>>>>>> LDAP.
>>>>>>>
>>>>>>> Regards.
>>>>>>> Pedro Igor
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Werner Keil"<werner.keil_at_gmail.com>
>>>>>>> To: jsr375-experts_at_javaee-security-spec.java.net
>>>>>>> Sent: Thursday, April 9, 2015 12:18:32 PM
>>>>>>> Subject: [jsr375-experts] Re: 1-TerminologyAuthInteractionVsStore ACTION: cast vote
>>>>>>>
>>>>>>> Actually "IdentityStore" is also used in different PicketLink modules.
>>>>>>> So it uses "PermissionStore" in the context of "Authorization"/ACL and
>>>>>>> "IdentityStore" on the Authentication side.
>>>>>>> If we purely deal with Authentication, either "IdentityStore" or
>>>>>>> "AuthenticationStore" sound best.
>>>>>>> Otherwise I'd say "PermissionStore" (or "SecurityStore" to have another
>>>>>>> prefix to the simple "Store") sound more versatile.
>>>>>>>
>>>>>>> Werner
>>>>>>>
>>>>>>> On Thu, Apr 9, 2015 at 5:08 PM, Werner Keil <werner.keil_at_gmail.com> wrote:
>>>>>>>
>>>>>>>> PicketLink calls it PermissionStore. I could think of variations including
>>>>>>>> SecurityStore (just Store seems a bit too wide)
>>>>>>>> but PermissionStore sounds fine to me.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Werner
>>>>>>>>
>>>>>>>> On Thu, Apr 9, 2015 at 4:32 PM, Darran Lofthouse <darran.lofthouse_at_redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Looks like I replied but did not vote ;-)
>>>>>>>>>
>>>>>>>>> My vote would be Realm or Identity Store.
>>>>>>>>>
>>>>>>>>> Whilst I agree its first use will be authentication I think it has the
>>>>>>>>> potential to be widely referenced after authentication.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Darran Lofthouse.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 09/04/15 15:24, arjan tijms wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> We now have 4 votes:
>>>>>>>>>>
>>>>>>>>>> David Blevins: Store
>>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>> Alex Kosowski: Authentication Store / Identity Store
>>>>>>>>>> Rudy De Busscher: Security Provider
>>>>>>>>>>
>>>>>>>>>> No other people have voted yet, although there have been some
>>>>>>>>>> additional comments.
>>>>>>>>>>
>>>>>>>>>> Based on this, shall we establish "authentication store" as the
>>>>>>>>>> working term? Just so we all know what we're talking about. The final
>>>>>>>>>> term can be something else still.
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Arjan
>>>>>>>>>>
>>>>>>>>>> On Mon, Mar 23, 2015 at 11:13 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Mar 23, 2015 at 10:32 PM, Alex Kosowski <alex.kosowski_at_oracle.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> To add a 13th option,
>>>>>>>>>>>>
>>>>>>>>>>>> How about IdentityStore? That would reflect that we are storing identity
>>>>>>>>>>>> attributes.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I could absolutely see that working as well, sure. In terminology it has
>>>>>>>>>>> some connection with a JSR that was started some time ago, the Java Identity
>>>>>>>>>>> API (JSR 351), and with the term "authenticated identity" (the more formal
>>>>>>>>>>> alternative for "logged-in user").
>>>>>>>>>>>
>>>>>>>>>>> But is Identity Store also a preference you have for the term, or just an
>>>>>>>>>>> alternative idea?
>>>>>>>>>>>
>>>>>>>>>>> Giving the overview again, it would now be:
>>>>>>>>>>>
>>>>>>>>>>> David Blevins: Store
>>>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>>> Alex Kosowski: Authentication Store / Identity Store
>>>>>>>>>>> Rudy De Busscher: Security Provider
>>>>>>>>>>>
>>>>>>>>>>> Kind regards,
>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 3/23/15 5:15 PM, Rudy De Busscher wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> the concept of "the store where users/callers and optionally
>>>>>>>>>>>> the
>>>>>>>>>>>>>
>>>>>>>>>>>>> group/role data resides".
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Since you also have the group/role information, it is not only
>>>>>>>>>>>> Authentication info anymore. So Authentication Store is then
>>>>>>>>>>>> confusing.
>>>>>>>>>>>>
>>>>>>>>>>>> Store is indeed too general, so what about security provider (if I have to
>>>>>>>>>>>> take a term from the list proposed here)?
>>>>>>>>>>>>
>>>>>>>>>>>> regards
>>>>>>>>>>>> Rudy
>>>>>>>>>>>>
>>>>>>>>>>>> On 23 March 2015 at 22:03, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday, March 23, 2015, Alex Kosowski <alex.kosowski_at_oracle.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Arjan,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Does this indicate your preference, or is it just the term Shiro
>>>>>>>>>>>>>> happened to use?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It was just a starting point.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Okay ;)
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> David Blevins: Store
>>>>>>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Authentication Store is fine with me. Store seems a little broad, but
>>>>>>>>>>>>>> less typing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, for me too just store would feel too broad. AuthStore would seem to
>>>>>>>>>>>>> work at first, but I agree with Les who stated in another thread that we
>>>>>>>>>>>>> shouldn't use just "auth" anywhere.
>>>>>>>>>>>>>
>>>>>>>>>>>>> While very common, it unfortunately makes it hard to distinguish between
>>>>>>>>>>>>> authentication and authorization.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So we now have:
>>>>>>>>>>>>>
>>>>>>>>>>>>> David Blevins: Store
>>>>>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>>>>> Alex Kosowski: Authentication Store
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anyone else?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Alex
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 3/20/15 8:56 AM, arjan tijms wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The doc is a great start, thanks Alex :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I noticed that relevant to the issue described in this thread, the
>>>>>>>>>>>>>> document has chosen the term "Realm" for the concept of "the store where
>>>>>>>>>>>>>> users/callers and optionally the group/role data resides".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Does this indicate your preference, or is it just the term Shiro
>>>>>>>>>>>>>> happened to use?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What about a round of voting (non-binding at this stage, just to test
>>>>>>>>>>>>>> the waters)? That way we at least can establish a working term that we can
>>>>>>>>>>>>>> use in the different discussions and issues that have already all started to
>>>>>>>>>>>>>> use different terms.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The list of proposed terms is now the following:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> security provider (WebLogic)
>>>>>>>>>>>>>> realm (Tomcat, Shiro, some hints in Servlet spec)
>>>>>>>>>>>>>> (authentication) repository
>>>>>>>>>>>>>> (authentication) store
>>>>>>>>>>>>>> login module (JAAS)
>>>>>>>>>>>>>> identity manager (Undertow)
>>>>>>>>>>>>>> service provider
>>>>>>>>>>>>>> relying party
>>>>>>>>>>>>>> authenticator (Resin, OmniSecurity, Seam Security)
>>>>>>>>>>>>>> user service (?, used by 375 JSR)
>>>>>>>>>>>>>> authentication provider (Spring Security)
>>>>>>>>>>>>>> identity provider
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'd like to ask everyone on this list to vote for your preferred term.
>>>>>>>>>>>>>> David had already expressed favoring "store" in the JIRA issue, which is
>>>>>>>>>>>>>> together with "repository" also my favorite, although I like to prefix it
>>>>>>>>>>>>>> with "authentication".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So the current outcome is:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> David Blevins: Store
>>>>>>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Mar 19, 2015 at 3:25 AM, Alex Kosowski
>>>>>>>>>>>>>> <alex.kosowski_at_oracle.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I created a draft document for adding/editing EE Security API
>>>>>>>>>>>>>>> Terminology on an on-going basis.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://docs.google.com/document/d/1eaNCUa78Eytt73WYvDHrsS3klTzHL0xD5vswHhT-KVY/edit?usp=sharing
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is a Google doc viewable by the public and editable by those in the
>>>>>>>>>>>>>>> Google Group jsr375-experts_at_googlegroups.com, of which all of you should be
>>>>>>>>>>>>>>> a member.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Alex
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 3/8/15 5:01 PM, arjan tijms wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi there,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> A while ago I created
>>>>>>>>>>>>>>> https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-1, which seeks to
>>>>>>>>>>>>>>> establish clear terminology for two concepts that often come up in
>>>>>>>>>>>>>>> authentication:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1. The (user) interaction method via which credentials are obtained
>>>>>>>>>>>>>>> (FORM, BASIC, etc)
>>>>>>>>>>>>>>> 2. The store where users/callers and optionally the group/role data
>>>>>>>>>>>>>>> resides
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Not only do I see very different terms being used for both of these
>>>>>>>>>>>>>>> concepts which is a problem by itself, but the lack of consistent
>>>>>>>>>>>>>>> terminology makes it unclear what people are really asking at times.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Your thoughts?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>
>>>>
>>>>