jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Devoxx BE feedback

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Tue, 24 Nov 2015 14:34:48 +0100

Hi,

On Tue, Nov 24, 2015 at 2:14 PM, Werner Keil <werner.keil_at_gmail.com> wrote:

> Still might have to look at the DevoXX video, but just a quick question,
> which of the demos from https://github.com/javaee-samples/javaee7-samples/
> <https://github.com/javaee-samples/javaee7-samples/blob/master/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java#L58> or
> elsewhere are good to show something live, too?
>

This is an actual working application that incorporated the latest API and
what was discussed most recently:
https://github.com/arjantijms/mechanism-to-store

It works directly on GlassFish 4.1.1 and Payara 4.1.1.153+

It works on WildFly 9/10 as well, after JASPIC is "activated" there (still
a big drawback for demo purposes, but Darran promised to do something
here, so let's hope that works out soon).

It does not work on WebLogic 12.2.1 for the moment. WebLogic contains a
severe bug that makes JASPIC largely unusable.

It doesn't work on Liberty 8.5.5.6/9-beta either, since CDI doesn't work
there in an auth module. On Liberty too, JASPIC needs a kind of activation
that's very unfortunate for demo purposes. Hopefully we can work
with Ajay and/or the IBM Liberty team to lift these constraints (already
contacted them).

> I booked my flight for codemotion Tel Aviv and organizers also confirmed
> accommodation, so as long as no great Middle-Eastern War breaks out in the
> region, I'm good to go.
> I was also smart to neither book cheaper indirect alternate flights via
> Turkey, Russia or the Ukraine;-) Going non-stop with El Al seems safest
> under the current circumstances.
>

Stay safe, that's the most important thing!

Kind regards,
Arjan Tijms


>
> Thanks and Regards,
> Werner
>
> On Mon, Nov 16, 2015 at 10:54 PM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> Hi,
>>
>> On Mon, Nov 16, 2015 at 7:51 PM, Rudy De Busscher <rdebusscher_at_gmail.com>
>> wrote:
>>
>>> @All,
>>>
>>> Just want to add one additional thing.
>>>
>>> There was a question about adding 'metadata' of the logged in user (like
>>> department, affiliate, ...) so that it can be used to determine if the
>>> user/caller is allowed to execute the specified action.
>>>
>>
>> That's a bit in the domain of JSR 351, isn't it?
>>
>> The default way of sorts to do this now I think is by using a custom
>> principal that has properties for this metadata. JASPIC already supports
>> setting a custom principal. See
>> https://github.com/javaee-samples/javaee7-samples/blob/master/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java#L58
>>
>> A custom principal would play well with EL, as the exact type doesn't
>> have to be known there.
>>
>> E.g.
>>
>> @EvaluateSecured("callerPrincipal.department == 'finance'")
>>
>> We do have to discuss I believe how to support a custom principal with
>> the identity store interface. Perhaps an extra property on the return value
>> of the validate() method that takes precedence if not null?
>>
>> Kind regards,
>> Arjan Tijms
>>
>>>
>>> Hope to meet some more experts another time. :)
>>>
>>> Best regards
>>> Rudy
>>>
>>>
>>> On 16 November 2015 at 15:53, Jean-Louis Monteiro <
>>> jlmonteiro_at_tomitribe.com> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> Was last week at Devoxx BE. Got to meet Rudy from the expert group
>>>> which is nice.
>>>> The talk itself went great. Did reuse some of the materials already
>>>> done previously.
>>>>
>>>> Good participation during regular polls when I was talking.
>>>> Surprisingly no questions during the Q/R which made me feel bad.
>>>>
>>>> But right after the applause, about 10 people jumped on stage to
>>>> discuss and congratulate me which made me feel a bit better.
>>>> Wasn't my best talk at all, but looks like at least some people found
>>>> it interesting.
>>>>
>>>> Some feedback
>>>>
>>>> - rather use user than caller for the consistency question
>>>>
>>>> - CDI must be in the landscape - @Transactional used as a comparison of
>>>> the thing to do. Antoine also opened the doors to collaborate.
>>>>
>>>> - Events - people overall really liked the event approach to either
>>>> collect information about the authN/authZ process, or also to authenticate
>>>> as we proposed in the playground.
>>>>
>>>> - Websocket - please do not forget it. What about HTTP/2 also.
>>>>
>>>> - Multi-tenancy - targeting the cloud is a great decision but
>>>> multi-tenancy must be addressed.
>>>>
>>>> Hope this helps our discussions.
>>>>
>>>> --
>>>> Jean-Louis Monteiro
>>>> http://twitter.com/jlouismonteiro
>>>> http://www.tomitribe.com
>>>>
>>>
>>>
>>
>
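As an added example (not code from this thread or from the linked javaee7-samples project), here is a JASPIC ServerAuthModule that establishes the kind of custom principal Arjan describes above: a Principal carrying a department property, passed as an object to CallerPrincipalCallback so that a later check such as `callerPrincipal.department == 'finance'` has something to read. The class names DepartmentSam and DepartmentPrincipal, the bearer-token lookup, the "employee" group and the in-memory identity store are all constructed assumptions for illustration.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DepartmentSam implements ServerAuthModule {
  /** Hypothetical custom principal: carries caller metadata beyond the bare name. */
  public static class DepartmentPrincipal implements Principal {
    private final String name, department;
    public DepartmentPrincipal(String name, String department) { this.name = name; this.department = department; }
    @Override public String getName() { return name; }
    public String getDepartment() { return department; } // readable from EL as callerPrincipal.department
  }
  // Constructed sample identity store (token -> principal); a real one would be a database or LDAP.
  private static final Map<String, DepartmentPrincipal> STORE = Map.of(
      "token-alice", new DepartmentPrincipal("alice", "finance"),
      "token-bob", new DepartmentPrincipal("bob", "sales"));
  private CallbackHandler handler;
  @Override public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler handler, Map options) { this.handler = handler; }
  @Override public AuthStatus validateRequest(MessageInfo mi, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpServletRequest request = (HttpServletRequest) mi.getRequestMessage();
    String auth = request.getHeader("Authorization");
    DepartmentPrincipal caller = auth != null && auth.startsWith("Bearer ") ? STORE.get(auth.substring(7)) : null;
    if (caller == null) { // missing or unknown credential: reject explicitly, never fall through as anonymous
      ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      return AuthStatus.SEND_FAILURE;
    }
    try {
      // Handing the container a Principal object (rather than only a name) makes it expose this
      // exact instance as the caller principal, so the department travels with the request.
      handler.handle(new Callback[] {
          new CallerPrincipalCallback(clientSubject, caller),
          new GroupPrincipalCallback(clientSubject, new String[] { "employee" }) });
    } catch (Exception e) { throw (AuthException) new AuthException().initCause(e); }
    return AuthStatus.SUCCESS;
  }
  @Override public AuthStatus secureResponse(MessageInfo mi, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
  @Override public void cleanSubject(MessageInfo mi, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
  @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
}
```

Once registered with the container, `request.getUserPrincipal()` returns the DepartmentPrincipal instance, which is what an EL-based authorization check would inspect for the department value.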