jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Social Media presence for Soteria

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 1 Feb 2016 00:43:53 +0100

On Sun, Jan 31, 2016 at 8:28 PM, Werner Keil <werner.keil_at_gmail.com> wrote:

> Ideally we should keep API/Spec (it's simply Asciidoc like JSR 354) and RI
> separate.
> Snapshot repos are fine, we used JFrog OSS with JSRs 354 or 363 but
> Sonatype is just as good (possibly easier to get it to MavenCentral then)
>

Indeed, we went specifically for that with Sonatype for OmniFaces.



> From a process point we have up to 1 year from the Renewal Ballot, but of
> course it's always better to produce something earlier. Could always do
> EDR2 or more similar to MVC and others.
>

Yeah, I think it's best we do something like that.

EDR1 is then roughly:

* Authentication Mechanism base API
* Several implementations of authentication mechanisms
* Two mechanism interceptors; auto session and remember me
* Identity store base API
* Several implementations of identity stores
* Standard Principal for the caller (used by JSR 375 at least,
standardising this for the entire platform will be a bigger task)

For EDR2 to consider:

* Multi authentication mechanism proposal from Darran
* Multi identity store proposal from Rudy
* Security context
* Security interceptor proposal from Reza et al.

For EDR3 to consider:

* Mandating containers doing 1:1 role mapping (we can't really implement
this using public APIs, but RI could do it using GlassFish specific code)
* web.xml integration/alignment

There's (much) more on the TODO list like events, password aliasing and
more, but the above may be a guideline on how to proceed.

Kind regards,
Arjan Tijms

>
> Kind Regards,
> Werner
>
> On Sun, Jan 31, 2016 at 5:47 PM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> Okay, so that remains an open question.
>>
>> Meanwhile I've done a quick snapshot upload here using our omnifaces
>> groupId:
>> https://oss.sonatype.org/content/repositories/snapshots/org/omnifaces/soteria-edr1/1.0-SNAPSHOT/
>>
>> I made some choices with regard to naming and organisation here.
>>
>> Both API and impl. are in the same Maven module, just as two different
>> packages. MVC has the API as a separate artefact in a separate repo, with
>> the implementation depending on that. JSF however has api and impl as two
>> folders in one larger project. Once the API is a little bit more stable and
>> we can more easily upload both artefacts under their own groupIds, we
>> should do the separation I guess.
>>
>> I also named the artefact "soteria-edr1" for now. It could have been just
>> soteria with "edr1" as the version number. For now I thought it was easier
>> and clearer to have a separate edr1 folder, and then later have an edr2
>> etc, but we can change this of course. I just had to pick something for now.
>>
>> I'll test a little with the snapshot and can do a Maven central upload
>> using the omnifaces groupId for the short term. This would make it easier
>> for people to at least try out the code in their own test projects.
>>
>> Kind regards,
>> Arjan
>>
>> On Sun, Jan 31, 2016 at 5:17 PM, Werner Keil <werner.keil_at_gmail.com>
>> wrote:
>>
>>> Not sure, who in the EG can do that, at least someone had to request
>>> upload privileges to MavenCentral for a groupId like org.glassfish.soteria
>>> and of course for javax.security.* too, otherwise it won't build ;-)
>>>
>>> Werner
>>>
>>> On Sat, Jan 30, 2016 at 12:49 AM, arjan tijms <arjan.tijms_at_gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Fri, Jan 29, 2016 at 6:31 PM, Werner Keil <werner.keil_at_gmail.com>
>>>> wrote:
>>>>
>>>>> So along the lines of MVC it should be
>>>>> package org.glassfish.soteria;
>>>>> then ;-)
>>>>>
>>>>
>>>> I just did the initial commit for the work in progress EDR1:
>>>> https://github.com/javaee-security-spec/javaee-security-proposals/commit/e482ba6580072ad82413a80c40e7d3112b83119a
>>>>
>>>> The implementation package is org.glassfish.soteria ;)
>>>>
>>>>
>>>>> Please in the proposals repo try to use the license header plugin.
>>>>> Looking at e.g. JAX-RS, the header spans across multiple years for
>>>>> some JSRs (probably will be for MVC if they do something again)
>>>>> Copyright (c) 2010-2015 Oracle and/or its affiliates. All rights
>>>>> reserved.
>>>>>
>>>>
>>>> I had already copied the header manually to the API files, but I'll try
>>>> the license plug-in header next.
>>>>
>>>> For promotion it would be cool if we can publish the work in progress
>>>> EDR1 jar to Maven central so people can more easily try it out.
>>>>
>>>> Kind regards,
>>>> Arjan Tijms
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>> Right now the license plugin as of last year only uses the inception
>>>>> year (from the POM) but "currentYear" is also available. If you want I can
>>>>> run the license reformatting at any time when things are changed.
>>>>>
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>>
>>>>> Werner
>>>>>
>>>>> On Fri, Jan 29, 2016 at 6:18 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Great :)
>>>>>>
>>>>>> I'll do the package renaming tonight or tomorrow at the latest and
>>>>>> commit the whole to the proposals repo.
>>>>>>
>>>>>> Kind regards,
>>>>>> Arjan Tijms
>>>>>>
>>>>>> On Fri, Jan 29, 2016 at 9:08 AM, Rudy De Busscher <
>>>>>> rdebusscher_at_gmail.com> wrote:
>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> I created the Twitter account @Soteria_RI to promote the RI and
>>>>>>> evangelise Java EE Security in general.
>>>>>>>
>>>>>>> best regards
>>>>>>> Rudy
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>