P.S.: IMHO the "edr1" should not be part of the artifactId, it's clearly a
part of the version number. So maybe we could have 2 Maven modules under
"soteria-proposal" or similar and simply call them
"javax.security-api:security-api"
(in the API project the artifactId also contains the "javax" part, not
sure, if other EE JSRs do that also on MavenCentral?) as well as
"net.java.jsr375:soteria" for now.
Something like "EDR1" "B01" or similar should only be in the version number.

Thanks,
Werner

On Mon, Feb 1, 2016 at 11:38 AM, Werner Keil <werner.keil_at_gmail.com> wrote:
> At least Reza is very eager blogging all the time, maybe he could help us
> with some of the things like updating RI list, etc.?;-)
>
> Cheers,
>
> Werner
>
> On Mon, Feb 1, 2016 at 11:36 AM, Werner Keil <werner.keil_at_gmail.com>
> wrote:
>
>> Sounds great, thanks.
>>
>> If anybody has enough rights in JIRA we could schedule these accordingly
>> and define at least "versions" for each of these EDR and other steps.
>>
>> I noticed, the larger Glassfish community has also not been updated for 3
>> years now (guess Oracle is not so interested in Glassfish now after all?
>> ;-|)
>> https://glassfish.java.net/rel-projects.html
>>
>> MVC and JSR 375 RIs should be listed there and if there is a CI server
>> instance for Glassfish or related projects, we should try to run those on a
>> CI build, too.
>>
>> Known public CI servers like Travis or Circle-CI would also work if we
>> had to do this on our own.
>>
>> Kind Regards,
>> Werner
>>
>> On Mon, Feb 1, 2016 at 12:43 AM, arjan tijms <arjan.tijms_at_gmail.com>
>> wrote:
>>
>>> On Sun, Jan 31, 2016 at 8:28 PM, Werner Keil <werner.keil_at_gmail.com>
>>> wrote:
>>>
>>>> Ideally we should keep API/Spec (it's simply Asciidoc like JSR 354) and
>>>> RI separate.
>>>> Snapshot repos are fine, we used JFrog OSS with JSRs 354 or 363 but
>>>> Sonatype is just as good (possibly easier to get it to MavenCentral then)
>>>>
>>>
>>> Indeed, we went specifically for that with Sonatype for OmniFaces.
>>>
>>>
>>>
>>>> From a process point we have up to 1 year from the Renewal Ballot, but
>>>> of course it's always better to produce something earlier. Could always do
>>>> EDR2 or more similar to MVC and others.
>>>>
>>>
>>> Yeah, I think it's best we do something like that.
>>>
>>> EDR1 is then roughly;
>>>
>>> * Authentication Mechanism base API
>>> * Several implementations of authentication mechanisms
>>> * Two mechanism interceptors; auto session and remember me
>>> * Identity store base API
>>> * Several implementations of identity stores
>>> * Standard Principal for the caller (used by JSR 375 at least,
>>> standardising this for the entire platform will be bigger task)
>>>
>>> For EDR2 to consider:
>>>
>>> * Multi authentication mechanism proposal from Darran
>>> * Multi identity store proposal from Rudy
>>> * Security context
>>> * Security interceptor proposal from Reza et al.
>>>
>>> For EDR3 to consider:
>>> * Mandating containers doing 1:1 role mapping (we can't really implement
>>> this using public APIs, but RI could do it using GlassFish specific code)
>>> * web.xml integration/alignment
>>>
>>> There's (much) more on the TODO list like events, password aliasing and
>>> more, but the above may be a guideline on how to proceed.
>>>
>>> Kind regards,
>>> Arjan Tijms
>>>
>>>>
>>>> Kind Regards,
>>>> Werner
>>>>
>>>> On Sun, Jan 31, 2016 at 5:47 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Okay, so that remains an open question.
>>>>>
>>>>> Meanwhile I've done a quick snapshot upload here using our omnifaces
>>>>> groupId:
>>>>> https://oss.sonatype.org/content/repositories/snapshots/org/omnifaces/soteria-edr1/1.0-SNAPSHOT/
>>>>>
>>>>> I made some choices with regard to naming and organisation here.
>>>>>
>>>>> Both API and impl. are in the same Maven module, just as two different
>>>>> packages. MVC has the API as a separate artefact in a separate repo, with
>>>>> the implementation depending on that. JSF however has api and impl as two
>>>>> folders in one larger project. Once the API is a little bit more stable and
>>>>> we can more easily upload both artefacts under their own groupIds, we
>>>>> should do the separation I guess.
>>>>>
>>>>> I also named the artefact "soteria-edr1" for now. It could have been
>>>>> just soteria with "edr1" as the version number. For now I thought it was
>>>>> easier and clearer to have a separate edr1 folder, and then later have an
>>>>> edr2 etc, but we can change this of course. I just had to pick something
>>>>> for now.
>>>>>
>>>>> I'll test a little with the snapshot and can do a Maven central upload
>>>>> using the omnifaces groupId for the short term. This would make it easier
>>>>> for people to at least try out the code in their own test projects.
>>>>>
>>>>> Kind regards,
>>>>> Arjan
>>>>>
>>>>> On Sun, Jan 31, 2016 at 5:17 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Not sure, who in the EG can do that, at least someone had to request
>>>>>> upload privileges to MavenCentral for a groupId like org.glassfish.soteria
>>>>>> and of course for javax.security.* too, otherwise it won't build ;-)
>>>>>>
>>>>>> Werner
>>>>>>
>>>>>> On Sat, Jan 30, 2016 at 12:49 AM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Fri, Jan 29, 2016 at 6:31 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> So along the lines of MVC it should be
>>>>>>>> package org.glassfish.soteria;
>>>>>>>> then ;-)
>>>>>>>>
>>>>>>>
>>>>>>> I just did the initial commit for the work in progress EDR1:
>>>>>>> https://github.com/javaee-security-spec/javaee-security-proposals/commit/e482ba6580072ad82413a80c40e7d3112b83119a
>>>>>>>
>>>>>>> The implementation package is org.glassfish.soteria ;)
>>>>>>>
>>>>>>>
>>>>>>>> Please in the proposals repo try to use the license header plugin.
>>>>>>>> Looking at e.g. JAX-RS, the header spans across multiple years for
>>>>>>>> some JSRs (probably will be for MVC if they do something again)
>>>>>>>> Copyright (c) 2010-2015 Oracle and/or its affiliates. All rights
>>>>>>>> reserved.
>>>>>>>>
>>>>>>>
>>>>>>> I had already copied the header manually to the API files, but I'll
>>>>>>> try the license plug-in header next.
>>>>>>>
>>>>>>> For promotion it would be cool if we can publish the work in
>>>>>>> progress EDR1 jar to Maven central so people can more easily try it out.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Arjan Tijms
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Right now the license plugin as of last year only uses the
>>>>>>>> inception year (from the POM) but "currentYear" is also available. If you
>>>>>>>> want I can run the license reformatting at any time when things are changed.
>>>>>>>>
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>>
>>>>>>>>
>>>>>>>> Werner
>>>>>>>>
>>>>>>>> On Fri, Jan 29, 2016 at 6:18 PM, arjan tijms <arjan.tijms_at_gmail.com
>>>>>>>> > wrote:
>>>>>>>>
>>>>>>>>> Great :)
>>>>>>>>>
>>>>>>>>> I'll do the package renaming tonight or tomorrow at the latest and
>>>>>>>>> commit the whole to the proposals repo.
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arjan Tijms
>>>>>>>>>
>>>>>>>>> On Fri, Jan 29, 2016 at 9:08 AM, Rudy De Busscher <
>>>>>>>>> rdebusscher_at_gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> All,
>>>>>>>>>>
>>>>>>>>>> I created the Twitter account @Soteria_RI to promote the RI and
>>>>>>>>>> evangelise Java EE Security in general.
>>>>>>>>>>
>>>>>>>>>> best regards
>>>>>>>>>> Rudy
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>