users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Fwd: Security.mup

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Thu, 19 Mar 2015 15:44:40 +0100

Hi,


> Feel free to comment and change if I made a big mistake or something
> really important is missing.


I do have a few comments and questions indeed ;)

First of all, there is a distinction between a "method" and "auth-method"
in the map. Connected to "method" are all the things that are
"auth-methods" in the Servlet spec. What is the difference here?

Furthermore, connected to "auth-method" are "JASPIC" and "Plugeable". I
don't 100% understand this. JASPIC is not a concrete auth method itself,
but rather a set of rules (an SPI) that standardize how authentication
modules can be plugged into a Servlet container in a portable way. The
Servlet EG is considering standardizing on this pluggable interface for
the implementation of the standard Servlet auth methods (Form, Basic, ...).

So what would a separate "Plugeable" then mean in this context?

There are currently 2 ways to plug authentication modules in a Servlet
container; via a proprietary way (this is different for each Servlet
container) and via JASPIC. Are we going to define a third way and ask the
Servlet container vendors to implement that as well?


As for "remember me", this is certainly worth a separate discussion. I
found that it works rather well as a wrapper for an actual authentication
method. You grouped it with "method", which is good as a concept, but in
practice it is often explicitly called before the other methods.

Remember me is therefore in my opinion a kind of pseudo method. It also
needs its own store, where a token store seems to work best. (I did quite
an amount of thinking about how to implement this in a universal way, and I'm
currently at this experimental implementation:
https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/jaspic/wrappers/RememberMeWrapper.java
)


Finally, I don't see any mention of JACC below the "Authorization" node.

Kind regards,
Arjan Tijms
On Thu, Mar 19, 2015 at 2:52 PM, Alex Kosowski <alex.kosowski_at_oracle.com>
wrote:

> Hi Rudy,
>
> I fixed the permissions, everyone in the group should now be allowed to
> post to the Google Group for sharing docs.
>
> Please let us keep the discussions on
> jsr375-experts_at_javaee-security-spec.java.net.
>
> Thanks Rudy for preparing and sharing the mindMap!
>
> Alex
>
> On 3/19/15 5:47 AM, Rudy De Busscher wrote:
>
> Seems that I can't post to the JSR 375 Google groups ...
>
> ---------- Forwarded message ----------
> From: Rudy De Busscher (via Google Drive) <rdebusscher_at_gmail.com>
> Date: 19 March 2015 at 10:14
> Subject: Security.mup
> To: rdebusscher_at_gmail.com
> Cc: jsr375-experts_at_googlegroups.com
>
>
> Rudy De Busscher <rdebusscher_at_gmail.com> has shared the following file:
> Security.mup
> <https://drive.google.com/file/d/0B4QN2eZt4p5dLWF3Q0l0LTZxWWc/view?usp=sharing_eid>
> Hi all,
>
> I tried to create an overview of all 'things' related to Java EE Security
> and assembled them in a mindMap. Existing concepts and future wishes (and I
> know it is incomplete)
>
> This is to keep a global overview of what belongs where and what it should be
> used for.
>
> Feel free to comment and change if I made a big mistake or something
> really important is missing.
>
> It is created with MindMup (in case you have issues with installing/using
> it, here is a link to an image of the mindMap
> https://drive.google.com/file/d/0B4QN2eZt4p5dYndIT1Z6QkVoZzQ/view?usp=sharing
> )
>
> Regards
> Rudy
>
>
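As an added illustration of the wrapper idea described in the reply above (example code written for this page, not the OmniSecurity RememberMeWrapper linked in the message): a JASPIC ServerAuthModule that consults its own token store before delegating to the wrapped module, issues a token after a successful delegated login, and revokes it on logout. The cookie name, the "rememberme" form parameter, the in-memory token map and the assumption that the container's CallbackHandler adds the caller principal to the client Subject are all assumptions of this example.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical remember-me wrapper: runs before the wrapped module and keeps its own token store.
public class RememberMeSam implements ServerAuthModule {
    static final String COOKIE = "JREMEMBERMEID"; // assumed cookie name
    private final ServerAuthModule delegate;
    private final Map<String, String> tokens = Collections.synchronizedMap(new HashMap<>()); // token -> caller; in-memory, no expiry
    private CallbackHandler handler;
    public RememberMeSam(ServerAuthModule delegate) { this.delegate = delegate; }
    @Override public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h,
            Map options) throws AuthException { handler = h; delegate.initialize(rq, rs, h, options); }
    @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String caller = tokens.get(cookieValue(req));
        if (caller != null) { // 1. valid token: authenticate directly, the wrapped method is skipped
            try { handler.handle(new Callback[] { new CallerPrincipalCallback(client, caller) }); }
            catch (Exception e) { throw (AuthException) new AuthException().initCause(e); }
            return AuthStatus.SUCCESS;
        }
        AuthStatus status = delegate.validateRequest(mi, client, service); // 2. Form, Basic, ...
        if (status == AuthStatus.SUCCESS && "on".equals(req.getParameter("rememberme")) // 3. box ticked
                && !client.getPrincipals().isEmpty()) { // assumes the handler put the caller into the Subject
            String token = UUID.randomUUID().toString(); // random and opaque; carries no user data
            tokens.put(token, client.getPrincipals().iterator().next().getName());
            Cookie c = new Cookie(COOKIE, token);
            c.setHttpOnly(true); c.setSecure(true); c.setMaxAge(14 * 24 * 3600);
            ((HttpServletResponse) mi.getResponseMessage()).addCookie(c);
        }
        return status;
    }
    @Override public void cleanSubject(MessageInfo mi, Subject s) throws AuthException {
        tokens.remove(cookieValue((HttpServletRequest) mi.getRequestMessage())); // logout revokes the token
        delegate.cleanSubject(mi, s);
    }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject s) throws AuthException {
        return delegate.secureResponse(mi, s);
    }
    @Override public Class[] getSupportedMessageTypes() { return delegate.getSupportedMessageTypes(); }
    private static String cookieValue(HttpServletRequest req) {
        return Arrays.stream(Optional.ofNullable(req.getCookies()).orElse(new Cookie[0]))
                .filter(c -> COOKIE.equals(c.getName())).map(Cookie::getValue).findFirst().orElse(null);
    }
}
```

The wrapper is registered with the container in place of the real module, which it receives in its constructor; because the token lookup happens first, a returning browser never reaches the Form or Basic logic.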