users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Welcome to the JSR 375 EE Security API Expert Group!

From: Alex Kosowski <alex.kosowski_at_oracle.com>
Date: Fri, 20 Mar 2015 13:26:46 -0400

Hi Darran,

Welcome!

We are in the brainstorming stage of the JSR.

  * The mailing list has had some interesting discussions
  * Our JIRA: https://java.net/jira/browse/JAVAEE_SECURITY_SPEC
  * Our playground GitHub:
    https://github.com/javaee-security-spec/javaee-security-proposals
  * Our shared Google Group folder:
    https://drive.google.com/drive/#folders/0B6fBL__7IToLaXRyRnUzTXJPeEk
  * Our JCP page: https://jcp.org/en/jsr/detail?id=375
  * Our project page: https://java.net/projects/javaee-security-spec

Please let us know if you are having trouble accessing anything. The EG
should have edit rights to all these resources.

Thanks,
Alex


On 3/20/15 1:07 PM, Darran Lofthouse wrote:
> Hello all,
>
> Apologies for the delay replying, had some time off work and been
> extremely busy since returning.
>
> My name is Darran Lofthouse, I am a software engineer at Red Hat. I
> first started using JBoss back in the J2EE 1.3 days as a developer
> deploying applications to JBoss, I subsequently joined JBoss before
> the Red Hat acquisition and spent 5 years in the support team
> providing 3rd line support to various JBoss AS and EAP releases.
> About 4 years ago I transitioned over to the engineering team
> developing the JBoss AS7 application server and subsequently WildFly.
>
> Currently I am the lead engineer for the WildFly Elytron project which
> is a project currently working to update and unify the security
> solution in-place across the application server - hence my interest in
> this group.
>
> Within WildFly we have a strong preference towards using stronger
> authentication mechanisms for client / server interaction whether that
> be over HTTP or our own native protocols, this throws up a whole host
> of issues which we are working through in the Elytron project, some of
> the more notable ones include identity switching and identity
> propagation so hopefully we have a lot to offer here.
>
> I look forward to working with you all.
>
> Regards,
> Darran Lofthouse.
>
> On 05/03/15 04:26, Alex Kosowski wrote:
>> Hi Experts,
>>
>> Welcome to the EE Security API (JSR 375) expert group!
>>
>> Thanks again for offering to participate. The expert group includes
>> experts from seven companies and includes individuals. The current
>> members are:
>>
>> Adam Bien
>> David Blevins (Tomitribe)
>> Rudy De Busscher
>> Ivar Grimstad
>> Les Hazlewood (Stormpath, Inc.)
>> Will Hopkins (Oracle)
>> Werner Keil
>> Matt Konda (Jemurai)
>> Darran Lofthouse (RedHat)
>> Jean-Louis Monteiro (Tomitribe)
>> Pedro Igor Silva (RedHat)
>> Arjan Tijms (ZEEF)
>> [pending participant from IBM]
>>
>> I am Alex, the spec lead from Oracle.
>>
>> The current members of the expert group and their contact information
>> are listed on the expert group home page at jcp.org,
>> "https://jcp.org/en/eg/view?id=375". We still have one pending
>> participant from IBM, and I expect they will monitor the user's mailing
>> list while the JCP processes the nomination.
>>
>> I expect most discussions will be ongoing using this Expert Group
>> mailing list, and (automatically) CCed to the user's mailing list. If
>> practical, I would also like to have occasional Web Conferences. I will
>> have an introductory web conference soon. Timezone wise, we are
>> currently spread from California to Western Europe, so perhaps meeting
>> at Noon (12 PM) US Eastern Standard Time may be a good compromise.
>>
>> We will generally decide on issues by consensus of the Expert Group.
>> However, should polling be needed, each JCP member will get one vote. So
>> JCP members on the Expert Group with multiple representatives would
>> still only get one vote.
>>
>> =====
>>
>> Okay, now that we got that admin stuff out of the way...
>>
>> The Java EE Security API needs a lot of work from an application
>> developer's perspective. JSR 375 is proposing to improve EE security API
>> portability and simplicity, and to modernize it.
>>
>> Here are some proposed improvements to consider...
>>
>> Portability:
>> - User Management
>> - Password Aliasing
>> - Role Mapping
>>
>> Simplicity:
>> - Add conveniences to simplify authentication, e.g. JASPIC
>>
>> Modernization:
>> - Authentication CDI Events
>> - Authorization CDI Events
>> - Authorization CDI Interceptors
>> - EL Authorization Rules
>>
>>
>> The original proposal is available here:
>> "https://jcp.org/en/jsr/detail?id=375#orig".
>>
>>
>> I would like to start our discussions with: standardizing an API for
>> User Management. This would allow an application to
>> add/update/remove/query users in a repository within the scope of an
>> application. Since the focus here is simplicity, let's consider an API
>> similar to PicketLink or Shiro. However, something like JSR 351 Java
>> Identity API may be too complex for the typical application developer.
>> What do you think? Let's discuss!
>>
>> =====
>>
>> Finally, so that I know that the expert group mailing list on java.net
>> is working correctly, would you please reply to the mailing list?
>> Briefly introduce yourself to the group and let us know in which
>> particular areas of this JSR you yourself are most interested in
>> contributing.
>>
>> I am looking forward to working with all of you!
>>
>> Thanks,
>> Alex
>>
>