users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Re: Security Let's do something useful

From: Pedro Igor Silva <psilva_at_redhat.com>
Date: Mon, 6 Apr 2015 10:00:28 -0400 (EDT)

----- Original Message -----
> From: "David Blevins" <dblevins_at_tomitribe.com>
> To: jsr375-experts_at_javaee-security-spec.java.net
> Cc: "Jan Beernink" <jan.beernink_at_zeef.com>, "Robert Panzer" <robert.panzer_at_me.com>, "jan westerkamp"
> <jan.westerkamp_at_sensor-aktor.de>
> Sent: Thursday, April 2, 2015 9:51:50 PM
> Subject: [jsr375-experts] Re: [javaee-security-spec users] Re: Security Let's do something useful
>
> On Apr 2, 2015, at 1:54 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> > However, Java EE does not mandate that a role is only allowed to be
> > something like "administrator". At the end of the day, it's just a
> > collection of attributes attached to a user that you test for. The names
> > of those attributes as well as the semantic value your application assigns
> > to them is yours to decide.
>
> I've explained that same concept to numerous people and it seems there's no end
> in sight -- I'll be saying the same thing one-at-a-time to people till death
> it seems :)
>
> As these "just strings" are in the code, treating them in a more fine-grained
> fashion and grouping them externally is the only really usable approach.
>
> I've become disenchanted with "role" and wonder if we wouldn't be better
> served with a name that doesn't require people to be enlightened to think
> "outside" its implied use.

I think I agree with you here. And maybe it is time to consider ABAC, in other words, just handle things like that as regular attributes or claims for a particular identity or subject (pretty much what we have with Subject/Principal?). I think we can learn a lot from other specs such as JWT, where information tied to an identity is just regular claims in a token.

>
> It's easy to see where people get the idea to effectively hard-code groups
> into their code. Here's what wikipedia says in their RBAC page:
>
> - "Role = Job function or title which defines an authority level"
> http://en.wikipedia.org/wiki/Role-based_access_control
>
> For the record I'm also quite sick of explaining away the assumptions people
> inject into "Stateless" EJBs. :) "Actually, they're pooled beans...."
>
>
> -David
>
>
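As an added illustration of the point made in this thread (roles are "just strings" the code tests for, grouping those strings under a coarse name belongs outside the code, and a role can be treated as one attribute among the caller's claims), here is a self-contained Java sketch. It is not code from this list, from JSR 375 or from any Java EE or JWT library; `ClaimsPrincipal`, `PermissionGroups`, `Policy` and the claim names and values are all constructed for the example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;

// Hypothetical caller identity: a java.security.Principal that carries arbitrary
// claims (attributes), the way a JWT payload does. Not a JSR 375 type.
final class ClaimsPrincipal implements Principal {
    private final String name;
    private final Map<String, Object> claims;

    ClaimsPrincipal(String name, Map<String, Object> claims) {
        this.name = name;
        this.claims = Collections.unmodifiableMap(new HashMap<>(claims));
    }

    @Override public String getName() { return name; }

    Optional<Object> claim(String key) { return Optional.ofNullable(claims.get(key)); }

    // A "role" is just one kind of claim: a set of strings under the "roles" key.
    boolean hasRole(String role) {
        Object roles = claims.get("roles");
        return roles instanceof Set && ((Set<?>) roles).contains(role);
    }
}

// Fine-grained permission strings are what the application code tests for.
// Grouping them under a coarse name is configured here, outside that code, so
// the application never hard-codes a group such as "administrator".
final class PermissionGroups {
    private final Map<String, Set<String>> groupToPermissions = new HashMap<>();

    PermissionGroups group(String group, String... permissions) {
        groupToPermissions.put(group, new HashSet<>(Arrays.asList(permissions)));
        return this;
    }

    Set<String> permissionsFor(ClaimsPrincipal caller) {
        Set<String> result = new HashSet<>();
        for (Map.Entry<String, Set<String>> e : groupToPermissions.entrySet()) {
            if (caller.hasRole(e.getKey())) {
                result.addAll(e.getValue());
            }
        }
        return result;
    }
}

// Attribute-based policy: each action is a predicate over the caller's claims,
// so a decision can combine a permission with any other attribute.
final class Policy {
    private final Map<String, Predicate<ClaimsPrincipal>> rules = new HashMap<>();

    Policy rule(String action, Predicate<ClaimsPrincipal> p) {
        rules.put(action, p);
        return this;
    }

    boolean permits(String action, ClaimsPrincipal caller) {
        Predicate<ClaimsPrincipal> deny = c -> false; // unknown actions are denied
        return rules.getOrDefault(action, deny).test(caller);
    }
}

public class ClaimsDemo {
    public static void main(String[] args) {
        // Constructed sample claims for one caller; values are made up.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "alice");
        claims.put("roles", new HashSet<>(Arrays.asList("ledger-reviewer")));
        claims.put("department", "finance");
        claims.put("clearance", 3);
        ClaimsPrincipal alice = new ClaimsPrincipal("alice", claims);

        // External grouping: which fine-grained strings a group name expands to.
        PermissionGroups groups = new PermissionGroups()
            .group("ledger-reviewer", "ledger:read", "ledger:approve")
            .group("administrator", "ledger:read", "ledger:approve", "users:manage");

        // Policies test permission strings plus other claims, never a group name.
        Policy policy = new Policy()
            .rule("ledger:approve", c -> groups.permissionsFor(c).contains("ledger:approve")
                && "finance".equals(c.claim("department").orElse(null))
                && ((Integer) c.claim("clearance").orElse(0)) >= 2)
            .rule("users:manage", c -> groups.permissionsFor(c).contains("users:manage"));

        System.out.println("alice may approve ledger entries: " + policy.permits("ledger:approve", alice));
        System.out.println("alice may manage users: " + policy.permits("users:manage", alice));
    }
}
```

The application code above only ever mentions permission strings such as `ledger:approve`; renaming or re-cutting the groups in `PermissionGroups` changes who gets them without touching the code, and the policy can fold in any other claim (department, clearance) alongside the permission, which is the ABAC direction the reply suggests.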