users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: 1-TerminologyAuthInteractionVsStore ACTION: cast vote

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Fri, 10 Apr 2015 00:22:10 +0200

On Fri, Apr 10, 2015 at 12:11 AM, Alex Kosowski
<alex.kosowski_at_oracle.com> wrote:
> I change my vote to just "Identity Store"

Okay, so then we have:

David Blevins: Store
Arjan Tijms: Authentication Store
Alex Kosowski: Identity Store
Rudy De Busscher: Security Provider
Darran Lofthouse: Realm / Identity Store
Werner Keil: Authentication Store / Identity Store
Ajay Reddy: Identity Store / User Repository / Realm
Pedro Igor: Identity Store


Organized per term:

Identity Store - 5
Authentication Store - 2
Realm - 2
Store - 1
Security Provider - 1
User Repository - 1

Kind regards,
Arjan Tijms



>
>
> On 4/9/15 5:56 PM, Pedro Igor Silva wrote:
>>
>> In PicketLink, IdentityStore is mainly related on how you manage
>> identities and relationships. Identities would be users, roles, groups,
>> applications, etc. And relationships would be grants(rbac), group
>> membership(gbac) and so forth. It is basically a CRUD interface, base for
>> all others specific stores we have.
>>
>> Regarding authentication, there is also a specific store for credentials,
>> the CredentialStore. There is a reference to it in the scope document as
>> follows:
>>
>> "4.3.c Credentials also in Identity Store? Perhap separate secured store?"
>>
>> These two stores are involved during the authentication process. Where you
>> need to load an account (eg.: user) and authenticate based on a specific
>> credential type (password, totp, X.509, token, etc).
>>
>> PermissionStore, on the other hand, is specific for permissions and is not
>> related at all with authentication. Like you said, is related with acl
>> authorization.
>>
>> I would say that in this case makes more sense Identity Store. Specially
>> if you consider what Darran said about the potential to be widely referenced
>> after authentication.
>>
>> One of the reasons for different and specific stores is that you may mix
>> different repositories (Eg.: LDAP and JPA), where each one can be used to
>> store only a specific type of information. For instance, use LDAP for users
>> and credentials, but JPA for more fine grained authorization with
>> permissions/acl. And also because each repository has its limitations. For
>> instance, It is really hard to support ACL or even custom attributes in
>> LDAP.
>>
>> Regards.
>> Pedro Igor
>>
>> ----- Original Message -----
>> From: "Werner Keil"<werner.keil_at_gmail.com>
>> To: jsr375-experts_at_javaee-security-spec.java.net
>> Sent: Thursday, April 9, 2015 12:18:32 PM
>> Subject: [jsr375-experts] Re: 1-TerminologyAuthInteractionVsStore ACTION:
>> cast vote
>>
>> Actually "IdentityStore" is also used in different PicketLink modules.
>> So it uses "PermissionStore" in the context of "Authorization"/ACL and
>> "IdentityStore" on the Authentication side.
>> If we purely deal with Authentication, either "IdentityStore" or
>> "AuthenticationStore" sound best.
>> Otherwise I'd say "PermissionStore" (or "SecurityStore" to have another
>> prefix to the simple "Store") sound more versatile.
>>
>> Werner
>>
>> On Thu, Apr 9, 2015 at 5:08 PM, Werner Keil<werner.keil_at_gmail.com> wrote:
>>
>>> PicketLink calls it PermissionStore. I could think of variations
>>> including
>>> SecurityStore (just Store seems a bit too wide)
>>> but PermissionStore sounds fine to me.
>>>
>>> Regards,
>>> Werner
>>>
>>> On Thu, Apr 9, 2015 at 4:32 PM, Darran Lofthouse<
>>> darran.lofthouse_at_redhat.com> wrote:
>>>
>>>> Looks like I replied but did not vote ;-)
>>>>
>>>> My vote would be Realm or Identity Store.
>>>>
>>>> Whilst I agree it's first use will be authentication I think it has the
>>>> potential to be widely referenced after authentication.
>>>>
>>>> Regards,
>>>> Darran Lofthouse.
>>>>
>>>>
>>>>
>>>> On 09/04/15 15:24, arjan tijms wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We now have 4 votes:
>>>>>
>>>>> David Blevins: Store
>>>>> Arjan Tijms: Authentication Store
>>>>> Alex Kosowski: Authentication Store / Identity Store
>>>>> Rudy De Busscher: Security Provider
>>>>>
>>>>> No other people have voted yet, although there have been some
>>>>> additional comments.
>>>>>
>>>>> Based on this, shall we establish "authentication store" as the
>>>>> working term? Just so we all know what we're talking about. The final
>>>>> term can be something else still.
>>>>>
>>>>> Kind regards,
>>>>> Arjan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Mar 23, 2015 at 11:13 PM, arjan tijms<arjan.tijms_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Mon, Mar 23, 2015 at 10:32 PM, Alex Kosowski<
>>>>>> alex.kosowski_at_oracle.com>
>>>>>> wrote:
>>>>>>
>>>>>>> To add a 13th option,
>>>>>>>
>>>>>>> How about IdentityStore? That would reflect that we are storing
>>>>>>> identity
>>>>>>> attributes.
>>>>>>>
>>>>>>
>>>>>> I could absolutely see that working as well, sure. In terminology it
>>>>>> has
>>>>>> some connection with a JSR that was started some time ago, the Java
>>>>>> Identity
>>>>>> API (JSR 351), and with the term "authenticated identity" (the more
>>>>>> formal
>>>>>> alternative for "logged-in user").
>>>>>>
>>>>>> But is Identity Store also a preference you have for the term, or just
>>>>>> an
>>>>>> alternative idea?
>>>>>>
>>>>>> Giving the overview again, it would now be:
>>>>>>
>>>>>> David Blevins: Store
>>>>>> Arjan Tijms: Authentication Store
>>>>>> Alex Kosowski: Authentication Store / Identity Store
>>>>>> Rudy De Busscher: Security Provider
>>>>>>
>>>>>> Kind regards,
>>>>>> Arjan Tijms
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On 3/23/15 5:15 PM, Rudy De Busscher wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> the concept of "the store where users/callers and optionally the
>>>>>>>>
>>>>>>>> group/role data resides".
>>>>>>>>
>>>>>>>
>>>>>>> Since you also have the group/role information, it is not only
>>>>>>> Authentication info anymore. So Authentication Store is then
>>>>>>> confusing.
>>>>>>>
>>>>>>> Store is indeed too general, so what about security provider (if I
>>>>>>> have to
>>>>>>> take a term from the list proposed here)?
>>>>>>>
>>>>>>> regards
>>>>>>> Rudy
>>>>>>>
>>>>>>> On 23 March 2015 at 22:03, arjan tijms<arjan.tijms_at_gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On Monday, March 23, 2015, Alex Kosowski<alex.kosowski_at_oracle.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Arjan,
>>>>>>>>>
>>>>>>>>> Does this indicates your preference, or is it just the term Shiro
>>>>>>>>> happened to use?
>>>>>>>>>
>>>>>>>>> It was just a starting point.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Okay ;)
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> David Blevins: Store
>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>
>>>>>>>>> Authentication Store is fine with me. Store seems a little broad,
>>>>>>>>> but
>>>>>>>>> less typing.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Yes, for me too just store would feel too broad. AuthStore would
>>>>>>>> seem
>>>>>>>> to
>>>>>>>> work at first, but I agree with Les who stated in another thread
>>>>>>>> that
>>>>>>>> we
>>>>>>>> shouldn't use just "auth" anywhere.
>>>>>>>>
>>>>>>>> While very common, it unfortunately makes it hard to distinguish
>>>>>>>> between
>>>>>>>> authentication and authorization.
>>>>>>>>
>>>>>>>> So we now have;
>>>>>>>>
>>>>>>>> David Blevins: Store
>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>> Alex Kosowski; Authentication Store
>>>>>>>>
>>>>>>>> Anyone else?
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Arjan Tijms
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>> On 3/20/15 8:56 AM, arjan tijms wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> The doc is a great start, thanks Alex :)
>>>>>>>>>
>>>>>>>>> I noticed that relevant to the issue described in this thread, the
>>>>>>>>> document has chosen the term "Realm" for the concept of "the store
>>>>>>>>> where
>>>>>>>>> users/callers and optionally the group/role data resides".
>>>>>>>>>
>>>>>>>>> Does this indicates your preference, or is it just the term Shiro
>>>>>>>>> happened to use?
>>>>>>>>>
>>>>>>>>> What about a round of voting (non-binding at this stage, just to
>>>>>>>>> test
>>>>>>>>> the waters)? That way we at least can establish a working term that
>>>>>>>>> we can
>>>>>>>>> use in the different discussions and issues that have already all
>>>>>>>>> started to
>>>>>>>>> use different terms.
>>>>>>>>>
>>>>>>>>> The list of proposed terms is now the following:
>>>>>>>>>
>>>>>>>>> security provider (WebLogic)
>>>>>>>>> realm (Tomcat, Shiro, some hints in Servlet spec)
>>>>>>>>> (authentication) repository
>>>>>>>>> (authentication) store
>>>>>>>>> login module (JAAS)
>>>>>>>>> identity manager (Undertow)
>>>>>>>>> service provider
>>>>>>>>> relying party
>>>>>>>>> authenticator (Resin, OmniSecurity, Seam Security)
>>>>>>>>> user service (?, used by 375 JSR)
>>>>>>>>> authentication provider (Spring Security)
>>>>>>>>> identity provider
>>>>>>>>>
>>>>>>>>> I'd like to ask everyone on this list to vote for your preferred
>>>>>>>>> term.
>>>>>>>>> David had already expressed favoring "store" in the JIRA issue,
>>>>>>>>> which is
>>>>>>>>> together with "repository" also my favorite, although I like to
>>>>>>>>> prefix it
>>>>>>>>> with "authentication".
>>>>>>>>>
>>>>>>>>> So the current outcome is:
>>>>>>>>>
>>>>>>>>> David Blevins: Store
>>>>>>>>> Arjan Tijms: Authentication Store
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arjan Tijms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Mar 19, 2015 at 3:25 AM, Alex Kosowski
>>>>>>>>> <alex.kosowski_at_oracle.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I created a draft document for adding/editing EE Security API
>>>>>>>>>> Terminology on an on-going basis.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://docs.google.com/document/d/1eaNCUa78Eytt73WYvDHrsS3klTzHL
>>>>>>>>>> 0xD5vswHhT-KVY/edit?usp=sharing
>>>>>>>>>>
>>>>>>>>>> This a Google doc viewable by the public and editable by those in
>>>>>>>>>> the
>>>>>>>>>> Google Group jsr375-experts_at_googlegroups.com, of which all of you
>>>>>>>>>> should be
>>>>>>>>>> a member.
>>>>>>>>>>
>>>>>>>>>> Alex
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 3/8/15 5:01 PM, arjan tijms wrote:
>>>>>>>>>>
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> A while ago I created
>>>>>>>>>> https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-1, which seeks
>>>>>>>>>> to
>>>>>>>>>> establish clear terminology for two concepts that often come up in
>>>>>>>>>> authentication:
>>>>>>>>>>
>>>>>>>>>> 1. The (user) interaction method via which credentials are
>>>>>>>>>> obtained
>>>>>>>>>> (FORM, BASIC, etc)
>>>>>>>>>> 2. The store where users/callers and optionally the
>>>>>>>>>> group/role
>>>>>>>>>> data
>>>>>>>>>> resides
>>>>>>>>>>
>>>>>>>>>> Not only do I see very different terms being used for both of
>>>>>>>>>> these
>>>>>>>>>> concepts which is a problem by itself, but the lack of consistent
>>>>>>>>>> terminology makes it unclear what people are really asking at
>>>>>>>>>> times.
>>>>>>>>>>
>>>>>>>>>> Your thoughts?
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Arjan Tijms
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>