users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: JSR 351 Identity API Status?

From: Pedro Igor Silva <psilva_at_redhat.com>
Date: Fri, 10 Apr 2015 14:15:07 -0400 (EDT)

I took a look at JSR-351 draft and I noticed that there is no reference to an Identity Store API, as we are considering it in this spec.

However, if I understood it correctly, JSR-351 gives a different look on how we represent identities, with more focus on attributes and how you store and use them to actually represent identities. You see a lot of references about an Attribute Service though, which seems to be a core concept on that spec.

I really like the attribute-oriented design of that spec. I think it is pretty related to what I said in a different thread about ABAC and how an attribute-based approach can help to provide a more flexible authentication and authorization model. Within an identity, everything can be represented as an attribute or claim, even roles, groups or whatever you want.

IMO, an Identity Store interface where you have methods to CRUD identities (e.g. user) is not enough. Attributes alone can be used in different use cases such as those described by that spec. And also when dealing with identity federation use cases.

Any thoughts?

----- Original Message -----
From: "Alex Kosowski" <alex.kosowski_at_oracle.com>
To: "Ron Monzillo" <ron.monzillo_at_oracle.com>
Cc: jsr375-experts_at_javaee-security-spec.java.net, "PRATEEK MISHRA" <PRATEEK.MISHRA_at_oracle.com>
Sent: Friday, April 10, 2015 2:03:36 PM
Subject: [jsr375-experts] Re: JSR 351 Identity API Status?

Thanks for your response, Ron!

At present, EE 8 is scheduled for completion Q3 2016.

The JSR 375 EG had mentioned that there was some overlap between JSR 375
and JSR 351 wrt Identity Store API. My original intent was that JSR 375
would provide an app dev friendly simplified view of an Identity Store,
with the option to access the full JSR 351 API, if that backed the
simplified view. What is "simplified" is up for discussion.

It will, of course, be difficult to depend on JSR 351, if it is not
available ;)

At the very least, I do not think we want to specify anything that
conflicts with JSR 351.

Although the JSR 351 API is quite comprehensive, I wonder if a
"non-security expert" application developer coming from Apache Shiro or
Spring Security, would understand it. I wonder if there is some
opportunity for JSR 375 to simplify JSR 351.

Since JSR 351 would not be available by EE 8, I wonder if we should try
a more direct approach and define Identity Store access backed by
commonly used persistence mechanisms like file, DB, and LDAP.

Regards,
Alex

On 4/10/15 5:14 PM, Ron Monzillo wrote:
> On 4/9/15 7:37 PM, Alex Kosowski wrote:
>> Hi Prateek and Ron,
>>
>> Do you suspect JSR 351 will be completed in the EE 8 timeframe?
>>
>> Thanks,
>> Alex
> Hi Alex,
>
> I don't think I can commit to JSR 351 being completed in time for EE 8.
>
> I have committed to produce a revision to the early draft. The revision will
> focus on filling in the security aspects of the api, simplifying attribute
> repository configuration/registration, and on simplifying repository
> development and integration by allowing for repositories that implement a
> subset of the specified query and update capabilities.
>
> BTW, what is the EE8 timeframe?
>
> Ron