Arjan,
Keeping API and implementation in the same codebase is pretty much what
Spring does everywhere ;-)
The EDR pattern of MVC looks like this:
http://mvnrepository.com/artifact/javax.mvc/javax.mvc-api
Similar to the template we got under the "api" space.
Not sure, if you plan to define the new RI repo under a group like
"org.glassfish.soteria" (maybe Alex can advise on that, the package
structure already is that way) but the MVC RI POM looks reasonable:
https://github.com/spericas/ozark/blob/master/pom.xml
Especially the java.net parent POM.
Kind Regards,
Werner
On Tue, Feb 2, 2016 at 12:57 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> Hi Alex,
>
> First of all great to see you back here, it has been a while!
>
> Thanks for the owner role :) I'll leave the other repos as they are, and
> will just create the soteria repo. It's likely easiest to keep the API in
> the same repo for now, and split it later once we figure out how to push to
> Maven central using the correct group and artefact ids.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
>
> On Tue, Feb 2, 2016 at 12:32 AM, Alex Kosowski <alex.kosowski_at_oracle.com>
> wrote:
>
>> Hi Arjan,
>>
>> I added you as "owner" role (i.e. admin) in the organization
>> https://github.com/orgs/javaee-security-spec.
>>
>> Please feel free to add/modify repos as required.
>>
>> I ask that you do not change
>> https://github.com/javaee-security-spec/spec-api, which is a mirror of
>> git://java.net/javaee-security-spec~spec-api. Per Oracle, the "source of
>> truth" of released artifacts need to be in java.net, and the mirror
>> facilitates accessibility within GitHub. Also, please do not change the
>> Bots team. So, once we complete and "release" the EDR, we would need to
>> copy it to java.net.
>>
>> Thanks for your contributions to the JSR!
>>
>> With regards,
>> Alex
>>
>>
>> On 2/1/16, 10:28 AM, Alex Kosowski wrote:
>>
>> Hi,
>>
>> Not a problem. Let me take a look.
>>
>> Regards,
>> Alex
>>
>> On 2/1/16, 6:23 AM, Werner Keil wrote:
>>
>> You'd have to ask David or Alex (depending on who is more responsive
>> right now?;-) but I'd say, at the very least you could/should be an admin
>> if that's used by the organization or otherwise also made co-owner.
>> I have a similar role in JSR 354 (as I helped create it like David did
>> here), so that's not reserved to Spec Leads alone.
>>
>> Werner
>>
>> On Mon, Feb 1, 2016 at 12:19 PM, arjan tijms <arjan.tijms_at_gmail.com>
>> wrote:
>>
>>> Okay, cool, so if either of them could make me an owner too, OR create
>>> that soteria repo, then I can copy the code to there. After the version can
>>> become edr1-alpha1 or something, We can then increase the alphaX versions
>>> until we do the actual EDR submission.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Feb 1, 2016 at 12:11 PM, Werner Keil <werner.keil_at_gmail.com>
>>> wrote:
>>>
>>>> Yes, according to GitHub only Alex and David are owners, so either of
>>>> them could add such repo;-)
>>>>
>>>> Kind Regards,
>>>> Werner
>>>>
>>>> On Mon, Feb 1, 2016 at 12:01 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Mon, Feb 1, 2016 at 11:48 AM, Werner Keil <werner.keil_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> P.s.: IMHO the "edr1" should not be part of the artifactId, it's
>>>>>> clearly a part of the version number.
>>>>>>
>>>>>
>>>>> I guess it is, but shouldn't soteria then not become it's own top
>>>>> level repo? E.g. https://github.com/javaee-security-spec/soteria
>>>>>
>>>>> One of the reasons I went with edr1 in the artifact name for now (I
>>>>> knows it's not ideal and should be changed) is that the version as set in
>>>>> Maven would best be aligned with the git tag, but if you do that know the
>>>>> entire
>>>>> https://github.com/javaee-security-spec/javaee-security-proposals
>>>>> repo would get that tag. The authentication/authorization etc folders are
>>>>> independent of that.
>>>>>
>>>>> Kind regards,
>>>>> Arjan Tijms
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> So maybe we could have 2 Maven modules under "soteria-proposal" or
>>>>>> similar and simply call them "javax.security-api:security-api" (in
>>>>>> the API project the artifactId also contains the "javax" part, not sure, if
>>>>>> other EE JSRs do that also on MavenCentral?) as well as "
>>>>>> net.java.jsr375:soteria" for now.
>>>>>>
>>>>>> Something like "EDR1" "B01" or similar should only be in the version
>>>>>> number.
>>>>>>
>>>>>> Thanks,
>>>>>> Werner
>>>>>>
>>>>>> On Mon, Feb 1, 2016 at 11:38 AM, Werner Keil <werner.keil_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> At least Reza is very eager blogging all the time, maybe he could
>>>>>>> help us with some of the things like updating RI list, etc.?;-)
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Werner
>>>>>>>
>>>>>>> On Mon, Feb 1, 2016 at 11:36 AM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Sounds great, thanks.
>>>>>>>>
>>>>>>>> If anybody has enough rights in JIRA we could schedule these
>>>>>>>> accordingly and define at least "versions" for each of these EDR and other
>>>>>>>> steps.
>>>>>>>>
>>>>>>>> I noticed, the larger Glassfish community has also not been updated
>>>>>>>> for 3 years now (guess Oracle is not so interested in Glassfish now after
>>>>>>>> all? ;-|)
>>>>>>>> https://glassfish.java.net/rel-projects.html
>>>>>>>>
>>>>>>>> MVC and JSR 375 RIs should be listed there and if there is a CI
>>>>>>>> server instance for Glassfish or related projects, we should try to run
>>>>>>>> those on a CI build, too.
>>>>>>>>
>>>>>>>> Known public CI servers like Travis or Circle-CI would also work if
>>>>>>>> we had to do this on our own.
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>> Werner
>>>>>>>>
>>>>>>>> On Mon, Feb 1, 2016 at 12:43 AM, arjan tijms <arjan.tijms_at_gmail.com
>>>>>>>> > wrote:
>>>>>>>>
>>>>>>>>> On Sun, Jan 31, 2016 at 8:28 PM, Werner Keil <
>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Ideally we should keep API/Spec (it's simply Asciidoc like JSR
>>>>>>>>>> 354) and RI separate.
>>>>>>>>>> Snapshot repos are fine, we used JFrog OSS with JSRs 354 or 363
>>>>>>>>>> but Sonatype is just as good (possibly easier to get it to MavenCentral
>>>>>>>>>> then)
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Indeed, we went specifically for that with Sonatype for OmniFaces.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> From a process point we have up to 1 year from the Renewal
>>>>>>>>>> Ballot, but of course it's always better to produce something earlier.
>>>>>>>>>> Could always do EDR2 or more similar to MVC and others.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Yeah, I think it's best we do something like that.
>>>>>>>>>
>>>>>>>>> EDR1 is then roughly;
>>>>>>>>>
>>>>>>>>> * Authentication Mechanism base API
>>>>>>>>> * Several implementations of authentication mechanisms
>>>>>>>>> * Two mechanism interceptors; auto session and remember me
>>>>>>>>> * Identity store base API
>>>>>>>>> * Several implementations of identity stores
>>>>>>>>> * Standard Principal for the caller (used by JSR 375 at least,
>>>>>>>>> standardising this for the entire platform will be bigger task)
>>>>>>>>>
>>>>>>>>> For EDR2 to consider:
>>>>>>>>>
>>>>>>>>> * Multi authentication mechanism proposal from Darran
>>>>>>>>> * Multi identity store proposal from Rudy
>>>>>>>>> * Security context
>>>>>>>>> * Security interceptor proposal from Reza et all
>>>>>>>>>
>>>>>>>>> For EDR3 to consider:
>>>>>>>>> * Mandating containers doing 1:1 role mapping (we can't really
>>>>>>>>> implement this using public APIs, but RI could do it using GlassFish
>>>>>>>>> specific code)
>>>>>>>>> * web.xml integration/alignment
>>>>>>>>>
>>>>>>>>> There's (much) more on the TODO list like events, password
>>>>>>>>> aliasing and more, but the above may be a guideline on how to proceed.
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arjan Tijms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Kind Regards,
>>>>>>>>>> Werner
>>>>>>>>>>
>>>>>>>>>> On Sun, Jan 31, 2016 at 5:47 PM, arjan tijms <
>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Okay, so that remains an open question.
>>>>>>>>>>>
>>>>>>>>>>> Meanwhile I've done a quick snapshot upload here using our
>>>>>>>>>>> omnnifaces groupId:
>>>>>>>>>>> https://oss.sonatype.org/content/repositories/snapshots/org/omnifaces/soteria-edr1/1.0-SNAPSHOT/
>>>>>>>>>>>
>>>>>>>>>>> I made some choices with regard to naming and organisation here.
>>>>>>>>>>>
>>>>>>>>>>> Both API and impl. are in the same Maven module, just as two
>>>>>>>>>>> different packages. MVC has the API as a separate artefact in a separate
>>>>>>>>>>> repo, with the implementation depending on that. JSF however has api and
>>>>>>>>>>> impl as two folders in one larger project. Once the API is a little bit
>>>>>>>>>>> more stable and we can more easily upload both artefacts under their own
>>>>>>>>>>> groupIds, we should do the separation I guess.
>>>>>>>>>>>
>>>>>>>>>>> I also named the artefact "soteria-edr1" for now. It could have
>>>>>>>>>>> been just soteria with "edr1" as the version number. For now I thought it
>>>>>>>>>>> was easier and clearer to have a separate edr1 folder, and then later have
>>>>>>>>>>> an edr2 etc, but we can change this of course. I just had to pick something
>>>>>>>>>>> for now.
>>>>>>>>>>>
>>>>>>>>>>> I'll test a little with the snapshot and can do a Maven central
>>>>>>>>>>> upload using the omnifaces groupId for the short term. This would make it
>>>>>>>>>>> easier for people to at least try out the code in their own test projects.
>>>>>>>>>>>
>>>>>>>>>>> Kind regards,
>>>>>>>>>>> Arjan
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Jan 31, 2016 at 5:17 PM, Werner Keil <
>>>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Not sure, who in the EG can do that, at least someone had to
>>>>>>>>>>>> request upload privileges to MavenCentral for a groupId like
>>>>>>>>>>>> org.glassfish.soteria and of course for javax.security.* too, otherwise it
>>>>>>>>>>>> won't build ;-)
>>>>>>>>>>>>
>>>>>>>>>>>> Werner
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Jan 30, 2016 at 12:49 AM, arjan tijms <
>>>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Jan 29, 2016 at 6:31 PM, Werner Keil <
>>>>>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> So along the lines of MVC it should be
>>>>>>>>>>>>>> package org.glassfish.soteria;
>>>>>>>>>>>>>> then ;-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I just did the initial commit for the work in progress EDR1:
>>>>>>>>>>>>> https://github.com/javaee-security-spec/javaee-security-proposals/commit/e482ba6580072ad82413a80c40e7d3112b83119a
>>>>>>>>>>>>>
>>>>>>>>>>>>> The implementation package is org.glassfish.soteria ;)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please in the proposals repo try to use the license header
>>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>> Looking at e.g. JAX-RS, the header spans across multiple
>>>>>>>>>>>>>> years for some JSRs (probably will be for MVC if they do something again)
>>>>>>>>>>>>>> Copyright (c) 2010-2015 Oracle and/or its affiliates. All
>>>>>>>>>>>>>> rights reserved.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I had already copied the header manually to the API files, but
>>>>>>>>>>>>> I'll try the license plug-in header next.
>>>>>>>>>>>>>
>>>>>>>>>>>>> For promotion it would be cool if we can publish the work in
>>>>>>>>>>>>> progress EDR1 jar to Maven central so people can more easily try it out.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Right now the license plugin as of last year only uses the
>>>>>>>>>>>>>> inception year (from the POM) but "currentYear" is also available. If you
>>>>>>>>>>>>>> want I can run the license reformatting at any time when things are changed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Kind Regards,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Werner
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jan 29, 2016 at 6:18 PM, arjan tijms <
>>>>>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Great :)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll do the package renaming tonight or tomorrow at the
>>>>>>>>>>>>>>> latest and commit the whole to the proposals repo.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jan 29, 2016 at 9:08 AM, Rudy De Busscher <
>>>>>>>>>>>>>>> rdebusscher_at_gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> All,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I created the Twitter account @Soteria_RI to promote the RI
>>>>>>>>>>>>>>>> and evangelise Java EE Security in general.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> best regards
>>>>>>>>>>>>>>>> Rudy
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>