Hi,
On Tue, Feb 2, 2016 at 9:45 AM, Werner Keil <werner.keil_at_gmail.com> wrote:
> Keeping API and implementation in the same codebase is pretty much what
> Spring does everywhere ;-)
>
It's also what JSF does :P See
https://github.com/javaserverfaces/mojarra
But... the Mojarra project and frankly JSF itself has many issues in the
API/impl department, so I wouldn't want to take that as an example.
So what about
https://github.com/javaee-security-spec/soteria
https://github.com/javaee-security-spec/api
?
It's perhaps slightly confusing having a /api while there's also /spec-api
An alternative:
https://github.com/javaee-security-spec/soteria
https://github.com/javaee-security-spec/api-upstream
So then /api-upstream is where the real development takes places. At
important milestones (edr1, edr2, final, etc) this can be synched to
java.net where it would represent the truth. And then java.net synched back
to /spec-api to have a mirror of the truth.
Would that work for everyone?
In Mojarra we also have a 3 step setup, but slightly different:
Real development (for me) takes place in my "feature branch repo":
https://github.com/arjantijms/mojarra
This gets synched to java.net for the truth:
https://java.net/projects/mojarra/sources/git/show
Which gets synched back to Github since that's what everyone uses:
https://github.com/javaserverfaces/mojarra
Kind regards,
Arjan Tijms
> The EDR pattern of MVC looks like this:
> http://mvnrepository.com/artifact/javax.mvc/javax.mvc-api
> Similar to the template we got under the "api" space.
>
> Not sure, if you plan to define the new RI repo under a group like
> "org.glassfish.soteria" (maybe Alex can advise on that, the package
> structure already is that way) but the MVC RI POM looks reasonable:
> https://github.com/spericas/ozark/blob/master/pom.xml
> Especially the java.net parent POM.
>
> Kind Regards,
> Werner
>
> On Tue, Feb 2, 2016 at 12:57 AM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> Hi Alex,
>>
>> First of all great to see you back here, it has been a while!
>>
>> Thanks for the owner role :) I'll leave the other repos as they are, and
>> will just create the soteria repo. It's likely easiest to keep the API in
>> the same repo for now, and split it later once we figure out how to push to
>> Maven central using the correct group and artefact ids.
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>>
>>
>> On Tue, Feb 2, 2016 at 12:32 AM, Alex Kosowski <alex.kosowski_at_oracle.com>
>> wrote:
>>
>>> Hi Arjan,
>>>
>>> I added you as "owner" role (i.e. admin) in the organization
>>> https://github.com/orgs/javaee-security-spec.
>>>
>>> Please feel free to add/modify repos as required.
>>>
>>> I ask that you do not change
>>> https://github.com/javaee-security-spec/spec-api, which is a mirror of
>>> git://java.net/javaee-security-spec~spec-api. Per Oracle, the "source
>>> of truth" of released artifacts need to be in java.net, and the mirror
>>> facilitates accessibility within GitHub. Also, please do not change the
>>> Bots team. So, once we complete and "release" the EDR, we would need to
>>> copy it to java.net.
>>>
>>> Thanks for your contributions to the JSR!
>>>
>>> With regards,
>>> Alex
>>>
>>>
>>> On 2/1/16, 10:28 AM, Alex Kosowski wrote:
>>>
>>> Hi,
>>>
>>> Not a problem. Let me take a look.
>>>
>>> Regards,
>>> Alex
>>>
>>> On 2/1/16, 6:23 AM, Werner Keil wrote:
>>>
>>> You'd have to ask David or Alex (depending on who is more responsive
>>> right now?;-) but I'd say, at the very least you could/should be an admin
>>> if that's used by the organization or otherwise also made co-owner.
>>> I have a similar role in JSR 354 (as I helped create it like David did
>>> here), so that's not reserved to Spec Leads alone.
>>>
>>> Werner
>>>
>>> On Mon, Feb 1, 2016 at 12:19 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>> wrote:
>>>
>>>> Okay, cool, so if either of them could make me an owner too, OR create
>>>> that soteria repo, then I can copy the code to there. After the version can
>>>> become edr1-alpha1 or something, We can then increase the alphaX versions
>>>> until we do the actual EDR submission.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Feb 1, 2016 at 12:11 PM, Werner Keil <werner.keil_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Yes, according to GitHub only Alex and David are owners, so either of
>>>>> them could add such repo;-)
>>>>>
>>>>> Kind Regards,
>>>>> Werner
>>>>>
>>>>> On Mon, Feb 1, 2016 at 12:01 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Mon, Feb 1, 2016 at 11:48 AM, Werner Keil <werner.keil_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> P.s.: IMHO the "edr1" should not be part of the artifactId, it's
>>>>>>> clearly a part of the version number.
>>>>>>>
>>>>>>
>>>>>> I guess it is, but shouldn't soteria then not become it's own top
>>>>>> level repo? E.g. https://github.com/javaee-security-spec/soteria
>>>>>>
>>>>>> One of the reasons I went with edr1 in the artifact name for now (I
>>>>>> knows it's not ideal and should be changed) is that the version as set in
>>>>>> Maven would best be aligned with the git tag, but if you do that know the
>>>>>> entire
>>>>>> https://github.com/javaee-security-spec/javaee-security-proposals
>>>>>> repo would get that tag. The authentication/authorization etc folders are
>>>>>> independent of that.
>>>>>>
>>>>>> Kind regards,
>>>>>> Arjan Tijms
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> So maybe we could have 2 Maven modules under "soteria-proposal" or
>>>>>>> similar and simply call them "javax.security-api:security-api" (in
>>>>>>> the API project the artifactId also contains the "javax" part, not sure, if
>>>>>>> other EE JSRs do that also on MavenCentral?) as well as "
>>>>>>> net.java.jsr375:soteria" for now.
>>>>>>>
>>>>>>> Something like "EDR1" "B01" or similar should only be in the version
>>>>>>> number.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Werner
>>>>>>>
>>>>>>> On Mon, Feb 1, 2016 at 11:38 AM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> At least Reza is very eager blogging all the time, maybe he could
>>>>>>>> help us with some of the things like updating RI list, etc.?;-)
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Werner
>>>>>>>>
>>>>>>>> On Mon, Feb 1, 2016 at 11:36 AM, Werner Keil <werner.keil_at_gmail.com
>>>>>>>> > wrote:
>>>>>>>>
>>>>>>>>> Sounds great, thanks.
>>>>>>>>>
>>>>>>>>> If anybody has enough rights in JIRA we could schedule these
>>>>>>>>> accordingly and define at least "versions" for each of these EDR and other
>>>>>>>>> steps.
>>>>>>>>>
>>>>>>>>> I noticed, the larger Glassfish community has also not been
>>>>>>>>> updated for 3 years now (guess Oracle is not so interested in Glassfish now
>>>>>>>>> after all? ;-|)
>>>>>>>>> https://glassfish.java.net/rel-projects.html
>>>>>>>>>
>>>>>>>>> MVC and JSR 375 RIs should be listed there and if there is a CI
>>>>>>>>> server instance for Glassfish or related projects, we should try to run
>>>>>>>>> those on a CI build, too.
>>>>>>>>>
>>>>>>>>> Known public CI servers like Travis or Circle-CI would also work
>>>>>>>>> if we had to do this on our own.
>>>>>>>>>
>>>>>>>>> Kind Regards,
>>>>>>>>> Werner
>>>>>>>>>
>>>>>>>>> On Mon, Feb 1, 2016 at 12:43 AM, arjan tijms <
>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Sun, Jan 31, 2016 at 8:28 PM, Werner Keil <
>>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Ideally we should keep API/Spec (it's simply Asciidoc like JSR
>>>>>>>>>>> 354) and RI separate.
>>>>>>>>>>> Snapshot repos are fine, we used JFrog OSS with JSRs 354 or 363
>>>>>>>>>>> but Sonatype is just as good (possibly easier to get it to MavenCentral
>>>>>>>>>>> then)
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Indeed, we went specifically for that with Sonatype for OmniFaces.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> From a process point we have up to 1 year from the Renewal
>>>>>>>>>>> Ballot, but of course it's always better to produce something earlier.
>>>>>>>>>>> Could always do EDR2 or more similar to MVC and others.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Yeah, I think it's best we do something like that.
>>>>>>>>>>
>>>>>>>>>> EDR1 is then roughly;
>>>>>>>>>>
>>>>>>>>>> * Authentication Mechanism base API
>>>>>>>>>> * Several implementations of authentication mechanisms
>>>>>>>>>> * Two mechanism interceptors; auto session and remember me
>>>>>>>>>> * Identity store base API
>>>>>>>>>> * Several implementations of identity stores
>>>>>>>>>> * Standard Principal for the caller (used by JSR 375 at least,
>>>>>>>>>> standardising this for the entire platform will be bigger task)
>>>>>>>>>>
>>>>>>>>>> For EDR2 to consider:
>>>>>>>>>>
>>>>>>>>>> * Multi authentication mechanism proposal from Darran
>>>>>>>>>> * Multi identity store proposal from Rudy
>>>>>>>>>> * Security context
>>>>>>>>>> * Security interceptor proposal from Reza et all
>>>>>>>>>>
>>>>>>>>>> For EDR3 to consider:
>>>>>>>>>> * Mandating containers doing 1:1 role mapping (we can't really
>>>>>>>>>> implement this using public APIs, but RI could do it using GlassFish
>>>>>>>>>> specific code)
>>>>>>>>>> * web.xml integration/alignment
>>>>>>>>>>
>>>>>>>>>> There's (much) more on the TODO list like events, password
>>>>>>>>>> aliasing and more, but the above may be a guideline on how to proceed.
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Arjan Tijms
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Kind Regards,
>>>>>>>>>>> Werner
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Jan 31, 2016 at 5:47 PM, arjan tijms <
>>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Okay, so that remains an open question.
>>>>>>>>>>>>
>>>>>>>>>>>> Meanwhile I've done a quick snapshot upload here using our
>>>>>>>>>>>> omnnifaces groupId:
>>>>>>>>>>>> https://oss.sonatype.org/content/repositories/snapshots/org/omnifaces/soteria-edr1/1.0-SNAPSHOT/
>>>>>>>>>>>>
>>>>>>>>>>>> I made some choices with regard to naming and organisation
>>>>>>>>>>>> here.
>>>>>>>>>>>>
>>>>>>>>>>>> Both API and impl. are in the same Maven module, just as two
>>>>>>>>>>>> different packages. MVC has the API as a separate artefact in a separate
>>>>>>>>>>>> repo, with the implementation depending on that. JSF however has api and
>>>>>>>>>>>> impl as two folders in one larger project. Once the API is a little bit
>>>>>>>>>>>> more stable and we can more easily upload both artefacts under their own
>>>>>>>>>>>> groupIds, we should do the separation I guess.
>>>>>>>>>>>>
>>>>>>>>>>>> I also named the artefact "soteria-edr1" for now. It could have
>>>>>>>>>>>> been just soteria with "edr1" as the version number. For now I thought it
>>>>>>>>>>>> was easier and clearer to have a separate edr1 folder, and then later have
>>>>>>>>>>>> an edr2 etc, but we can change this of course. I just had to pick something
>>>>>>>>>>>> for now.
>>>>>>>>>>>>
>>>>>>>>>>>> I'll test a little with the snapshot and can do a Maven central
>>>>>>>>>>>> upload using the omnifaces groupId for the short term. This would make it
>>>>>>>>>>>> easier for people to at least try out the code in their own test projects.
>>>>>>>>>>>>
>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>> Arjan
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Jan 31, 2016 at 5:17 PM, Werner Keil <
>>>>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Not sure, who in the EG can do that, at least someone had to
>>>>>>>>>>>>> request upload privileges to MavenCentral for a groupId like
>>>>>>>>>>>>> org.glassfish.soteria and of course for javax.security.* too, otherwise it
>>>>>>>>>>>>> won't build ;-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Werner
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sat, Jan 30, 2016 at 12:49 AM, arjan tijms <
>>>>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jan 29, 2016 at 6:31 PM, Werner Keil <
>>>>>>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So along the lines of MVC it should be
>>>>>>>>>>>>>>> package org.glassfish.soteria;
>>>>>>>>>>>>>>> then ;-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I just did the initial commit for the work in progress EDR1:
>>>>>>>>>>>>>> https://github.com/javaee-security-spec/javaee-security-proposals/commit/e482ba6580072ad82413a80c40e7d3112b83119a
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The implementation package is org.glassfish.soteria ;)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please in the proposals repo try to use the license header
>>>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>>> Looking at e.g. JAX-RS, the header spans across multiple
>>>>>>>>>>>>>>> years for some JSRs (probably will be for MVC if they do something again)
>>>>>>>>>>>>>>> Copyright (c) 2010-2015 Oracle and/or its affiliates. All
>>>>>>>>>>>>>>> rights reserved.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I had already copied the header manually to the API files,
>>>>>>>>>>>>>> but I'll try the license plug-in header next.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For promotion it would be cool if we can publish the work in
>>>>>>>>>>>>>> progress EDR1 jar to Maven central so people can more easily try it out.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Right now the license plugin as of last year only uses the
>>>>>>>>>>>>>>> inception year (from the POM) but "currentYear" is also available. If you
>>>>>>>>>>>>>>> want I can run the license reformatting at any time when things are changed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Kind Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Werner
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jan 29, 2016 at 6:18 PM, arjan tijms <
>>>>>>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Great :)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'll do the package renaming tonight or tomorrow at the
>>>>>>>>>>>>>>>> latest and commit the whole to the proposals repo.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Kind regards,
>>>>>>>>>>>>>>>> Arjan Tijms
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Jan 29, 2016 at 9:08 AM, Rudy De Busscher <
>>>>>>>>>>>>>>>> rdebusscher_at_gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> All,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I created the Twitter account @Soteria_RI to promote the
>>>>>>>>>>>>>>>>> RI and evangelise Java EE Security in general.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> best regards
>>>>>>>>>>>>>>>>> Rudy
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>