users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Social Media presence for Soteria

From: Alex Kosowski <alex.kosowski_at_oracle.com>
Date: Mon, 01 Feb 2016 10:28:25 -0500

Hi,

Not a problem. Let me take a look.

Regards,
Alex

On 2/1/16, 6:23 AM, Werner Keil wrote:
> You'd have to ask David or Alex (depending on who is more responsive
> right now?;-) but I'd say, at the very least you could/should be an
> admin if that's used by the organization or otherwise also made co-owner.
> I have a similar role in JSR 354 (as I helped create it like David did
> here), so that's not reserved to Spec Leads alone.
>
> Werner
>
>
> On Mon, Feb 1, 2016 at 12:19 PM, arjan tijms <arjan.tijms_at_gmail.com
> <mailto:arjan.tijms_at_gmail.com>> wrote:
>
> Okay, cool, so if either of them could make me an owner too, OR
> create that soteria repo, then I can copy the code to there. After
> that the version can become edr1-alpha1 or something. We can then
> increase the alphaX versions until we do the actual EDR submission.
>
>
>
>
>
>
> On Mon, Feb 1, 2016 at 12:11 PM, Werner Keil
> <werner.keil_at_gmail.com <mailto:werner.keil_at_gmail.com>> wrote:
>
> Yes, according to GitHub only Alex and David are owners, so
> either of them could add such repo;-)
>
> Kind Regards,
> Werner
>
> On Mon, Feb 1, 2016 at 12:01 PM, arjan tijms
> <arjan.tijms_at_gmail.com <mailto:arjan.tijms_at_gmail.com>> wrote:
>
> Hi,
>
> On Mon, Feb 1, 2016 at 11:48 AM, Werner Keil
> <werner.keil_at_gmail.com <mailto:werner.keil_at_gmail.com>> wrote:
>
> P.s.: IMHO the "edr1" should not be part of the
> artifactId, it's clearly a part of the version number.
>
>
> I guess it is, but shouldn't soteria then not become its
> own top level repo? E.g.
> https://github.com/javaee-security-spec/soteria
>
> One of the reasons I went with edr1 in the artifact name
> for now (I know it's not ideal and should be changed) is
> that the version as set in Maven would best be aligned
> with the git tag, but if you do that now the entire
> https://github.com/javaee-security-spec/javaee-security-proposals
> repo would get that tag. The authentication/authorization
> etc folders are independent of that.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
>
> So maybe we could have 2 Maven modules under
> "soteria-proposal" or similar and simply call them
> "javax.security-api:security-api" (in the API project
> the artifactId also contains the "javax" part, not
> sure, if other EE JSRs do that also on MavenCentral?)
> as well as "net.java.jsr375:soteria" for now.
>
> Something like "EDR1" "B01" or similar should only be
> in the version number.
>
> Thanks,
> Werner
>
> On Mon, Feb 1, 2016 at 11:38 AM, Werner Keil
> <werner.keil_at_gmail.com <mailto:werner.keil_at_gmail.com>>
> wrote:
>
> At least Reza is very eager blogging all the time,
> maybe he could help us with some of the things
> like updating RI list, etc.?;-)
>
> Cheers,
>
> Werner
>
>
> On Mon, Feb 1, 2016 at 11:36 AM, Werner Keil
> <werner.keil_at_gmail.com
> <mailto:werner.keil_at_gmail.com>> wrote:
>
> Sounds great, thanks.
>
> If anybody has enough rights in JIRA we could
> schedule these accordingly and define at least
> "versions" for each of these EDR and other steps.
>
> I noticed, the larger Glassfish community has
> also not been updated for 3 years now (guess
> Oracle is not so interested in Glassfish now
> after all? ;-|)
> https://glassfish.java.net/rel-projects.html
>
> MVC and JSR 375 RIs should be listed there and
> if there is a CI server instance for Glassfish
> or related projects, we should try to run
> those on a CI build, too.
>
> Known public CI servers like Travis or
> Circle-CI would also work if we had to do this
> on our own.
>
> Kind Regards,
> Werner
>
> On Mon, Feb 1, 2016 at 12:43 AM, arjan tijms
> <arjan.tijms_at_gmail.com
> <mailto:arjan.tijms_at_gmail.com>> wrote:
>
> On Sun, Jan 31, 2016 at 8:28 PM, Werner
> Keil <werner.keil_at_gmail.com
> <mailto:werner.keil_at_gmail.com>> wrote:
>
> Ideally we should keep API/Spec (it's
> simply Asciidoc like JSR 354) and RI
> separate.
> Snapshot repos are fine, we used JFrog
> OSS with JSRs 354 or 363 but Sonatype
> is just as good (possibly easier to
> get it to MavenCentral then)
>
>
> Indeed, we went specifically for that with
> Sonatype for OmniFaces.
>
> From a process point we have up to 1
> year from the Renewal Ballot, but of
> course it's always better to produce
> something earlier. Could always do
> EDR2 or more similar to MVC and others.
>
>
> Yeah, I think it's best we do something
> like that.
>
> EDR1 is then roughly;
>
> * Authentication Mechanism base API
> * Several implementations of
> authentication mechanisms
> * Two mechanism interceptors; auto session
> and remember me
> * Identity store base API
> * Several implementations of identity stores
> * Standard Principal for the caller (used
> by JSR 375 at least, standardising this
> for the entire platform will be bigger task)
>
> For EDR2 to consider:
>
> * Multi authentication mechanism proposal
> from Darran
> * Multi identity store proposal from Rudy
> * Security context
> * Security interceptor proposal from Reza
> et al.
>
> For EDR3 to consider:
> * Mandating containers doing 1:1 role
> mapping (we can't really implement this
> using public APIs, but RI could do it
> using GlassFish specific code)
> * web.xml integration/alignment
>
> There's (much) more on the TODO list like
> events, password aliasing and more, but
> the above may be a guideline on how to
> proceed.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
>
> Kind Regards,
> Werner
>
> On Sun, Jan 31, 2016 at 5:47 PM, arjan
> tijms <arjan.tijms_at_gmail.com
> <mailto:arjan.tijms_at_gmail.com>> wrote:
>
> Okay, so that remains an open
> question.
>
> Meanwhile I've done a quick
> snapshot upload here using our
> omnifaces groupId:
> https://oss.sonatype.org/content/repositories/snapshots/org/omnifaces/soteria-edr1/1.0-SNAPSHOT/
>
> I made some choices with regard to
> naming and organisation here.
>
> Both API and impl. are in the same
> Maven module, just as two
> different packages. MVC has the
> API as a separate artefact in a
> separate repo, with the
> implementation depending on that.
> JSF however has api and impl as
> two folders in one larger project.
> Once the API is a little bit more
> stable and we can more easily
> upload both artefacts under their
> own groupIds, we should do the
> separation I guess.
>
> I also named the artefact
> "soteria-edr1" for now. It could
> have been just soteria with "edr1"
> as the version number. For now I
> thought it was easier and clearer
> to have a separate edr1 folder,
> and then later have an edr2 etc,
> but we can change this of course.
> I just had to pick something for now.
>
> I'll test a little with the
> snapshot and can do a Maven
> central upload using the omnifaces
> groupId for the short term. This
> would make it easier for people to
> at least try out the code in their
> own test projects.
>
> Kind regards,
> Arjan
>
> On Sun, Jan 31, 2016 at 5:17 PM,
> Werner Keil <werner.keil_at_gmail.com
> <mailto:werner.keil_at_gmail.com>> wrote:
>
> Not sure, who in the EG can do
> that, at least someone had to
> request upload privileges to
> MavenCentral for a groupId
> like org.glassfish.soteria and
> of course for javax.security.*
> too, otherwise it won't build ;-)
>
> Werner
>
>
> On Sat, Jan 30, 2016 at 12:49
> AM, arjan tijms
> <arjan.tijms_at_gmail.com
> <mailto:arjan.tijms_at_gmail.com>> wrote:
>
> Hi,
>
> On Fri, Jan 29, 2016 at
> 6:31 PM, Werner Keil
> <werner.keil_at_gmail.com
> <mailto:werner.keil_at_gmail.com>>
> wrote:
>
> So along the lines of
> MVC it should be
> package org.glassfish.soteria;
> then ;-)
>
>
> I just did the initial
> commit for the work in
> progress EDR1:
> https://github.com/javaee-security-spec/javaee-security-proposals/commit/e482ba6580072ad82413a80c40e7d3112b83119a
>
> The implementation package
> is org.glassfish.soteria ;)
>
> Please in the
> proposals repo try to
> use the license header
> plugin.
> Looking at e.g.
> JAX-RS, the header
> spans across multiple
> years for some JSRs
> (probably will be for
> MVC if they do
> something again)
> Copyright (c)
> 2010-2015 Oracle
> and/or its affiliates.
> All rights reserved.
>
>
> I had already copied the
> header manually to the API
> files, but I'll try the
> license plug-in header next.
>
> For promotion it would be
> cool if we can publish the
> work in progress EDR1 jar
> to Maven central so people
> can more easily try it out.
>
> Kind regards,
> Arjan Tijms
>
>
>
> Right now the license
> plugin as of last year
> only uses the
> inception year (from
> the POM) but
> "currentYear" is also
> available. If you want
> I can run the license
> reformatting at any
> time when things are
> changed.
>
>
> Kind Regards,
>
>
> Werner
>
>
> On Fri, Jan 29, 2016
> at 6:18 PM, arjan
> tijms
> <arjan.tijms_at_gmail.com
> <mailto:arjan.tijms_at_gmail.com>>
> wrote:
>
> Great :)
>
> I'll do the
> package renaming
> tonight or
> tomorrow at the
> latest and commit
> the whole to the
> proposals repo.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
>
> On Fri, Jan 29,
> 2016 at 9:08 AM,
> Rudy De Busscher
> <rdebusscher_at_gmail.com
> <mailto:rdebusscher_at_gmail.com>>
> wrote:
>
> All,
>
> I created the
> Twitter
> account
> @Soteria_RI to
> promote the RI
> and
> evangelise Java EE
> Security in
> general.
>
> best regards
> Rudy
>