Hello,
My name is Jeff Tancill, I recently posted the general update from Bill Shannon to this list and the thread (https://java.net/projects/javaee-security-spec/lists/jsr375-experts/archive/2016-08/message/23) ended with Arjan expressing his curiosity about what would be in the JSR 375 spec, I would like to start a dialog with you on this and share some of our JavaOne plans. First, a little about me. I am the development manager for Platform Security at Oracle which covers WebLogic & GlassFish Security as well as Oracle Platform Security Services (OPSS). I will not be the new spec lead but have been a subscriber to this list during its entire run and I have been an internal advocate/supporter of JSR 375. Alex Kosowski worked in my group during his tenure as the JSR 375 spec lead.
Enough context setting, what's next?
Oracle is interested in pursuing Java EE 8 and considering features of cloud composed and deployed applications for a future Java EE release. With respect to security, we're considering a two track plan:
1) Finish JSR 375 for Java EE 8, move forward with EDR basically as defined to date by this EG (i.e. standardize terminology, APIs for authentication mechanism, identity store, security context)
2) Work with this EG, and others in the community as appropriate, to define a Cloud/microservices security related JSR for Java EE 9 (i.e. standard way of connecting an application to a key service, encryption service for stored data, secret management, Authorization - OAuth support, registration and discovery of resources to request scopes, Authentication - OpenIDConnect support)
We're interested in your comments on the basic two track approach as well as your thoughts on Cloud and microservices security topics. The plan is to cover this material at JavaOne in CON7978 by Kk Sriramadhesikan on Tuesday September 20th at 5:30-06:30 PM.
Jeff