users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Moving the security JSR(s) forward

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Fri, 16 Sep 2016 11:21:34 +0200

Hi Jeff.

Nice to see your mail, I somehow overlooked this last week so apologies for
the late reply.

The two-track approach looks very good. The current work done in JSR 375,
specifically the authentication mechanism and the identity store, should be
a really good foundation for OAuth and OpenID Connect in particular.

As you probably know, JSR 375 is itself based on the existing work done in
Java EE for Servlet, JASPIC and JACC, which saved us from having to
re-invent the wheel and let us leverage what has already been done there.

Although it's not a blocker for JSR 375, it would be good if some
clarifications were added, specifically to JASPIC, in an MR. JSR 375 makes a
few assumptions that are quite obvious (such as that an authentication
session remembers both the principal name and the groups of a caller), but
that aren't as clearly spelled out in the JASPIC spec as they could be.

About the cloud topic, the existing JSR 375 text doesn't mention it much,
but most of the work that we've done (at least from my personal point of
view) has really been for cloud. I recognise that on-premise is still
important as well, so I think whatever we do should not exclude that, but
cloud-friendly (where users and services register themselves instead of
expecting an admin-prepared application server) has been the major focus
all along.

Although not in the main repo yet, EG member Rudy has provided a POC of JWT
support for JSR 375. See https://github.com/rdebusscher/soteria-jwt

There's also an OAuth POC available from myself here:
https://github.com/omnifaces/soteria-google-oauth-client

Kind regards,
Arjan Tijms
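As an added illustration of the mechanism/identity-store split discussed in this thread (this is not code from the mail, from Soteria, or from either POC linked above), the following is a bearer-token HttpAuthenticationMechanism in the shape JSR 375 ended up with in Java EE 8. It assumes the final package and type names of the Java EE 8 Security API (javax.security.enterprise.*), which the 2016 draft may have spelled differently; the shared HMAC secret is a hypothetical constant standing in for whatever key service a deployment would use; and the JWT is verified with only the JDK's Mac/Base64 and the JSON-P API so that no extra library is needed. @AutoApplySession is what makes the container remember the caller name and groups established here for the rest of the session, which is exactly the behaviour the mail says JSR 375 assumes of the JASPIC layer underneath.

```java
package example.security; // hypothetical package name

import static java.nio.charset.StandardCharsets.UTF_8;

import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AutoApplySession;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Validates "Authorization: Bearer <HS256 JWT>" and hands the caller name plus
 * groups to the container. @AutoApplySession makes the container remember
 * that principal/groups pair for the rest of the HTTP session.
 */
@AutoApplySession
@ApplicationScoped
public class BearerJwtAuthenticationMechanism implements HttpAuthenticationMechanism {

    // Hypothetical shared secret; a real deployment would fetch it from a key service.
    private static final byte[] SECRET = "change-me-32-bytes-minimum-secret!".getBytes(UTF_8);
    private static final Base64.Decoder B64URL = Base64.getUrlDecoder();

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) {

        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No token: challenge protected resources, let public ones through unauthenticated.
            return context.isProtected() ? context.responseUnauthorized() : context.doNothing();
        }

        JsonObject claims = verifyHs256(header.substring("Bearer ".length()));
        if (claims == null) {
            return context.responseUnauthorized();
        }
        try {
            // Reject expired tokens and tokens without a subject; "exp" is in seconds since epoch.
            if (!claims.containsKey("sub") || !claims.containsKey("exp")
                    || claims.getJsonNumber("exp").longValue() <= System.currentTimeMillis() / 1000) {
                return context.responseUnauthorized();
            }
            Set<String> groups = new HashSet<>();
            if (claims.containsKey("groups")) {
                for (JsonString g : claims.getJsonArray("groups").getValuesAs(JsonString.class)) {
                    groups.add(g.getString());
                }
            }
            // The container now knows caller + groups; JSR 375 exposes them through SecurityContext.
            return context.notifyContainerAboutLogin(claims.getString("sub"), groups);
        } catch (ClassCastException badClaimType) {
            return context.responseUnauthorized(); // e.g. "exp" or "groups" of the wrong JSON type
        }
    }

    /** Returns the claim set of a correctly signed HS256 token, or null for anything else. */
    static JsonObject verifyHs256(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return null;
        }
        try {
            JsonObject jose = Json.createReader(
                    new StringReader(new String(B64URL.decode(parts[0]), UTF_8))).readObject();
            // Pin the algorithm: never let the token's "alg" pick the verifier ("none", RS/HS confusion).
            if (!"HS256".equals(jose.getString("alg", ""))) {
                return null;
            }
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(UTF_8));
            // Constant-time comparison so signature checking does not leak timing.
            if (!MessageDigest.isEqual(expected, B64URL.decode(parts[2]))) {
                return null;
            }
            return Json.createReader(
                    new StringReader(new String(B64URL.decode(parts[1]), UTF_8))).readObject();
        } catch (RuntimeException | GeneralSecurityException e) {
            return null; // bad base64, bad JSON, or a Mac problem: treat as unauthenticated
        }
    }
}
```

The design point is the one the mail makes: the mechanism only has to turn an incoming credential into a caller name and a set of groups; remembering those across requests, and making them available to authorization (JACC) and to the application, is the container's job, so the same mechanism shape carries over to an OAuth or OpenID Connect flow where the token comes back from an external provider instead of a shared-secret issuer.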

On Sat, Sep 10, 2016 at 12:15 AM, Jeff Tancill <jeff.tancill_at_oracle.com>
wrote:

> Hello,
>
> My name is Jeff Tancill. I recently posted the general update from Bill
> Shannon to this list, and the thread
> <https://java.net/projects/javaee-security-spec/lists/jsr375-experts/archive/2016-08/message/23>
> ended with Arjan expressing his curiosity about what would be in the JSR
> 375 spec. I would like to start a dialog with you on this and share some of
> our JavaOne plans. First, a little about me. I am the development
> manager for Platform Security at Oracle, which covers WebLogic & GlassFish
> Security as well as Oracle Platform Security Services (OPSS). I will not
> be the new spec lead but have been a subscriber to this list during its
> entire run, and I have been an internal advocate/supporter of JSR 375. Alex
> Kosowski worked in my group during his tenure as the JSR 375 spec lead.
>
> Enough context setting; what's next?
>
> Oracle is interested in pursuing Java EE 8 and considering features of
> cloud-composed and -deployed applications for a future Java EE release.
> With respect to security, we're considering a two-track plan:
>
> 1) Finish JSR 375 for Java EE 8, moving forward with the EDR basically as
> defined to date by this EG (i.e. standardize terminology, APIs for
> authentication mechanism, identity store, security context)
>
> 2) Work with this EG, and others in the community as appropriate, to
> define a Cloud/microservices security related JSR for Java EE 9 (i.e. a
> standard way of connecting an application to a key service, an encryption
> service for stored data, secret management, Authorization - OAuth support,
> registration and discovery of resources to request scopes, Authentication -
> OpenID Connect support)
>
> We're interested in your comments on the basic two-track approach as well
> as your thoughts on Cloud and microservices security topics. The plan is
> to cover this material at JavaOne in CON7978 by Kk Sriramadhesikan on
> Tuesday September 20th at 5:30-06:30 PM.
>
> Jeff