users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Upcoming Renewal Ballot

From: Werner Keil <werner.keil_at_gmail.com>
Date: Tue, 22 Nov 2016 00:44:11 +0100

Hi,

Thanks for the update. As mentioned there is not that much on
SecurityContext and we seem to be missing some of the initial goals like
user/role mapping compared to the current simple login/isAuthenticated
functionality. Whether or not we might rescope or postpone certain aspects
even into a new JSR (for Java EE 9) or not, is also worth looking into.

While OpenID Connect offers to add some optional metadata, a concept of
roles seems undefined right now, so we may not require it for certain use
cases, but others would certainly benefit from it.
JAX-RS has its own SecurityContext
https://jax-rs-spec.java.net/nonav/2.0/apidocs/javax/ws/rs/core/SecurityContext.html

Looking at Spring Security, the SecurityContext interface there is somewhat
closer to the one in JSR 375 but it also has a getter for an Authentication
object.
In https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-12 this could be
getCallerPrincipal(), getAuthMethod() or similar but they do not currently
exist in SecurityContext.

Kind Regards,
Werner


On Mon, Nov 21, 2016 at 11:07 PM, Will Hopkins <will.hopkins_at_oracle.com>
wrote:

> Experts,
>
> While I've received some input for the spec from Arjan (thanks!), and
> there may be some coming from Werner as well, I haven't been able to put
> the terminology section in place, and the content we have so far is, I
> think, too thin to release as an EDR.
>
> I therefore propose we move forward with the renewal ballot, indicating
> that the EDR is taking shape and expected to be released soon, and that the
> expert group is active and involved in producing the EDR, as well as the
> API and an associated RI. It's my understanding that there is unlikely to
> be a problem getting the renewal ballot approved.
>
> What say you all?
>
> Will
>
> --
> Will Hopkins | Platform Security Architect | +1.781.442.0310
> Oracle Cloud Application Foundation
> 35 Network Drive, Burlington, MA 01803
>
>