users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Agenda for EG Meeting, 2017/04/07

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Sat, 8 Apr 2017 18:28:55 +0200

Hi,

There's (for now anyway) no direct compile time connection to any JACC type
in the API, so the only dependency is at the spec level.

Simply said, it should behave as JACC specified it, but it does not
actually have to be JACC. The Servlet spec does something similar and
clearly Tomcat (currently) does not implement JACC.

As a side note, I noticed there's quite an amount of "fear" (for lack of
a better term) around JACC, but I think that's largely unjustified. JACC
among others very clearly specifies the resource patterns used by Servlet.

Kind regards,
Arjan

On Saturday, April 8, 2017, Werner Keil <werner.keil_at_gmail.com> wrote:

> IC, so it's https://docs.oracle.com/javaee/7/api/javax/security/jacc/WebResourcePermission.html
> The question for a general API element like SecurityContext is, will this
> always be specific and limited to JACC only?
> The parent class http://docs.oracle.com/javase/7/docs/api/java/security/Permission.html
> has various other known children like SocketPermission, etc.
>
> Do we know only WebResourcePermission applies to SecurityContext?
>
> Kind Regards,
> Werner
>
>
> On Sat, Apr 8, 2017 at 1:59 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
>> Hi,
>>
>> On Sat, Apr 8, 2017 at 1:44 PM, Werner Keil <werner.keil_at_gmail.com> wrote:
>>
>>> IMO I am not sure, if the word "Web" is necessary or adds value, given
>>> Mobile, Embedded, etc. may have different types of resources than
>>> traditional "websites" or pages.
>>>
>>
>> The term "Web" is there since it hinges on the underlying
>> "WebResourcePermission". So this method asks for exactly the access that
>> you can ask for using such WebResourcePermission. WebResourcePermission has
>> a well defined meaning of what resources it points to, hence the term "Web"
>> in the method ;)
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>>>
>>> Kind Regards,
>>>
>>>
>>> Werner
>>>
>>>
>>> On Sat, Apr 8, 2017 at 10:39 AM, Rudy De Busscher <rdebusscher_at_gmail.com> wrote:
>>>
>>>> Hi Arjan,
>>>>
>>>> The meeting was ended shortly after your connection broke up.
>>>>
>>>> The question was to use also CredentialValidationResult with this
>>>> method of IdentityStore
>>>>
>>>> *List<String> getGroupsByCallerPrincipal(CallerPrincipal callerPrincipal)*
>>>>
>>>> In order to add additional information to it so that the IdentityStore
>>>> has more information about the Caller which was authenticated so that it
>>>> can retrieve the groups of the *correct person*
>>>>
>>>> best regards
>>>>
>>>> Rudy
>>>>
>>>>
>>>>
>>>>
>>>> On 7 April 2017 at 22:29, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I just lost the connection totally too, but probably because it was
>>>>> automatically ended by the time limit set.
>>>>>
>>>>> Oh well, good things were discussed. Perhaps we should have had those
>>>>> meetings on a regular basis some time ago, but what's done is done.
>>>>>
>>>>> Last point of discussion was the CredentialValidationResult that
>>>>> should be passed around, but actually this already is. Or maybe I
>>>>> understood the question not correctly.
>>>>>
>>>>> But if you look at the handler, then the main loop is this:
>>>>>
>>>>> CredentialValidationResult validationResult = null;
>>>>>
>>>>> // Check stores to authenticate until one succeeds.
>>>>> for (IdentityStore authenticationIdentityStore : authenticationIdentityStores) {
>>>>>     validationResult = authenticationIdentityStore.validate(credential);
>>>>>     if (validationResult.getStatus() == VALID) {
>>>>>         break;
>>>>>     }
>>>>> }
>>>>>
>>>>>
>>>>> This makes its decision based on CredentialValidationResult above
>>>>> anything else. But again, maybe I understood incorrectly.
>>>>>
>>>>> Kind regards,
>>>>> Arjan Tijms
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Apr 7, 2017 at 10:05 PM, Werner Keil <werner.keil_at_gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Looks like I totally lost the connection, Wifi keeps breaking down. I
>>>>>> might try again, otherwise hope next week it will be more stable... So far
>>>>>> it was OK here.
>>>>>>
>>>>>> Werner
>>>>>>
>>>>>> On Fri, Apr 7, 2017 at 8:21 PM, Werner Keil <werner.keil_at_gmail.com> wrote:
>>>>>>
>>>>>>> Hi Sorry to be late, where is the Zoom URL?
>>>>>>>
>>>>>>> Werner Keil | JCP Executive Committee Member, JSR 363 Maintenance
>>>>>>> Lead | Eclipse UOMo Lead, Babel Language Champion | Apache Committer
>>>>>>>
>>>>>>> Twitter @wernerkeil | @UnitAPI | @JSR354 | @AgoravaProj | @TamayaConf
>>>>>>> | @OpenDDR | #EclipseUOMo
>>>>>>> Skype werner.keil <http://gplus.to/wernerkeil>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Apr 7, 2017 at 7:40 PM, Will Hopkins <will.hopkins_at_oracle.com> wrote:
>>>>>>>
>>>>>>>> Agenda:
>>>>>>>>
>>>>>>>> -- JavaOne talks (Werner):
>>>>>>>> -- I think this is a good idea. Willing to present myself, or
>>>>>>>> with others from the EG. Having a single session makes sense to me, don't
>>>>>>>> know what sort would be best -- maybe BOF? Not sure whether Oracle has a
>>>>>>>> separate internal CFP with different deadlines, looking into it now.
>>>>>>>>
>>>>>>>> -- Glassfish security guide (Werner):
>>>>>>>> -- I believe the Oracle doc team will update this with relevant
>>>>>>>> information.
>>>>>>>>
>>>>>>>> -- Build issues (Arjan):
>>>>>>>> -- pushing out the api artefact to bintray
>>>>>>>> -- pushing milestones (also) to maven central
>>>>>>>> -- testing the builds
>>>>>>>>
>>>>>>>> -- Spec/API issues (Arjan):
>>>>>>>> -- checking the source (specifically api) adjusting where needed
>>>>>>>> -- (will) need to review RI too, for functionality not in API
>>>>>>>> -- any new features still? Events, @Authorized, ... ?
>>>>>>>>
>>>>>>>> -- Process (Will):
>>>>>>>> -- Very little time left in the schedule, need to work
>>>>>>>> efficiently
>>>>>>>> -- Regular meetings (same time each week)?
>>>>>>>> -- GitHub issues vs. JIRA?
>>>>>>>> -- Process/tools for doc review?
>>>>>>>>
>>>>>>>> -- Doc Review (Will):
>>>>>>>> -- Walk through EDR1 draft addressing open issues
>>>>>>>>
>>>>>>>> -- Other Business?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Will Hopkins | WebLogic Security Architect | +1.781.442.0310
>>>>>>>> Oracle Application Development
>>>>>>>> 35 Network Drive, Burlington, MA 01803
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
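As an added, runnable illustration of the two points discussed in the thread (the handler loop that checks authentication stores until one returns VALID, and Rudy's question of giving the group lookup enough context to resolve the groups of the correct person), here is a stand-alone Java program. It is not code from the thread or from the JSR 375 API/RI: every type in it (CallerPrincipal, UsernamePasswordCredential, CredentialValidationResult with its Status, IdentityStore with the getGroupsByCallerPrincipal signature quoted above, InMemoryStore) is a simplified stand-in named after the thread, the sample users, passwords and groups are constructed, and it assumes Java 11 or later for List.of/Map.of.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not JSR 375 code: the nested types are simplified stand-ins named
// after the thread so the two-phase flow (authenticate, then look up groups) runs on its own.
public class IdentityStoreChain {

    /** Stand-in for the principal a store returns on successful validation. */
    public static final class CallerPrincipal {
        private final String name;
        public CallerPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-in for a username/password credential. */
    public static final class UsernamePasswordCredential {
        final String caller, password;
        public UsernamePasswordCredential(String caller, String password) {
            this.caller = caller; this.password = password;
        }
    }

    /** Stand-in for CredentialValidationResult: status, validated principal and groups. */
    public static final class CredentialValidationResult {
        public enum Status { INVALID, VALID }
        public static final CredentialValidationResult INVALID_RESULT =
            new CredentialValidationResult(Status.INVALID, null, Collections.emptySet());
        private final Status status;
        private final CallerPrincipal callerPrincipal;
        private final Set<String> callerGroups;
        public CredentialValidationResult(Status s, CallerPrincipal p, Set<String> g) {
            status = s; callerPrincipal = p; callerGroups = g;
        }
        public Status getStatus() { return status; }
        public CallerPrincipal getCallerPrincipal() { return callerPrincipal; }
        public Set<String> getCallerGroups() { return callerGroups; }
    }

    /** Stand-in for IdentityStore, using the group lookup signature quoted in the thread. */
    public interface IdentityStore {
        CredentialValidationResult validate(UsernamePasswordCredential credential);
        List<String> getGroupsByCallerPrincipal(CallerPrincipal callerPrincipal);
    }

    /** Constructed in-memory store; a real one would query LDAP or a database. */
    public static final class InMemoryStore implements IdentityStore {
        private final Map<String, String> passwords;     // caller -> password
        private final Map<String, List<String>> groups;  // caller -> groups
        public InMemoryStore(Map<String, String> passwords, Map<String, List<String>> groups) {
            this.passwords = passwords; this.groups = groups;
        }
        @Override public CredentialValidationResult validate(UsernamePasswordCredential c) {
            String expected = passwords.get(c.caller);
            // Unknown caller or mismatch is INVALID, so the handler moves on to the next store;
            // MessageDigest.isEqual keeps the comparison time independent of where it differs.
            if (expected == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), c.password.getBytes(StandardCharsets.UTF_8))) {
                return CredentialValidationResult.INVALID_RESULT;
            }
            return new CredentialValidationResult(CredentialValidationResult.Status.VALID,
                new CallerPrincipal(c.caller), Collections.emptySet());
        }
        @Override public List<String> getGroupsByCallerPrincipal(CallerPrincipal p) {
            return groups.getOrDefault(p.getName(), Collections.emptyList());
        }
    }

    private final List<IdentityStore> authenticationIdentityStores, groupIdentityStores;
    public IdentityStoreChain(List<IdentityStore> auth, List<IdentityStore> group) {
        authenticationIdentityStores = auth; groupIdentityStores = group;
    }

    public CredentialValidationResult validate(UsernamePasswordCredential credential) {
        CredentialValidationResult validationResult = CredentialValidationResult.INVALID_RESULT;
        IdentityStore validatingStore = null;
        // Phase 1, the loop quoted in the thread: check stores to authenticate until one succeeds.
        for (IdentityStore store : authenticationIdentityStores) {
            validationResult = store.validate(credential);
            if (validationResult.getStatus() == CredentialValidationResult.Status.VALID) {
                validatingStore = store;
                break;
            }
        }
        if (validatingStore == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // Phase 2: groups are looked up by the principal the VALID result carries, so every
        // store resolves groups for the caller that actually authenticated.
        CallerPrincipal principal = validationResult.getCallerPrincipal();
        Set<String> groups = new LinkedHashSet<>(validatingStore.getGroupsByCallerPrincipal(principal));
        for (IdentityStore store : groupIdentityStores) {
            groups.addAll(store.getGroupsByCallerPrincipal(principal));
        }
        return new CredentialValidationResult(CredentialValidationResult.Status.VALID,
            principal, Collections.unmodifiableSet(groups));
    }

    public static void main(String[] args) {
        // Constructed sample data: the first store authenticates, the second only contributes groups.
        IdentityStoreChain chain = new IdentityStoreChain(
            List.of(new InMemoryStore(Map.of("alice", "correct horse"), Map.of("alice", List.of("users")))),
            List.of(new InMemoryStore(Map.of(), Map.of("alice", List.of("admins")))));
        CredentialValidationResult ok = chain.validate(new UsernamePasswordCredential("alice", "correct horse"));
        System.out.println(ok.getStatus() + " " + ok.getCallerPrincipal().getName() + " " + ok.getCallerGroups());
        System.out.println(chain.validate(new UsernamePasswordCredential("alice", "wrong")).getStatus());
    }
}
```

Compile and run with `javac IdentityStoreChain.java && java IdentityStoreChain`. The point of the second phase is the one Rudy raised: the group-only store never sees the password, only the CallerPrincipal that came out of the VALID CredentialValidationResult, so it cannot resolve groups for anyone other than the caller the first store actually validated.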