users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Agenda for EG Meeting, 2017/04/07

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Sat, 8 Apr 2017 21:08:52 +0200

Hi,

I understand, and if that was the case the method should indeed be named
differently, but this only concerns the URLs (web resources) such as
constrained in web.xml, that the caller has or not has access to.

As an example, consider the following in web.xml:

<security-constraint>

<web-resource-collection>

<web-resource-name>Admin pages</web-resource-name>

<url-pattern>/admin/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>VIEW_ADMIN_PAGES</role-name>

</auth-constraint>

</security-constraint>


This method specifically tests for access to a "web-resource" such as
defined by the "url-pattern" (which is always a string).


So given the above, a logical call would e.g. be:


boolean hasAccess = context.hasAccessToWebResource("/admin/foo");


SocketResources and FileResources are typically not expressed in terms of
the authenticated Java EE caller, but more in terms of the code (fqn) using
these (using the CodeSource type). As such they are Java SE permissions.

I indeed agree that the JavaDoc should make it abundantly clear what kind
of access this method is testing for. Probably an example like the above
could help with that.

Kind regards,
Arjan Tijms





On Sat, Apr 8, 2017 at 8:37 PM, Werner Keil <werner.keil_at_gmail.com> wrote:

> Hi,
>
> That was only one aspect of asking if the term "Web" in the method was
> always right and applicable.
>
> The API has only strings as argument, we clearly need some amount of
> JavaDoc. If it turns out, "String resource" could be other kinds of
> resources, e.g. the host name in a SocketResource or the file name/path in
> a FileResource, then maybe it should just say hasAccessToResource?;-)
>
> Kind Regards,
> Werner
>
>
> On Sat, Apr 8, 2017 at 6:28 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
>> Hi,
>>
>> There's (for now anyway) no direct compile time connection to any JACC
>> type in the API, so the only dependency is at the spec level.
>>
>> Simply said; it should behave as JACC specified it, but it does not
>> actually have to be JACC. The Servlet spec does something similar and
>> clearly Tomcat (currently) does not implement JACC.
>>
>> As a side note, I noticed there's quite an amount of "fear" (for lack of
>> a better term) around JACC, but I think that's largely unjustified. JACC
>> among others very clearly specifies the resource patterns used by Servlet.
>>
>> Kind regards,
>> Arjan
>>
>> On Saturday, April 8, 2017, Werner Keil <werner.keil_at_gmail.com> wrote:
>>
>>> IC, so it's https://docs.oracle.com/javaee/7/api/javax/security/jac
>>> c/WebResourcePermission.html
>>> The question for a general API element like SecurityContext is, will
>>> this always be specific and limited to JACC only?
>>> The parent class http://docs.oracle.com/javase/7/docs/api/java/security
>>> /Permission.html has various other known children like
>>> SocketPermission, etc.
>>>
>>> Do we know only WebResourcePermission applies to SecurityContext?
>>>
>>> Kind Regards,
>>> Werner
>>>
>>>
>>> On Sat, Apr 8, 2017 at 1:59 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Sat, Apr 8, 2017 at 1:44 PM, Werner Keil <werner.keil_at_gmail.com>
>>>> wrote:
>>>>
>>>>> IMO I am not sure, if the word "Web" is necessary or adds value, given
>>>>> Mobile, Embedded, etc. may have different types of resources than
>>>>> traditional "websites" or pages.
>>>>>
>>>>
>>>> The term "Web" is there since it's hinges on the underlying
>>>> "WebResourcePermission". So this method asks for exactly the access that
>>>> you can ask for using such WebResourcePermission. WebResourcePermission has
>>>> a well defined meaning of what resources it points to, hence the term "Web"
>>>> in the method ;)
>>>>
>>>> Kind regards,
>>>> Arjan Tijms
>>>>
>>>>
>>>>
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>>
>>>>> Werner
>>>>>
>>>>>
>>>>> On Sat, Apr 8, 2017 at 10:39 AM, Rudy De Busscher <
>>>>> rdebusscher_at_gmail.com> wrote:
>>>>>
>>>>>> Hi Arjan,
>>>>>>
>>>>>> The meeting was ended shortly after your connection broke up.
>>>>>>
>>>>>> The question was to use also CredentialValidationResult with this
>>>>>> method of IdentityStore
>>>>>>
>>>>>> *List<String> getGroupsByCallerPrincipal(CallerPrincipal
>>>>>> callerPrincipal)*
>>>>>>
>>>>>> In order to add additional information to it so that the
>>>>>> IdentityStore has more information about the Caller which was authenticated
>>>>>> so that it can retrieve the groups of the *correct person*
>>>>>>
>>>>>> best regards
>>>>>>
>>>>>> Rudy
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 7 April 2017 at 22:29, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I just lost the connection totally too, but probably because it was
>>>>>>> automatically ended by the time limit set.
>>>>>>>
>>>>>>> Oh well, good things were discussed. Perhaps we should have had
>>>>>>> those meetings on a regular basis some time ago, but what's done is done.
>>>>>>>
>>>>>>> Last point of discussion was the CredentialValidationResult that
>>>>>>> should be passed around, but actually this already is. Or maybe I
>>>>>>> understood the question not correctly.
>>>>>>>
>>>>>>> But if you look at the handler, then the main loop is this:
>>>>>>>
>>>>>>> CredentialValidationResult validationResult = null;
>>>>>>>
>>>>>>> // Check stores to authenticate until one succeeds.
>>>>>>> for (IdentityStore authenticationIdentityStore :
>>>>>>> authenticationIdentityStores) {
>>>>>>> validationResult = authenticationIdentityStore.va
>>>>>>> lidate(credential);
>>>>>>> if (validationResult.getStatus() == VALID) {
>>>>>>> break;
>>>>>>> }
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> This makes its decision based on CredentialValidationResult above
>>>>>>> anything else. But again, maybe I understood incorrectly.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Arjan Tijms
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Apr 7, 2017 at 10:05 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Looks like I totally lost the connection, Wifi keeps breaking down.
>>>>>>>> I might try again, otherwise hope next week it will be more stable... So
>>>>>>>> far it was OK here.
>>>>>>>>
>>>>>>>> Werner
>>>>>>>>
>>>>>>>> On Fri, Apr 7, 2017 at 8:21 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Sorry to be late, where is the Zoom URL?
>>>>>>>>>
>>>>>>>>> Werner Keil | JCP Executive Committee Member, JSR 363 Maintenance
>>>>>>>>> Lead | Eclipse UOMo Lead, Babel Language Champion | Apache
>>>>>>>>> Committer
>>>>>>>>>
>>>>>>>>> Twitter @wernerkeil | @UnitAPI | @JSR354 | @AgoravaProj | @TamayaConf
>>>>>>>>> | @OpenDDR | #EclipseUOMo
>>>>>>>>> Skype werner.keil <http://gplus.to/wernerkeil>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Apr 7, 2017 at 7:40 PM, Will Hopkins <
>>>>>>>>> will.hopkins_at_oracle.com> wrote:
>>>>>>>>>
>>>>>>>>>> Agenda:
>>>>>>>>>>
>>>>>>>>>> -- JavaOne talks (Werner):
>>>>>>>>>> -- I think this is a good idea. Willing to present myself, or
>>>>>>>>>> with others from the EG. Having a single session makes sense to me, don't
>>>>>>>>>> know what sort would be best -- maybe BOF? Not sure whether Oracle has a
>>>>>>>>>> separate internal CFP with different deadlines, looking into it now.
>>>>>>>>>>
>>>>>>>>>> -- Glassfish security guide (Werner):
>>>>>>>>>> -- I believe the Oracle doc team will update this with
>>>>>>>>>> relevant information.
>>>>>>>>>>
>>>>>>>>>> -- Build issues (Arjan):
>>>>>>>>>> -- pushing out the api artefact to bintray
>>>>>>>>>> -- pushing milestones (also) to maven central
>>>>>>>>>> -- testing the builds
>>>>>>>>>>
>>>>>>>>>> -- Spec/API issues (Arjan):
>>>>>>>>>> -- checking the source (specifically api) adjusting where
>>>>>>>>>> needed
>>>>>>>>>> -- (will) need to review RI too, for functionality not in API
>>>>>>>>>> -- any new features still? Events, @Authorized, ... ?
>>>>>>>>>>
>>>>>>>>>> -- Process (Will):
>>>>>>>>>> -- Very little time left in the schedule, need to work
>>>>>>>>>> efficiently
>>>>>>>>>> -- Regular meetings (same time each week)?
>>>>>>>>>> -- GitHub issues vs. JIRA?
>>>>>>>>>> -- Process/tools for doc review?
>>>>>>>>>>
>>>>>>>>>> -- Doc Review (Will):
>>>>>>>>>> -- Walk through EDR1 draft addressing open issues
>>>>>>>>>>
>>>>>>>>>> -- Other Business?
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Will Hopkins | WebLogic Security Architect | +1.781.442.0310 <+1%20781-442-0310>
>>>>>>>>>> Oracle Application Development
>>>>>>>>>> 35 Network Drive, Burlington, MA 01803
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>