jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: offtopic: Java EE Security media type

From: Markus KARG <markus_at_headcrashing.eu>
Date: Wed, 17 Oct 2012 18:15:41 +0200

Maybe this is a dumb question, but if the access token media type is defined
by OAuth2, how could mapping a Principal onto it ever work? I mean, the
result would be that some tokens could be mapped while others could not. What
chaos! I can hardly believe that there is no kind of registry defined
for this at IETF or elsewhere!?

> -----Original Message-----
> From: Bill Burke [mailto:bburke_at_redhat.com]
> Sent: Dienstag, 16. Oktober 2012 21:20
> To: jsr339-experts_at_jax-rs-spec.java.net
> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>
> You're missing what I'm saying. I want to define an on-the-wire access
> token media type that can be converted into Principal, user-role
> mappings and JACC permissions. OAuth2 does not specify the access
> token format, although SAML is used as an example.
>
> On 10/16/2012 2:09 PM, Markus KARG wrote:
> > I think that OAuth plays an important role, but I doubt that there is
> > a need for a JAX-RS extension: I think it should be covered by Java
> > EE's security layer, hence, it should be wrapped by an instance of
> > Principal.
> >
> >> -----Original Message-----
> >> From: Bill Burke [mailto:bburke_at_redhat.com]
> >> Sent: Dienstag, 16. Oktober 2012 17:16
> >> To: jsr339-experts_at_jax-rs-spec.java.net
> >> Subject: [jsr339-experts] offtopic: Java EE Security media type
> >>
> >> Now that OAuth 2.0 has reached RFC phase, I was wondering if anybody
> >> was interested in collaborating on a Java EE Security token media
> >> type and maybe even extensions of the OAuth 2.0 protocol.
> >>
> >> A token media type would be a simple format that encapsulated
> >> user/role mappings and maybe user/permission (JACC) metadata.
> >>
> >> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
> >> be missing non-browser REST communication. Basically an ability to
> >> transfer the token via header invocations. I'd also like to see
> >> extended protocols/media types that include PKI support.
> >>
> >> Finally, I'd like to get this done via the IETF and their processes.
> >> I think this would be a good chance to get some industry
> >> collaboration around REST, security, and the Java EE world.
> >> Something specifically designed for Java EE. I know we have SAML and
> >> XACML and all, but I'd like to see something developed that is
> >> specific to Java EE. Formats and protocols that are simple and easy
> >> to implement and support in other environments beyond Java.
> >>
> >> Any thoughts?
> >>
> >> Thanks,
> >>
> >> Bill
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
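As an added illustration of the idea discussed in this thread (a header-carried access token that a container maps onto a Principal and user/role mappings), here is a JAX-RS 2.0 request filter. It is example code written for this page, not code from the thread, from JSR 339, or from any Red Hat project. Everything about the token is an assumption: its format (base64url JSON payload, a dot, a base64url HMAC-SHA256 over the payload), the claim names `sub` and `roles`, and the shared key; a real deployment would take the key from the container and, as the thread suggests, would more likely use PKI signatures than a shared secret. Whether `@RolesAllowed` on resource methods consults the installed `SecurityContext` is still up to the container.

```java
// Added example: JAX-RS 2.0 filter that turns a bearer token from the
// Authorization header into a SecurityContext (Principal + role checks).
// Token format (assumed, not from any spec): base64url(JSON) "." base64url(HMAC-SHA256(payload))
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class TokenAuthFilter implements ContainerRequestFilter {

    // Demo key only (assumption); load from the container's key store in practice.
    static final byte[] KEY = "replace-me-with-a-real-secret".getBytes(StandardCharsets.UTF_8);

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            return; // anonymous request; @RolesAllowed / @PermitAll decide what that may reach
        }
        TokenClaims claims;
        try {
            claims = TokenClaims.parse(auth.substring("Bearer ".length()).trim(), KEY);
        } catch (RuntimeException e) { // bad base64, bad MAC, malformed JSON, missing claims
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\"")
                    .build());
            return;
        }
        boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new TokenSecurityContext(claims, secure));
    }

    /** Claims the hypothetical token carries: a subject and a set of roles. */
    static final class TokenClaims {
        final String subject;
        final Set<String> roles;

        TokenClaims(String subject, Set<String> roles) {
            this.subject = subject;
            this.roles = roles;
        }

        /** Verify the MAC before trusting any claim; only then decode the JSON payload. */
        static TokenClaims parse(String token, byte[] key) {
            int dot = token.lastIndexOf('.');
            if (dot <= 0) throw new IllegalArgumentException("malformed token");
            String payload = token.substring(0, dot);
            byte[] sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            if (!MessageDigest.isEqual(sig, hmac(key, payload))) { // constant-time compare
                throw new IllegalArgumentException("bad signature");
            }
            String json = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
            JsonObject obj = Json.createReader(new StringReader(json)).readObject();
            Set<String> roles = new HashSet<>();
            for (JsonString r : obj.getJsonArray("roles").getValuesAs(JsonString.class)) {
                roles.add(r.getString());
            }
            return new TokenClaims(obj.getString("sub"), Collections.unmodifiableSet(roles));
        }

        /** Mint a token in the same (assumed) format; useful for issuing and for tests. */
        static String mint(String subject, Set<String> roles, byte[] key) {
            JsonArrayBuilder arr = Json.createArrayBuilder();
            for (String r : roles) arr.add(r);
            String json = Json.createObjectBuilder().add("sub", subject).add("roles", arr).build().toString();
            Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
            String payload = enc.encodeToString(json.getBytes(StandardCharsets.UTF_8));
            return payload + "." + enc.encodeToString(hmac(key, payload));
        }

        static byte[] hmac(byte[] key, String data) {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /** The container-facing view: Principal name from "sub", roles from "roles". */
    static final class TokenSecurityContext implements SecurityContext {
        private final TokenClaims claims;
        private final boolean secure;

        TokenSecurityContext(TokenClaims claims, boolean secure) {
            this.claims = claims;
            this.secure = secure;
        }

        @Override public Principal getUserPrincipal() {
            return new Principal() { @Override public String getName() { return claims.subject; } };
        }
        @Override public boolean isUserInRole(String role) { return claims.roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return "Bearer"; }
    }
}
```

To try it, mint a token with `TokenClaims.mint("alice", Set.of("admin"), TokenAuthFilter.KEY)` and send it as `Authorization: Bearer <token>`; a request whose token fails the MAC check or carries malformed claims is rejected with 401 before any resource method runs, and a request without the header passes through as anonymous so the resource's own annotations can decide.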