jsr339-experts@jax-rs-spec.java.net

[jsr339-experts] Re: offtopic: Java EE Security media type

From: Bill Burke <bburke_at_redhat.com>
Date: Wed, 17 Oct 2012 19:01:44 -0400

Thats the thing. AFAICT, OAuth2 leaves the token format undefined.
SAML has a mapping, but it would be cool to have a Java EE specific
token format.

There does seem to be a registry defined in the OAuth2 RFC.

FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

On 10/17/2012 12:15 PM, Markus KARG wrote:
> Maybe this is a dumb question, but if the access token media type is defined
> by OAuth2, how should it ever work to map a Principal on it? I mean, the
> result would be that some tokens could be mapped while other could not. What
> a chaos! I hardly can't believe that there is no kind of registry defined
> for this at IETF or elsewhere!?
>
>> -----Original Message-----
>> From: Bill Burke [mailto:bburke_at_redhat.com]
>> Sent: Dienstag, 16. Oktober 2012 21:20
>> To: jsr339-experts_at_jax-rs-spec.java.net
>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>
>> You're missing what I'm saying. I want to define a on-the-wire access
>> token media type that can be converted into Principal, user-role
>> mappings and JACC permissions. OAuth2 does not specify the access
>> token format, although SAML is used as an example.
>>
>> On 10/16/2012 2:09 PM, Markus KARG wrote:
>>> I think that OAuth plays an important role, but I doubt that there is
>>> a need for a JAX-RS extension: I think it should be covered by Java
>>> EE's security layer, hence, it should be wrapped by an instance of
>> Principal.
>>>
>>>> -----Original Message-----
>>>> From: Bill Burke [mailto:bburke_at_redhat.com]
>>>> Sent: Dienstag, 16. Oktober 2012 17:16
>>>> To: jsr339-experts_at_jax-rs-spec.java.net
>>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
>>>>
>>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if anybody
>>>> was interested in collaborating on a Java EE Security token media
>>>> type and maybe even extensions of the OAuth 2.0 protocol.
>>>>
>>>> A token media type would be a simple format that encapsulated
>>>> user/role mappings and maybe user/permission (JACC) metadata.
>>>>
>>>> I've only done a high-level reading of OAUth 2 RFC, but it seems to
>>>> be missing non-browser REST communication. Basically an ability to
>>>> transfer the token via header invocations. I'd also like to see
>>>> extended protocols/media types that includes PKI support.
>>>>
>>>> Finally, I'd like to get this done via the IETF and their processes.
>>>> I think this would be a good chance to get some industry
>>>> collaboration around REST, security, and the Java EE world.
>>>> Something specifically designed for Java EE. I know we have SAML
>> and
>>>> XACML and all, but I'd like to see something developed that is
>>>> specific to Java EE. Formats and protocols that are simple and easy
>>>> to implement and support in other environments beyond Java.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks,
>>>>
>>>> Bill
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
> 

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.