users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Bill Burke <bburke_at_redhat.com>
Date: Fri, 19 Oct 2012 14:31:33 -0400

I agree with you, but, IMO, REST + Java EE applications need some kind
of interoperable security solution (even browser + Java EE).

On 10/19/2012 2:03 PM, Markus KARG wrote:
> I typically do not do things just because Google tries to dictate them. If
> OAuth one day is the big cool unique standard, I might take a look at it. Until
> then, I think there are enough experts that can help more than I can.
>
>> -----Original Message-----
>> From: Bill Burke [mailto:bburke_at_redhat.com]
>> Sent: Friday, 19 October 2012 19:35
>> To: jsr339-experts_at_jax-rs-spec.java.net
>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>
>> Well, if you do a little more research, Eran is a touchy kind of guy.
>> I believe Google is behind OAuth2 and supports it(?) If so, I don't
>> see how it could *not* gain some adoption.
>>
>> On 10/19/2012 1:25 PM, Markus KARG wrote:
>>> Thank you for posting this really interesting link. After reading it I
>>> understand that any kind of further support of OAuth 2.0 makes no sense to
>>> me: If the lead editor thinks it is crap and he doesn't want to further see
>>> his name on it, I should keep my hands off.
>>>
>>>> -----Original Message-----
>>>> From: Bill Burke [mailto:bburke_at_redhat.com]
>>>> Sent: Thursday, 18 October 2012 01:02
>>>> To: jsr339-experts_at_jax-rs-spec.java.net
>>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>>>
>>>> That's the thing. AFAICT, OAuth2 leaves the token format undefined.
>>>> SAML has a mapping, but it would be cool to have a Java EE specific
>>>> token format.
>>>>
>>>> There does seem to be a registry defined in the OAuth2 RFC.
>>>>
>>>> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
>>>>
>>>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>>>>
>>>> On 10/17/2012 12:15 PM, Markus KARG wrote:
>>>>> Maybe this is a dumb question, but if the access token media type is
>>>>> defined by OAuth2, how should it ever work to map a Principal on it? I
>>>>> mean, the result would be that some tokens could be mapped while others
>>>>> could not. What a chaos! I can hardly believe that there is no kind of
>>>>> registry defined for this at IETF or elsewhere!?
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Bill Burke [mailto:bburke_at_redhat.com]
>>>>>> Sent: Tuesday, 16 October 2012 21:20
>>>>>> To: jsr339-experts_at_jax-rs-spec.java.net
>>>>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>>>>>
>>>>>> You're missing what I'm saying. I want to define an on-the-wire
>>>>>> access token media type that can be converted into Principal,
>>>>>> user-role mappings and JACC permissions. OAuth2 does not specify the
>>>>>> access token format, although SAML is used as an example.
>>>>>>
>>>>>> On 10/16/2012 2:09 PM, Markus KARG wrote:
>>>>>>> I think that OAuth plays an important role, but I doubt that there
>>>>>>> is a need for a JAX-RS extension: I think it should be covered by
>>>>>>> Java EE's security layer, hence, it should be wrapped by an instance
>>>>>>> of Principal.
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Bill Burke [mailto:bburke_at_redhat.com]
>>>>>>>> Sent: Tuesday, 16 October 2012 17:16
>>>>>>>> To: jsr339-experts_at_jax-rs-spec.java.net
>>>>>>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
>>>>>>>>
>>>>>>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if
>>>>>>>> anybody was interested in collaborating on a Java EE Security token
>>>>>>>> media type and maybe even extensions of the OAuth 2.0 protocol.
>>>>>>>>
>>>>>>>> A token media type would be a simple format that encapsulates
>>>>>>>> user/role mappings and maybe user/permission (JACC) metadata.
>>>>>>>>
>>>>>>>> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
>>>>>>>> be missing non-browser REST communication. Basically an ability to
>>>>>>>> transfer the token via header invocations. I'd also like to see
>>>>>>>> extended protocols/media types that include PKI support.
>>>>>>>>
>>>>>>>> Finally, I'd like to get this done via the IETF and their processes.
>>>>>>>> I think this would be a good chance to get some industry
>>>>>>>> collaboration around REST, security, and the Java EE world.
>>>>>>>> Something specifically designed for Java EE. I know we have SAML and
>>>>>>>> XACML and all, but I'd like to see something developed that is
>>>>>>>> specific to Java EE. Formats and protocols that are simple and
>>>>>>>> easy to implement and support in other environments beyond Java.
>>>>>>>>
>>>>>>>> Any thoughts?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Bill
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
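
The thread keeps returning to two mechanics: carrying an access token to a REST endpoint in a request header rather than through a browser flow, and converting that token into a Principal plus user-role mappings that the Java EE container can enforce. The following is an added example written for this archive page; it is not code from the thread, from JAX-RS, from Java EE or from any of the participants' projects. It is a JAX-RS 2.0 (JSR 339) ContainerRequestFilter that reads the token from the HTTP Authorization header using the Bearer scheme of RFC 6750, verifies an HMAC over it, and installs a SecurityContext whose getUserPrincipal and isUserInRole answer from the token. Everything about the token itself is an assumption for illustration only: the format `base64url(JSON payload) "." base64url(HMAC-SHA256 over the payload)`, the field names `sub` and `roles`, the class and method names (`TokenAuthFilter`, `TokenPrincipal`, `verify`, `mint`, `hmac`, `reject`) and the embedded shared key. No standard defines any of them; the JSON parsing uses the javax.json API (JSON-P) that ships alongside JAX-RS 2.0 in Java EE 7.

```java
// Added example, not code from the thread, JAX-RS or Java EE. Assumed (hypothetical) token format:
// base64url(JSON payload) "." base64url(HMAC-SHA256 over the payload), payload fields "sub" and "roles".
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.json.*;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class TokenAuthFilter implements ContainerRequestFilter {
    // Demo key embedded for illustration; a deployment would load it from the container's key store.
    static final byte[] KEY = "demo-shared-key-change-me".getBytes(StandardCharsets.UTF_8);
    /** The Principal the container and JAX-RS resources see after the token is verified. */
    static final class TokenPrincipal implements Principal {
        final String name;
        final Set<String> roles;
        TokenPrincipal(String name, Set<String> roles) { this.name = name; this.roles = Collections.unmodifiableSet(roles); }
        @Override public String getName() { return name; }
    }
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // The token travels in "Authorization: Bearer <token>" (the header form of RFC 6750).
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) { reject(ctx, "Bearer"); return; }
        final TokenPrincipal principal = verify(auth.substring(7).trim());
        if (principal == null) { reject(ctx, "Bearer error=\"invalid_token\""); return; }
        final boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {   // the Principal / user-role mapping step
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return principal.roles.contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
    static void reject(ContainerRequestContext ctx, String challenge) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, challenge).build());
    }
    /** Checks the MAC before trusting anything in the payload; returns null on any failure. */
    static TokenPrincipal verify(String token) {
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        byte[] payload, sig;
        try {
            payload = Base64.getUrlDecoder().decode(token.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) { return null; }
        // Constant-time comparison, so a wrong MAC does not leak how many bytes matched.
        if (!MessageDigest.isEqual(hmac(payload), sig)) return null;
        try (JsonReader reader = Json.createReader(new StringReader(new String(payload, StandardCharsets.UTF_8)))) {
            JsonObject obj = reader.readObject();
            String sub = obj.getString("sub", null);
            if (sub == null || sub.isEmpty()) return null;
            Set<String> roles = new HashSet<>();
            JsonArray arr = obj.getJsonArray("roles");
            if (arr != null) for (JsonString s : arr.getValuesAs(JsonString.class)) roles.add(s.getString());
            return new TokenPrincipal(sub, roles);
        } catch (JsonException | ClassCastException e) { return null; }
    }
    /** Token issuance; in a real deployment this lives on the issuer, not in the resource server. */
    static String mint(String payloadJson) {
        byte[] payload = payloadJson.getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }
    static byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        String good = mint("{\"sub\":\"alice\",\"roles\":[\"admin\",\"user\"]}");   // constructed sample
        TokenPrincipal p = verify(good);
        System.out.println(p.getName() + " admin=" + p.roles.contains("admin"));
        // Same MAC, payload swapped for one claiming another user: the MAC check rejects it.
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(
                "{\"sub\":\"mallory\",\"roles\":[\"admin\"]}".getBytes(StandardCharsets.UTF_8)) + good.substring(good.indexOf('.'));
        System.out.println("forged accepted=" + (verify(forged) != null));
    }
}
```

Two points a practitioner would check in a design like this. First, the role list inside the token is attacker-supplied until the MAC (or a signature) has been verified, which is why `verify` compares the MAC before it parses the JSON; the `forged` token in `main` shows a payload with a different `sub` and role set being rejected even though it reuses a valid MAC. Second, a bearer token grants access to whoever holds it, so it must only travel over TLS; the filter forwards the container's `isSecure()` so resources can still tell. Replacing the shared-key HMAC with an asymmetric signature would let every resource server verify tokens with only the issuer's public key, which is the direction the "PKI support" wish in the thread points.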