[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Sergey Beryozkin <>
Date: Fri, 19 Oct 2012 21:55:40 +0100

On 19/10/12 18:25, Markus KARG wrote:
> Thank you for posting this really interesting link. After reading it I
> understand that any kind of further support of OAuth 2.0 makes no sense to
> me: If the lead editor thinks it is crap and he doesn't want to further see
> his name on it, I should keep my hands off.

Good example of how the community at large can be affected by the critique.
Just curious: have you even done your own analysis?


>> -----Original Message-----
>> From: Bill Burke []
>> Sent: Donnerstag, 18. Oktober 2012 01:02
>> To:
>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>> That's the thing. AFAICT, OAuth2 leaves the token format undefined.
>> SAML has a mapping, but it would be cool to have a Java EE specific
>> token format.
>> There does seem to be a registry defined in the OAuth2 RFC.
>> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
>> On 10/17/2012 12:15 PM, Markus KARG wrote:
>>> Maybe this is a dumb question, but if the access token media type is
>>> defined by OAuth2, how should it ever work to map a Principal on it? I
>>> mean, the result would be that some tokens could be mapped while others
>>> could not. What a chaos! I can hardly believe that there is no kind
>>> of registry defined for this at IETF or elsewhere!?
>>>> -----Original Message-----
>>>> From: Bill Burke []
>>>> Sent: Dienstag, 16. Oktober 2012 21:20
>>>> To:
>>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>>> You're missing what I'm saying. I want to define an on-the-wire
>>>> access token media type that can be converted into Principal,
>>>> user-role mappings and JACC permissions. OAuth2 does not specify the
>>>> access token format, although SAML is used as an example.
>>>> On 10/16/2012 2:09 PM, Markus KARG wrote:
>>>>> I think that OAuth plays an important role, but I doubt that there
>>>>> is a need for a JAX-RS extension: I think it should be covered by
>>>>> Java EE's security layer, hence, it should be wrapped by an instance
>>>>> of Principal.
>>>>>> -----Original Message-----
>>>>>> From: Bill Burke []
>>>>>> Sent: Dienstag, 16. Oktober 2012 17:16
>>>>>> To:
>>>>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
>>>>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if
>>>>>> anybody was interested in collaborating on a Java EE Security token
>>>>>> media type and maybe even extensions of the OAuth 2.0 protocol.
>>>>>> A token media type would be a simple format that encapsulated
>>>>>> user/role mappings and maybe user/permission (JACC) metadata.
>>>>>> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
>>>>>> be missing non-browser REST communication. Basically an ability to
>>>>>> transfer the token via header invocations. I'd also like to see
>>>>>> extended protocols/media types that include PKI support.
>>>>>> Finally, I'd like to get this done via the IETF and their processes.
>>>>>> I think this would be a good chance to get some industry
>>>>>> collaboration around REST, security, and the Java EE world.
>>>>>> Something specifically designed for Java EE. I know we have SAML and
>>>>>> XACML and all, but I'd like to see something developed that is
>>>>>> specific to Java EE. Formats and protocols that are simple and
>>>>>> easy to implement and support in other environments beyond Java.
>>>>>> Any thoughts?
>>>>>> Thanks,
>>>>>> Bill
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>> --
>> Bill Burke
>> JBoss, a division of Red Hat

Sergey Beryozkin
Talend Community Coders