[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Jan Algermissen <>
Date: Sat, 20 Oct 2012 09:16:05 +0200

On Oct 19, 2012, at 10:55 PM, Sergey Beryozkin wrote:

> On 19/10/12 18:25, Markus KARG wrote:
>> Thank you for posting this really interesting link. After reading it I
>> understand that any kind of further support of OAuth 2.0 makes no sense to
>> me: If the lead editor thinks it is crap and he doesn't want to further see
>> his name on it, I should keep my hands off.
> Good example how the community at large can be affected by the critique - just curious - have you even done your own analysis?

I think there lies the problem: this is very hard to analyse if you are not a security expert. My gut feeling is the same as Markus' though. Eran seems to have a reputation of his own but he is likely to know his stuff in and out.

What I distilled from his posting is that they produced some sort of meta standard that is too generic to be indeed useful. It seems to be everyone will 'just' have to agree on one reference interpretation of the standard. E.g. Google's.

But that's just my feeling. (Secretly I am hoping that Eran runs a new, more lightweight thing. Who knows)


> Sergey
>>> -----Original Message-----
>>> From: Bill Burke []
>>> Sent: Donnerstag, 18. Oktober 2012 01:02
>>> To:
>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>> That's the thing. AFAICT, OAuth2 leaves the token format undefined.
>>> SAML has a mapping, but it would be cool to have a Java EE specific
>>> token format.
>>> There does seem to be a registry defined in the OAuth2 RFC.
>>> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
>>> On 10/17/2012 12:15 PM, Markus KARG wrote:
>>>> Maybe this is a dumb question, but if the access token media type is
>>>> defined by OAuth2, how should it ever work to map a Principal on it? I
>>>> mean, the result would be that some tokens could be mapped while others
>>>> could not. What a chaos! I can hardly believe that there is no kind
>>>> of registry defined for this at IETF or elsewhere!?
>>>>> -----Original Message-----
>>>>> From: Bill Burke []
>>>>> Sent: Dienstag, 16. Oktober 2012 21:20
>>>>> To:
>>>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>>>> You're missing what I'm saying. I want to define an on-the-wire
>>>>> access token media type that can be converted into Principal,
>>>>> user-role mappings and JACC permissions. OAuth2 does not specify the
>>>>> access token format, although SAML is used as an example.
>>>>> On 10/16/2012 2:09 PM, Markus KARG wrote:
>>>>>> I think that OAuth plays an important role, but I doubt that there
>>>>>> is a need for a JAX-RS extension: I think it should be covered by
>>>>>> Java EE's security layer, hence, it should be wrapped by an instance
>>>>>> of Principal.
>>>>>>> -----Original Message-----
>>>>>>> From: Bill Burke []
>>>>>>> Sent: Dienstag, 16. Oktober 2012 17:16
>>>>>>> To:
>>>>>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
>>>>>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if
>>>>>>> anybody was interested in collaborating on a Java EE Security token
>>>>>>> media type and maybe even extensions of the OAuth 2.0 protocol.
>>>>>>> A token media type would be a simple format that encapsulated
>>>>>>> user/role mappings and maybe user/permission (JACC) metadata.
>>>>>>> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
>>>>>>> be missing non-browser REST communication. Basically an ability to
>>>>>>> transfer the token via header invocations. I'd also like to see
>>>>>>> extended protocols/media types that include PKI support.
>>>>>>> Finally, I'd like to get this done via the IETF and their processes.
>>>>>>> I think this would be a good chance to get some industry
>>>>>>> collaboration around REST, security, and the Java EE world.
>>>>>>> Something specifically designed for Java EE. I know we have SAML and
>>>>>>> XACML and all, but I'd like to see something developed that is
>>>>>>> specific to Java EE. Formats and protocols that are simple and
>>>>>>> easy to implement and support in other environments beyond Java.
>>>>>>> Any thoughts?
>>>>>>> Thanks,
>>>>>>> Bill
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
> --
> Sergey Beryozkin
> Talend Community Coders
> Blog: