[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Bill Burke <>
Date: Sat, 20 Oct 2012 07:39:18 -0400

On 10/20/2012 3:16 AM, Jan Algermissen wrote:
> On Oct 19, 2012, at 10:55 PM, Sergey Beryozkin wrote:
>> On 19/10/12 18:25, Markus KARG wrote:
>>> Thank you for posting this really interesting link. After reading it I
>>> understand that any kind of further support of OAuth 2.0 makes no sense to
>>> me: If the lead editor thinks it is crap and he doesn't want to further see
>>> his name on it, I should keep my hands off.
>> Good example how the community at large can be affected by the critique - just curious - have you even done your own analysis ?
> I think there lies the problem: this is very hard to analyse if you are not a security expert. My gut feeling is the same as Markus' though. Eran seems to have a reputation of his own but he is likely to know his stuff in and out.
> What I distilled from his posting is that they produced some sort of meta standard that is too generic to be indeed useful. It seemsto be veryone will 'just' have to agree on one reference interpretation of the standard. E.g. Google's.
> But that's just my feeling. (Secretely I am hoping that Eran runs a new, more lightweight thing. Who knows)

That was really the point of this email. I did a 1st read of the spec
and it *is* generic as it doesn't define the access token format. Hence
wondering if we should do something for Java EE...


Bill Burke
JBoss, a division of Red Hat