users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Markus KARG <markus_at_headcrashing.eu>
Date: Sat, 20 Oct 2012 17:04:48 +0200

Until this discussion started I did not have any need for OAuth 2.0, so I have not
collected any experience with it (and still do not see a personal need for
this until my customers complain about a lack of OAuth 2.0 support). As I said, I
think there are experts on this topic, so I do not think I would be of big
help.

> -----Original Message-----
> From: Sergey Beryozkin [mailto:sberyozkin_at_talend.com]
> Sent: Freitag, 19. Oktober 2012 22:56
> To: jsr339-experts_at_jax-rs-spec.java.net
> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>
> On 19/10/12 18:25, Markus KARG wrote:
> > Thank you for posting this really interesting link. After reading it I
> > understand that any kind of further support of OAuth 2.0 makes no
> > sense to me: If the lead editor thinks it is crap and he doesn't want to
> > further see his name on it, I should keep my hands off.
>
> Good example of how the community at large can be affected by the critique
> - just curious - have you even done your own analysis?
>
> Sergey
>
> >
> >> -----Original Message-----
> >> From: Bill Burke [mailto:bburke_at_redhat.com]
> >> Sent: Donnerstag, 18. Oktober 2012 01:02
> >> To: jsr339-experts_at_jax-rs-spec.java.net
> >> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
> >>
> >> That's the thing. AFAICT, OAuth2 leaves the token format undefined.
> >> SAML has a mapping, but it would be cool to have a Java EE specific
> >> token format.
> >>
> >> There does seem to be a registry defined in the OAuth2 RFC.
> >>
> >> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
> >>
> >> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
> >>
> >> On 10/17/2012 12:15 PM, Markus KARG wrote:
> >>> Maybe this is a dumb question, but if the access token media type is
> >>> defined by OAuth2, how should it ever work to map a Principal on it? I
> >>> mean, the result would be that some tokens could be mapped while others
> >>> could not. What a chaos! I can hardly believe that there is no
> >>> kind of registry defined for this at IETF or elsewhere!?
> >>>
> >>>> -----Original Message-----
> >>>> From: Bill Burke [mailto:bburke_at_redhat.com]
> >>>> Sent: Dienstag, 16. Oktober 2012 21:20
> >>>> To: jsr339-experts_at_jax-rs-spec.java.net
> >>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
> >>>>
> >>>> You're missing what I'm saying. I want to define an on-the-wire
> >>>> access token media type that can be converted into Principal,
> >>>> user-role mappings and JACC permissions. OAuth2 does not specify the
> >>>> access token format, although SAML is used as an example.
> >>>>
> >>>> On 10/16/2012 2:09 PM, Markus KARG wrote:
> >>>>> I think that OAuth plays an important role, but I doubt that there
> >>>>> is a need for a JAX-RS extension: I think it should be covered by
> >>>>> Java EE's security layer, hence, it should be wrapped by an instance
> >>>>> of Principal.
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Bill Burke [mailto:bburke_at_redhat.com]
> >>>>>> Sent: Dienstag, 16. Oktober 2012 17:16
> >>>>>> To: jsr339-experts_at_jax-rs-spec.java.net
> >>>>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
> >>>>>>
> >>>>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if
> >>>>>> anybody was interested in collaborating on a Java EE Security token
> >>>>>> media type and maybe even extensions of the OAuth 2.0 protocol.
> >>>>>>
> >>>>>> A token media type would be a simple format that encapsulated
> >>>>>> user/role mappings and maybe user/permission (JACC) metadata.
> >>>>>>
> >>>>>> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
> >>>>>> be missing non-browser REST communication. Basically an ability to
> >>>>>> transfer the token via header invocations. I'd also like to see
> >>>>>> extended protocols/media types that include PKI support.
> >>>>>>
> >>>>>> Finally, I'd like to get this done via the IETF and their processes.
> >>>>>> I think this would be a good chance to get some industry
> >>>>>> collaboration around REST, security, and the Java EE world.
> >>>>>> Something specifically designed for Java EE. I know we have SAML and
> >>>>>> XACML and all, but I'd like to see something developed that is
> >>>>>> specific to Java EE. Formats and protocols that are simple and
> >>>>>> easy to implement and support in other environments beyond Java.
> >>>>>>
> >>>>>> Any thoughts?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Bill
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
> >>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
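The token-to-Principal and user-role mapping that Bill Burke sketches in the quoted thread, written out as an added JAX-RS 2.0 request filter; this is not code from anyone on the list. The token layout base64("<user>|<role1>,<role2>"), the class name JavaEeTokenFilter and the signature-check placeholder are assumptions for illustration only.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Constructed token layout (not any standard): base64("<user>|<role1>,<role2>").
// The filter takes the token from the Authorization header and installs a SecurityContext.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class JavaEeTokenFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) { ctx.abortWith(unauthorized("Bearer")); return; }
        boolean secure = "https".equalsIgnoreCase(ctx.getUriInfo().getRequestUri().getScheme());
        SecurityContext sc = toSecurityContext(auth.substring(7).trim(), secure);
        if (sc == null) { ctx.abortWith(unauthorized("Bearer error=\"invalid_token\"")); return; }
        ctx.setSecurityContext(sc);
    }

    // 401 with a WWW-Authenticate challenge so non-browser clients learn which scheme is expected.
    static Response unauthorized(String challenge) {
        return Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, challenge).build();
    }

    // Maps the token to a Principal plus a role set; returns null when the token is malformed.
    static SecurityContext toSecurityContext(String token, final boolean secure) {
        // Placeholder: a real token must be signed or MACed and verified here before any claim is trusted.
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; }
        int sep = decoded.indexOf('|');
        if (sep <= 0) return null;                       // empty user name or no separator
        final String user = decoded.substring(0, sep);
        final Set<String> roles = new HashSet<>(Arrays.asList(decoded.substring(sep + 1).split(",")));
        roles.remove("");                                // tolerate a trailing comma
        final Principal principal = new Principal() { public String getName() { return user; } };
        return new SecurityContext() {
            public Principal getUserPrincipal() { return principal; }
            public boolean isUserInRole(String role) { return roles.contains(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "BEARER"; }
        };
    }
}
```

With this in place, @RolesAllowed and SecurityContext injection in resource classes see the roles carried by the token rather than those of a container login module.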