[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Markus KARG <>
Date: Tue, 16 Oct 2012 20:09:24 +0200

I think that OAuth plays an important role, but I doubt that there is a need
for a JAX-RS extension: I think it should be covered by Java EE's security
layer, hence, it should be wrapped by an instance of Principal.

> -----Original Message-----
> From: Bill Burke []
> Sent: Dienstag, 16. Oktober 2012 17:16
> To:
> Subject: [jsr339-experts] offtopic: Java EE Security media type
> Now that OAuth 2.0 has reached RFC phase, I was wondering if anybody
> was interested in collaborating on a Java EE Security token media type
> and maybe even extensions of the OAuth 2.0 protocol.
> A token media type would be a simple format that encapsulated user/role
> mappings and maybe user/permission (JACC) metadata.
> I've only done a high-level reading of OAUth 2 RFC, but it seems to be
> missing non-browser REST communication. Basically an ability to
> transfer the token via header invocations. I'd also like to see
> extended protocols/media types that includes PKI support.
> Finally, I'd like to get this done via the IETF and their processes. I
> think this would be a good chance to get some industry collaboration
> around REST, security, and the Java EE world. Something specifically
> designed for Java EE. I know we have SAML and XACML and all, but I'd
> like to see something developed that is specific to Java EE. Formats
> and protocols that are simple and easy to implement and support in
> other environments beyond Java.
> Any thoughts?
> Thanks,
> Bill
> --
> Bill Burke
> JBoss, a division of Red Hat