users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Markus KARG <markus_at_headcrashing.eu>
Date: Tue, 16 Oct 2012 20:09:24 +0200

I think that OAuth plays an important role, but I doubt that there is a need
for a JAX-RS extension: I think it should be covered by Java EE's security
layer, hence, it should be wrapped by an instance of Principal.

> -----Original Message-----
> From: Bill Burke [mailto:bburke_at_redhat.com]
> Sent: Tuesday, 16 October 2012 17:16
> To: jsr339-experts_at_jax-rs-spec.java.net
> Subject: [jsr339-experts] offtopic: Java EE Security media type
>
> Now that OAuth 2.0 has reached RFC phase, I was wondering if anybody
> was interested in collaborating on a Java EE Security token media type
> and maybe even extensions of the OAuth 2.0 protocol.
>
> A token media type would be a simple format that encapsulated user/role
> mappings and maybe user/permission (JACC) metadata.
>
> I've only done a high-level reading of the OAuth 2 RFC, but it seems to be
> missing non-browser REST communication. Basically an ability to
> transfer the token via header invocations. I'd also like to see
> extended protocols/media types that include PKI support.
>
> Finally, I'd like to get this done via the IETF and their processes. I
> think this would be a good chance to get some industry collaboration
> around REST, security, and the Java EE world. Something specifically
> designed for Java EE. I know we have SAML and XACML and all, but I'd
> like to see something developed that is specific to Java EE. Formats
> and protocols that are simple and easy to implement and support in
> other environments beyond Java.
>
> Any thoughts?
>
> Thanks,
>
> Bill
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com