You're missing what I'm saying. I want to define a on-the-wire access
token media type that can be converted into Principal, user-role
mappings and JACC permissions. OAuth2 does not specify the access token
format, although SAML is used as an example.
On 10/16/2012 2:09 PM, Markus KARG wrote:
> I think that OAuth plays an important role, but I doubt that there is a need
> for a JAX-RS extension: I think it should be covered by Java EE's security
> layer, hence, it should be wrapped by an instance of Principal.
>
>> -----Original Message-----
>> From: Bill Burke [mailto:bburke_at_redhat.com]
>> Sent: Dienstag, 16. Oktober 2012 17:16
>> To: jsr339-experts_at_jax-rs-spec.java.net
>> Subject: [jsr339-experts] offtopic: Java EE Security media type
>>
>> Now that OAuth 2.0 has reached RFC phase, I was wondering if anybody
>> was interested in collaborating on a Java EE Security token media type
>> and maybe even extensions of the OAuth 2.0 protocol.
>>
>> A token media type would be a simple format that encapsulated user/role
>> mappings and maybe user/permission (JACC) metadata.
>>
>> I've only done a high-level reading of OAUth 2 RFC, but it seems to be
>> missing non-browser REST communication. Basically an ability to
>> transfer the token via header invocations. I'd also like to see
>> extended protocols/media types that includes PKI support.
>>
>> Finally, I'd like to get this done via the IETF and their processes. I
>> think this would be a good chance to get some industry collaboration
>> around REST, security, and the Java EE world. Something specifically
>> designed for Java EE. I know we have SAML and XACML and all, but I'd
>> like to see something developed that is specific to Java EE. Formats
>> and protocols that are simple and easy to implement and support in
>> other environments beyond Java.
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> Bill
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com