[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Sergey Beryozkin <>
Date: Thu, 18 Oct 2012 10:19:57 +0100

On 18/10/12 00:01, Bill Burke wrote:
> That's the thing. AFAICT, OAuth2 leaves the token format undefined. SAML
> has a mapping, but it would be cool to have a Java EE specific token
> format.

Using Java EE to implement OAuth2 is an implementation detail, so I'm
not sure there's any scope for getting something Java EE specific into
the protocol.

> There does seem to be a registry defined in the OAuth2 RFC.
> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:

Does not mean OAuth2 is totally broken.

> On 10/17/2012 12:15 PM, Markus KARG wrote:
>> Maybe this is a dumb question, but if the access token media type is
>> defined by OAuth2, how should it ever work to map a Principal on it? I
>> mean, the result would be that some tokens could be mapped while others
>> could not. What chaos! I can hardly believe that there is no kind of
>> registry defined for this at IETF or elsewhere!?

That is not the case. OAuth2 does provide for the use of all types of
tokens, including the ones not referred to by the spec.


>>> -----Original Message-----
>>> From: Bill Burke []
>>> Sent: Tuesday, 16 October 2012 21:20
>>> To:
>>> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>>> You're missing what I'm saying. I want to define an on-the-wire access
>>> token media type that can be converted into Principal, user-role
>>> mappings and JACC permissions. OAuth2 does not specify the access
>>> token format, although SAML is used as an example.
>>> On 10/16/2012 2:09 PM, Markus KARG wrote:
>>>> I think that OAuth plays an important role, but I doubt that there is
>>>> a need for a JAX-RS extension: I think it should be covered by Java
>>>> EE's security layer, hence, it should be wrapped by an instance of
>>>> Principal.
>>>>> -----Original Message-----
>>>>> From: Bill Burke []
>>>>> Sent: Tuesday, 16 October 2012 17:16
>>>>> To:
>>>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
>>>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if anybody
>>>>> was interested in collaborating on a Java EE Security token media
>>>>> type and maybe even extensions of the OAuth 2.0 protocol.
>>>>> A token media type would be a simple format that encapsulated
>>>>> user/role mappings and maybe user/permission (JACC) metadata.
>>>>> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
>>>>> be missing non-browser REST communication. Basically an ability to
>>>>> transfer the token via header invocations. I'd also like to see
>>>>> extended protocols/media types that includes PKI support.
>>>>> Finally, I'd like to get this done via the IETF and their processes.
>>>>> I think this would be a good chance to get some industry
>>>>> collaboration around REST, security, and the Java EE world.
>>>>> Something specifically designed for Java EE. I know we have SAML and
>>>>> XACML and all, but I'd like to see something developed that is
>>>>> specific to Java EE. Formats and protocols that are simple and easy
>>>>> to implement and support in other environments beyond Java.
>>>>> Any thoughts?
>>>>> Thanks,
>>>>> Bill
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat