Re: Welcome to the new JSR-375 mailing list


Arjan Tijms
 



On Fri, May 12, 2017 at 9:01 PM, Will Hopkins <will.hopkins@...> wrote:
Hi Arjan,

I've also noticed that there are a number of interfaces in the API repo that don't correspond to things we've spec'd; the RememberMeIdentityStore, for example. I propose to move those out of the API (spec) to the RI.

The RememberMeIdentityStore is crucial for the @RememberMe annotation, and has been spec'ed there.


 
What are you referring to re: 1:1 role mapping? Is that from the discussion on the ML after the last meeting?

The 1:1 role mapping refers to the fact that some Java EE products mandate groups to be mapped to roles. Without that mapping, nothing works.

This is *extremely* undesirable as it still requires server specific configuration, while the entire point of JSR 375 is to have security without any server specific configuration. This was early on recognised as an important thing to specify that it should not be done (using a switch or under certain circumstances), but we never actually did that.

As you may know, WebLogic already does 1:1 role mapping if there's no specific configuration present and GF has a switch for it (but doesn't default to it).

Kind regards,
Arjan Tijms

 

Will


On 05/12/2017 02:36 PM, Arjan Tijms wrote:
Hi Will,

Good to hear from you again, it has been a tad quiet at the list since the last EG call.

What are roughly speaking the API changes that still need to be done?

Off the top of my head I think there's still one occurrence of getGroups returning a list. Spec-wise we still need to say that the identity store getGroups method is subject to a Java SE security manager restriction.

After last call I applied a couple of other things as discussed during that call, such as the renaming and the check in the handler that we overlooked previously.

One final thing that we should still spec is the 1:1 role mapping. We can either do this via a new element in web.xml, an annotation, both, or even something implicit (say spec text like: "If a JSR 375 authentication mechanism is configured, and group to role mapping is not explicitly configured in a container specific way, the container *MUST* default to 1:1 group to role mapping")

Wdyt?

Kind regards,
Arjan Tijms




On Fri, May 12, 2017 at 7:37 PM, Will Hopkins <will.hopkins@...> wrote:
JSR-375 Experts and Users:

Welcome to the new JSR-375 mailing list (javaee-security-spec@...roups.io).

This list replaces the mailing lists previously hosted at java.net. There are no longer separate "experts" and "users" lists; this single list will be used for both purposes (which is a good simplification, since the old experts list was always forwarded to the users list anyway, creating lots of extra copies of emails). The java.net "issues" and "commits" lists will not be replicated here, but there are other mechanisms available to be notified of changes to the github source repos or issues lists.

I have been working on updating the spec for publication of the Public Review Draft. It's not quite done, but I plan to send an email later today detailing the major changes from the EDR and corresponding changes I expect to make to the API code.

Regards,

Will
-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803


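The group-to-role mapping discussed above, modelled as an added example that is not part of this thread, of the JSR 375 API or of its reference implementation. It is plain Java 8 with no container dependency: the class and method names (GroupToRoleMapper, isCallerInRole, resolveMapper) are assumptions chosen for illustration, and the caller's groups are constructed sample data. It shows why the absence of a mapping breaks authorization (every role check fails even though the identity store reported the right group), what the 1:1 default proposed in the thread does, and how a container-specific explicit mapping differs from it.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Model of how a Java EE container turns the groups an identity store returns
 * into the roles it checks for @RolesAllowed / isCallerInRole().
 * Stand-alone illustration; not JSR 375 or any container's actual code.
 */
public class GroupToRoleMappingDemo {

    /** What the identity store hands back after validating a credential: caller name and groups. */
    static final class CallerGroups {
        final String callerName;
        final Set<String> groups;
        CallerGroups(String callerName, Set<String> groups) {
            this.callerName = callerName;
            this.groups = groups;
        }
    }

    /** Maps one group name to the roles it confers (hypothetical interface for this demo). */
    interface GroupToRoleMapper {
        Set<String> rolesForGroup(String group);
    }

    /** No mapping: what a product that mandates explicit mapping does when none is configured. */
    static GroupToRoleMapper noMapping() {
        return group -> Collections.emptySet();
    }

    /** Default 1:1 mapping: every group name is also a role name. */
    static GroupToRoleMapper oneToOneMapping() {
        return group -> Collections.singleton(group);
    }

    /** Explicit mapping, as a container-specific descriptor would define it. */
    static GroupToRoleMapper explicitMapping(Map<String, Set<String>> groupToRoles) {
        return group -> groupToRoles.getOrDefault(group, Collections.emptySet());
    }

    /**
     * The implicit rule proposed in the thread: if a JSR 375 mechanism is in use and
     * no container-specific mapping exists, fall back to 1:1 instead of to "nothing".
     */
    static GroupToRoleMapper resolveMapper(boolean jsr375MechanismConfigured,
                                           Map<String, Set<String>> containerMapping) {
        if (containerMapping != null && !containerMapping.isEmpty()) {
            return explicitMapping(containerMapping);
        }
        return jsr375MechanismConfigured ? oneToOneMapping() : noMapping();
    }

    /** Stand-in for SecurityContext.isCallerInRole / HttpServletRequest.isUserInRole. */
    static boolean isCallerInRole(CallerGroups caller, GroupToRoleMapper mapper, String role) {
        return caller.groups.stream()
                .flatMap(g -> mapper.rolesForGroup(g).stream())
                .anyMatch(role::equals);
    }

    public static void main(String[] args) {
        // Constructed sample: the identity store reports the caller in groups "admin" and "user".
        CallerGroups caller = new CallerGroups("alice",
                new HashSet<>(Arrays.asList("admin", "user")));

        // No mapping: the caller is in no role at all, so @RolesAllowed("admin") always denies.
        System.out.println("no mapping   -> admin? "
                + isCallerInRole(caller, noMapping(), "admin"));            // false

        // 1:1 default: group "admin" is role "admin" without any server-specific configuration.
        System.out.println("1:1 mapping  -> admin? "
                + isCallerInRole(caller, oneToOneMapping(), "admin"));      // true

        // Explicit container mapping: only the mapped role names count.
        Map<String, Set<String>> descriptor = new HashMap<>();
        descriptor.put("admin", Collections.singleton("administrator"));
        GroupToRoleMapper explicit = explicitMapping(descriptor);
        System.out.println("explicit     -> admin? "
                + isCallerInRole(caller, explicit, "admin"));               // false
        System.out.println("explicit     -> administrator? "
                + isCallerInRole(caller, explicit, "administrator"));       // true

        // The proposed implicit rule: JSR 375 mechanism present, no container mapping -> 1:1.
        GroupToRoleMapper resolved = resolveMapper(true, Collections.emptyMap());
        System.out.println("resolved     -> admin? "
                + isCallerInRole(caller, resolved, "admin"));               // true
    }
}
```

The resolveMapper method is the point of the example: it encodes the proposed spec sentence so that a portable application, which can only rely on the group names its identity store returns, still gets working role checks on a container that would otherwise map groups to nothing. An explicit mapping, when present, deliberately wins over the default, since a deployer may want "admin" to confer a differently named role rather than the group name itself.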

