- Changes to signatures for HttpMessageContext -- DONE
- Changes to notifyContainerAboutLogin to set principals correctly -- In Progress
- Changes to bridge SAM to support AuthenticationException -- DONE
- Add support for caller DN to built-in identity stores -- DONE
- Support for changes to LdapIdentityStoreDefinition annotation -- DONE
- Support for changes to DatabaseIdentityStoreDefinition annotation -- In Progress (may deviate from current spec, see below)
Potential changes for updated PFD:
- Fix description of RememberMe annotation -- can't be used with built-in identity stores -- DONE (on branch)
- Describe required Credential type support for built-in identity stores (UsernamePassword required, others optional)
- Describe permission model and required behavior for IdentityStore.getCallerGroups()
- Better DatabaseIdentityStoreDefinition password hashing support -- In Progress
- Auto-apply session description for spec document -- Not Done
Process stuff
- Need to get final RI changes (code complete, not necessarily all bugs fixed) to TCK team ASAP, hopefully by tonight (TCK team is in China).
- At risk of not meeting TCK schedule, so need simplest possible solutions for remaining technical issues.
Use of issues going forward
- Haven't played with it yet, but may create a project, or maybe just some tags, so that we can manage issues specifically for milestones like generating a PFD2 draft and associated spec and API changes.
- Will to triage issues and make sure there are open issues for all outstanding work items.
- Should we use API repo issues to manage API changes and soteria issues for RI? Or keep it simple and just use soteria issues? -- Decision: separate issues for each repo.
- If working on an issue, assign it to yourself so others know it's being worked.
- At some point, need to triage issues in security-spec repo.
- Travis CI integration? -- Arjan will fix this so the checking tests work.
- JetBrains? No further followup yet. Will has been in touch to give them updated spec and request feedback. Suggestion: propose that they submit a PR with spec changes.
Principals in notifyContainerAboutLogin
Don't need to change this. Per JASPIC, CallerPrincipalCallback can do whatever it needs here, even add multiple principals. CallerPrincipal will continue to be explicitly added if provided to notify() as a Principal type or via CredentialValidationResult.
DatabaseIdentityStore PasswordHash
Will add an init() method to the interface; the runtime will get the dependent bean at id store init time, init the algorithm, and hand it to the identity store. Id store specific instance available internally; may specify an accessor method in a subsequent version of the spec.
Permission for IdentityStore.getCallerGroups()
Will use a generic permission (i.e., not qualified by
the app context or anything else), checked only if
security manager is enabled.
--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
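Added example, not part of the meeting notes above and not Soteria code: a self-contained Java sketch of the two decisions recorded for the RI, the PasswordHash init flow (runtime initializes the hash bean with the annotation parameters at identity store init time and hands it to the store) and the generic, security-manager-gated permission check in getCallerGroups(). The interfaces and the permission class are local stand-ins written for this example; the method names (initialize/generate/verify) and the permission name "getGroups" follow what the Java EE Security API later adopted, but nothing here depends on the real API jars. The hash algorithm is a deliberately simple salted, iterated SHA-256 chosen to keep the parameter plumbing visible; a production store would use the spec's PBKDF2-based hash. All sample users, passwords and groups are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.BasicPermission;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class PasswordHashInitDemo {
    public static void main(String[] args) {
        // Parameters the DatabaseIdentityStoreDefinition would carry (constructed sample).
        Map<String, String> params = Map.of("Iterations", "50000", "SaltSizeBytes", "16");
        PasswordHash seed = new SaltedIteratedSha256();
        seed.initialize(params);
        Map<String, String> pw = Map.of("alice", seed.generate("correct horse".toCharArray()));
        Map<String, Set<String>> grp = Map.of("alice", Set.of("users", "admins"));

        DatabaseIdentityStore store =
            new DatabaseIdentityStore(new SaltedIteratedSha256(), params, pw, grp);
        System.out.println("valid password:   " + store.validate("alice", "correct horse".toCharArray()));
        System.out.println("invalid password: " + store.validate("alice", "wrong".toCharArray()));
        System.out.println("groups:           " + store.getCallerGroups("alice"));
    }
}

// Local stand-in for the spec's PasswordHash interface. initialize() is the "init()"
// from the notes; the exact name used here is an assumption.
interface PasswordHash {
    void initialize(Map<String, String> parameters);
    String generate(char[] password);
    boolean verify(char[] password, String hashedPassword);
}

// Illustrative algorithm: salted, iterated SHA-256 with a self-describing stored form.
class SaltedIteratedSha256 implements PasswordHash {
    private final SecureRandom rng = new SecureRandom();
    private int iterations;
    private int saltLength;

    @Override public void initialize(Map<String, String> p) {
        // Called once by the runtime at identity store init time, not per request.
        iterations = Integer.parseInt(p.getOrDefault("Iterations", "100000"));
        saltLength = Integer.parseInt(p.getOrDefault("SaltSizeBytes", "16"));
        if (iterations < 1000 || saltLength < 8) throw new IllegalArgumentException("weak parameters");
    }

    @Override public String generate(char[] password) {
        byte[] salt = new byte[saltLength];
        rng.nextBytes(salt);
        return "SHA-256:" + iterations + ":" + b64(salt) + ":" + b64(digest(password, salt, iterations));
    }

    @Override public boolean verify(char[] password, String stored) {
        String[] f = stored.split(":");
        if (f.length != 4 || !"SHA-256".equals(f[0])) return false;
        byte[] salt = Base64.getDecoder().decode(f[2]);
        byte[] expected = Base64.getDecoder().decode(f[3]);
        // Iteration count is taken from the stored value, so existing hashes keep verifying
        // after the configured count is raised; comparison is constant-time.
        return MessageDigest.isEqual(expected, digest(password, salt, Integer.parseInt(f[1])));
    }

    private static byte[] digest(char[] password, byte[] salt, int rounds) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] out = new String(password).getBytes(StandardCharsets.UTF_8);
            for (int i = 0; i < rounds; i++) { md.reset(); md.update(salt); out = md.digest(out); }
            return out;
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
}

// Generic permission: not qualified by application context or anything else.
class IdentityStorePermission extends BasicPermission {
    IdentityStorePermission(String name) { super(name); }
}

class DatabaseIdentityStore {
    private final PasswordHash hasher;
    private final Map<String, String> passwords;    // caller -> stored hash
    private final Map<String, Set<String>> groups;  // caller -> group names

    // Runtime resolves the PasswordHash bean, initializes it with the annotation's
    // parameters, and hands the initialized instance to the store.
    DatabaseIdentityStore(PasswordHash hasher, Map<String, String> hashParams,
                          Map<String, String> passwords, Map<String, Set<String>> groups) {
        hasher.initialize(hashParams);
        this.hasher = hasher; this.passwords = passwords; this.groups = groups;
    }

    boolean validate(String caller, char[] password) {
        String stored = passwords.get(caller);
        return stored != null && hasher.verify(password, stored);
    }

    Set<String> getCallerGroups(String caller) {
        // Permission is checked only when a security manager is installed.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new IdentityStorePermission("getGroups"));
        return groups.getOrDefault(caller, Set.of());
    }
}
```

Run with `java PasswordHashInitDemo.java` (Java 11 or later; Java 17+ prints a deprecation warning for SecurityManager). Without a security manager the group lookup succeeds unconditionally; with one installed and no grant for IdentityStorePermission "getGroups", checkPermission throws and the store never returns groups to an unprivileged caller, which is the behavior the permission-model item in the PFD list needs to describe.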