Agenda/Notes from JSR-375 EG Meeting 2017-07-25:
- Soteria work needed for RI to match PFD spec:
  - Expression Language Support -- DONE
  - Add getPrincipalsByType() -- DONE
  - Remove hasAccessToWebResource(resource) -- DONE
  - Changes to signatures for HttpMessageContext -- DONE
  - Changes to notifyContainerAboutLogin to set principals correctly -- In Progress
  - Changes to bridge SAM to support AuthenticationException -- DONE
  - Add support for caller DN to built-in identity stores
  - Support for changes to LdapIdentityStoreDefinition annotation -- DONE
  - Support for changes to DatabaseIdentityStoreDefinition annotation -- In Progress (may deviate from current spec, see below)
- Potential changes for updated PFD:
  - Fix description of RememberMe annotation -- can't be used with built-in identity stores -- DONE (on branch)
  - Describe required Credential type support for built-in identity stores (UsernamePassword required, others
  - Describe permission model, required behavior, for
  - Better DatabaseIdentityStoreDefinition password hashing support -- In Progress
  - Auto-apply session description for spec document --
- Need to get final RI changes (code complete, not necessarily all bugs) to TCK team ASAP, hopefully by tonight (TCK team is in China).
- At risk of not meeting TCK schedule, so need simplest possible solutions for remaining technical issues.
- Use of issues going forward
  - Haven't played with it yet, but may create a project, or maybe just some tags, so that we can manage issues specifically for milestones like generating a PFD2 draft and associated spec and API changes.
  - Will to triage issues and make sure there are open issues for all outstanding work items.
  - Should we use API repo issues to manage API changes and soteria issues for RI? Or keep it simple and just use soteria issues? -- Decision: separate issues for each repo.
  - If working on an issue, assign it to yourself so others know it's being worked.
  - At some point, need to triage issues in security-spec
- Travis CI integration? -- Arjan will fix this so the checking tests work.
- JetBrains? No further followup yet. Will has been in touch to give them the updated spec and request feedback. Suggestion: propose that they submit a PR with spec changes.
- notifyContainerAboutLogin (and getCallerPrincipal())?
  - Don't need to change this. Per JASPIC, CallerPrincipalCallback can do whatever it needs here, even add multiple principals.
  - CallerPrincipal will continue to be explicitly added if provided to notify() as a Principal type or via
- DatabaseIdentityStore PasswordHash
  - Will add an init() method to the interface; the runtime will get the dependent bean at identity store init time, init the algorithm, and hand it to the identity store. The identity-store-specific instance is available internally; may specify an accessor method in a subsequent version of the spec.
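Added illustration of the init()-then-verify flow described in this item (example code written for these notes, not Soteria's implementation or the final API): a PBKDF2 PasswordHash whose interface, parameter keys and defaults are assumptions for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Hypothetical stand-in for the PasswordHash interface discussed above; the runtime calls init() once.
interface PasswordHash {
    void init(Map<String, String> parameters);
    String generate(char[] password);
    boolean verify(char[] password, String storedHash);
}
public class Pbkdf2PasswordHash implements PasswordHash {
    private static final SecureRandom RNG = new SecureRandom();
    private String algorithm = "PBKDF2WithHmacSHA256";
    private int iterations = 210_000, saltBytes = 16, keyBits = 256;
    // Parameter keys are assumptions for this example; unknown keys and weak values are rejected, not ignored.
    @Override public void init(Map<String, String> p) {
        for (Map.Entry<String, String> e : p.entrySet()) {
            switch (e.getKey()) {
                case "Pbkdf2PasswordHash.Algorithm":     algorithm = e.getValue(); break;
                case "Pbkdf2PasswordHash.Iterations":    iterations = Integer.parseInt(e.getValue()); break;
                case "Pbkdf2PasswordHash.SaltSizeBytes": saltBytes = Integer.parseInt(e.getValue()); break;
                case "Pbkdf2PasswordHash.KeySizeBytes":  keyBits = 8 * Integer.parseInt(e.getValue()); break;
                default: throw new IllegalArgumentException("unknown parameter " + e.getKey());
            }
        }
        if (iterations < 10_000 || saltBytes < 16 || keyBits < 128) throw new IllegalArgumentException("too weak");
    }
    // Stored form alg:iter:b64(salt):b64(hash) is self-describing, so old rows still verify after defaults rise.
    @Override public String generate(char[] password) {
        byte[] salt = new byte[saltBytes];
        RNG.nextBytes(salt);
        return algorithm + ":" + iterations + ":" + Base64.getEncoder().encodeToString(salt) + ":"
                + Base64.getEncoder().encodeToString(derive(algorithm, iterations, keyBits, salt, password));
    }
    @Override public boolean verify(char[] password, String stored) {
        try {
            String[] f = stored.split(":");
            if (f.length != 4) return false;
            byte[] salt = Base64.getDecoder().decode(f[2]), expected = Base64.getDecoder().decode(f[3]);
            byte[] actual = derive(f[0], Integer.parseInt(f[1]), expected.length * 8, salt, password);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException malformed) { return false; } // bad base64 or number in stored value
    }
    private static byte[] derive(String alg, int iter, int bits, byte[] salt, char[] pw) {
        try { return SecretKeyFactory.getInstance(alg).generateSecret(new PBEKeySpec(pw, salt, iter, bits)).getEncoded(); }
        catch (java.security.GeneralSecurityException e) { throw new IllegalStateException("unsupported " + alg, e); }
    }
}
```

The identity store only ever sees the initialized instance and calls verify(); generate() is for provisioning tooling, and the parameter map is what the runtime would read off the annotation at init time.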
- Permission for IdentityStore.getCallerGroups()
  - Will use a generic permission (i.e., not qualified by the app context or anything else), checked only if a security manager is enabled.
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803