Notes from JSR-375 Expert Group Meeting 2017-07-06


Will Hopkins
 

These are my notes, such as they are, from the meeting we had a couple weeks ago.

Agenda/Notes from JSR-375 Expert Group Meeting 2017-07-06:
  • Need to finalize PFD draft this week
  • How do people feel about the PRD draft?
  • Will send out list of proposed changes tonight or tomorrow, and review draft Friday, quick review appreciated
  • Close on open issues
    • How to handle open JIRAs (at javaee) for things we won't do?
    • Open JIRA issues:
      • Hashing algorithms
      • Indirection for annotation config values?
    • Open issues from email:
      • Refactor SecurityContext?
      • Group -> Role mapping?
      • Downcasting principals
    • From my spec notes:
      • avoid dependency on jaspic from AuthException used by HAM?
      • checked exception for, e.g., network errors during validate() or getCallerGroups()?
      • qualifier and scope for HttpAuthenticationMechanism beans?
      • Can we really say it MUST be possible to provide a HAM in an application archive? Isn't that up to CDI?
        • need to use the bean manager that can see both application and container classes.
      • results undefined if more than one HAM supplied? or deployment error? Does CDI say? -- cdi will complain if there are two impls.
    • Other:
      • LDAP annotation attributes -- may tweak these and send proposal to list
Arjan issues:
  • remember me -- secure by default, warning in logs if it is not secure
  • login to continue
Will: ejb get caller vs. servlet get caller -- follows servlet way of doing things -- returns null

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803