I'm submitting these comments on behalf of Oracle's WebLogic
- Add groups to "security data" in description of Identity
- Concern about default mapping for groups -- does this
introduce a security risk that users will be granted roles
unexpectedly due to pre-existing membership in particular
groups? Should we specify an explicit mapping mechanism instead?
Section 2.2, para 7:
- Reference to HttpMessageContext promised, but not provided.
- Consider language to describe/prescribe what happens when more
than one instance of a bean is present.
- Consider language to say what happens if both HAM and web.xml
<login-config> are present.
- Typo: BASIC and BASIC
- Typo in javadoc: "send" should be "sent".
- Consider adding info/references to APIs that exist only in
javadoc (for this annotation they are used by the RI).
- First code block references CredentialValidationResult, but
it's only defined later. Add pointer, and include interface
declaration in code block that lists methods.
- Define "privileged" in reference to the need to restrict
- Typo, first bullet item, comma not needed.
- Make clear there is no requirement for implementations to
supply an action database or LDAP server.
- Describe RememberMe identity store?
- Consider including the following attributes:
  - timeout values (connection, results)
  - scope of results (one level, subtree)
- Need more description of what these are; not sure what
searchBase and searchExpression do.
- What happens if ejb (or other non-web) container tries to use
methods to test access to web resource?
- Could these methods be added to a servlet-specific context?
- What is the scope of the resource argument? I.e., is it
relative to app context, or is it absolute/fully qualified?
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803