A simple security API is a long-awaited addition to Java EE. Although nobody really thinks about security when developing an app, everyone needs to add security after all - and everyone wants to have a simple API to do it so that they don't need to think about it much.
Although Micro Profile should be a small set of APIs to start with, I really strongly suggest to include the new security JSR, provided that it is really simple and thin abstraction.
For a Micro profile, I believe there should be no implementation of the API and application developers should be completely free to choose to bundle any implementation within their application.
For a Micro profile, I believe there should be no implementation of the API and application developers should be completely free to choose to bundle any implementation within their application.I don't quite understand this part. If the burden for finding and bundling compatible implementations is placed on the user, then what distinguishes the Micro Profile from say Tomcat or Jetty, where users are also completely free to bundle any JAX-RS, CDI, Bean Validation and security implementation they wish?Isn't the idea of a profile that it provides a small but focussed set of ready to use functionality?
What I meant is that providing basic features for a Micro profile is OK, as it is a negligible burden if not used. But providing more complicated mechanisms should be pluggable (like complex role to user mapping, support for many types of reals, such as LDAP, authentication by OAuth).
The advantage of Micro profile would still be providing a common pluggable mechanism for extensions, so that e.g. authentication via facebook could be provided by an external library, but without any integration fuss, as the ibrary itself would be likely to provide integration with a standardized mechanism.
The point to have support in the container is to separate business logic from the implementation of the security, even if both are provided by the application itself.
I think OpenID Connect, OAUTH, OpenID and SAML Web SSO are all playing in this space. From what I see some variant of the first 3 is very popular on the web. JWT is popular. SAML Web SSO is used by a lot of enterprises. Not sure I have a view on which subset should be in MicroProfile, but I suspect it wont be a single one.
Then those are the username and password a client have to present. Sometimes we bundle up the username and password into some JSON in a single environment variable, but there's still only one account. It's insanely simple, but it's good enough for many situations. Will JSR 375 be able to support this?
tom
On Monday, June 27, 2016 at 7:48:54 PM UTC+1, Arjan Tijms wrote:Hi,For typical web service/api/restfull backends which seems to be what the micro profile is targeting, one thing that I almost always see being needed is security. Endpoints like e.g. http://example.com/api/me obviously need authentication.Indeed, an explanation on how to obtain some kind of token for usage in (restful) APIs is often the first thing documentation of such API discusses.Yet, in Java EE there's no default authentication mechanism available that's really suitable for this, and there sure isn't a simple / standard way to set up the matching identity store.The Java EE Security API (JSR 375) is however looking at exactly this. A somewhat older example (predating JSR 375) suitable for securing JAX-RS based endpoints looks like this: http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.htmlAlthough it's by far not ready yet, I think the Java EE Security API would be a good match for the Micro Profile.Thoughts?
--
You received this message because you are subscribed to a topic in the Google Groups "MicroProfile" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/microprofile/vKbIbjSiGZ8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to microprofile...@googlegroups.com.
To post to this group, send email to microp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/ee6f4443-4546-44a4-b896-a95826e17dcd%40googlegroups.com.
so you are replacing user/credentials with a token that needs to be managed separately.
I was more thinking about a front-end system authenticating the user against an identity provider (AD, LDAP).
That front-end system is going to use various microservices which again need the user to be authenticated and authorized. Instead of the front-end server sending the credentials to all the back-end services and each back-end service needing to reauthenticate the user against the identity store I'd like to have a more kerberos like setup.The front-end server obtains a ticket for the user and sends this ticket along with all requests to the back-end servers. Through the ticket the user is then authenticated and if it also contains the roles may also be authorized. The ticket itself cannot be modified and can be trusted by the back-end service since it is encrypted with a preshared secret.
--
You received this message because you are subscribed to a topic in the Google Groups "MicroProfile" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/microprofile/vKbIbjSiGZ8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to microprofile...@googlegroups.com.
To post to this group, send email to microp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/9d73ccfe-c10f-45c7-a0c9-65efdeccd972%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "MicroProfile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to microprofile...@googlegroups.com.
To post to this group, send email to microp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/200150c6-bd82-4f11-bc5a-e867f4eb809d%40googlegroups.com.
+1 for JWT
That's exactly why I found it odd Antonio suggested adding all sorts of technology buzzwords like OAuth or JWT. Too much detail...Neither of them despite based on some RFCs are truly interoperable. There will always be differences between providers,
so leaving that to the container sounds best.While JSR 351 went away, there are so many other standards like SAML one might use but only in certain areas.As JSR 375 looks right now, it also should be seen in a more modular way. And maybe things have to be de-scoped or at least offered only to a certain profile (of Java EE 8 and above;-)
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/1fd89c48-4ba1-4111-83b0-1c7aaf796e1a%40googlegroups.com.
Hi,
On Sunday, July 10, 2016, Werner Keil <werne...@gmail.com> wrote:That's exactly why I found it odd Antonio suggested adding all sorts of technology buzzwords like OAuth or JWT. Too much detail...Neither of them despite based on some RFCs are truly interoperable. There will always be differences between providers,True, but you can get quite far with a basic and universal Oauth implementation. Some key configuration details have to be left to the application and/or third party lib, so it works with eg Google or Facebook Oauth.See: https://github.com/omnifaces/soteria-google-oauth-clientso leaving that to the container sounds best.While JSR 351 went away, there are so many other standards like SAML one might use but only in certain areas.As JSR 375 looks right now, it also should be seen in a more modular way. And maybe things have to be de-scoped or at least offered only to a certain profile (of Java EE 8 and above;-)Currently Soteria works on existing Java EE 7 servers. There's no dependency on any EE 8 API yet. It should theoretically work on Tomcat + CDI lib added (haven't tested yet, but will soon).
To unsubscribe from this group and all its topics, send an email to microprofile+unsubscribe@googlegroups.com.
What I'm most curious about is if Soteria will provide a single-sign-on proxy capability, take care of all of the user login and redirection back to your application?
The JSR 375 Experts list may likely be restricted to EG Members, so I created
https://groups.google.com/forum/#!forum/jsr375-contributors