Merge pull request #148 from ggam/master
Replaced JCP terms (fixes #147)
arjantijms authored Oct 16, 2019
2 parents cf1c912 + ae5e28e commit cca76fe
Showing 8 changed files with 63 additions and 69 deletions.
50 changes: 25 additions & 25 deletions spec/src/main/asciidoc/authenticationMechanism.asciidoc

Large diffs are not rendered by default.

34 changes: 17 additions & 17 deletions spec/src/main/asciidoc/bibliography.asciidoc
Expand Up @@ -7,25 +7,25 @@

The following documents are referenced by this specification.

[CDI12]::
JSR-346, "Contexts and Dependency Injection for the Java EE platform", version 1.2, Maintenance Release +
https://jcp.org/aboutJava/communityprocess/mrel/jsr346/index.html
[CDI20]::
Jakarta Contexts and Dependency Injection, version 2.0 +
https://jakarta.ee/specifications/cdi/2.0/

[EJB32]::
JSR-345, "Enterprise JavaBeans", version 3.2 +
https://jcp.org/aboutJava/communityprocess/final/jsr345/index.html
[JEB32]::
Jakarta Enterprise Beans, version 3.2 +
https://jakarta.ee/specifications/enterprise-beans/3.2/

[EL30]::
JSR-341, "Expression Language", version 3.0 +
https://jcp.org/aboutJava/communityprocess/final/jsr341/index.html
Jakarta Expression Language, version 3.0 +
https://jakarta.ee/specifications/expression-language/3.0/

[JACC]::
JSR-115, "Java Authorization Contract for Containers", version 1.5, Maintenance Release 3 +
https://jcp.org/aboutJava/communityprocess/mrel/jsr115/index3.html
Jakarta Authorization, version 1.5 +
https://jakarta.ee/specifications/authorization/1.5/

[JASPIC]::
JSR-196, "Java Authentication SPI for Containers", version 1.1, Maintenance Release B +
https://jcp.org/aboutJava/communityprocess/mrel/jsr196/index2.html
Jakarta Authentication, version 1.1 +
https://jakarta.ee/specifications/authentication/1.1/

[RFC2119]::
RFC 2119, "Key words for use in RFCs to Indicate Requirement Level" +
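Review bot: renaming the bibliography keys [CDI12] to [CDI20] and [EJB32] to [JEB32] breaks every existing `[...[CDI12]]` and `[...[EJB32]]` citation that is not updated in the same change; securityContext.asciidoc and identityStore.asciidoc are updated below, but the authenticationMechanism.asciidoc diff is not rendered here, so please confirm that file (and any other) no longer cites the old keys. Two smaller points on the same hunk: the [JACC] and [JASPIC] entries drop the "Maintenance Release 3" / "Maintenance Release B" qualifiers, so the exact release being cited is no longer stated, and [JEB32] now sits between [CDI20] and [EL30], breaking the alphabetical order of the list.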
Expand All @@ -36,12 +36,12 @@ RFC 7617, "The 'Basic' HTTP Authentication Scheme" +
https://tools.ietf.org/html/rfc7617

[SECAPI]::
JSR-375, "Java EE Security API", version 1.0 +
https://jcp.org/en/jsr/detail?id=375
Jakarta Security, version 1.0 +
https://jakarta.ee/specifications/security/1.0/

[SERVLET31]::
JSR-340, "Java Servlet Specification", version 3.1 +
https://jcp.org/aboutJava/communityprocess/final/jsr340/index.html
[SERVLET40]::
Jakarta Servlet, version 3.0 +
https://jakarta.ee/specifications/servlet/4.0/

[SHIROTERM]::
"Apache Shiro Terminology" +
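Review bot: the new [SERVLET40] entry reads "Jakarta Servlet, version 3.0" while its URL and key point at Servlet 4.0; the version label should be 4.0 (the entry it replaces cited Servlet 3.1, so this is a version bump as well as a rename, and the "section 13.8" citation in securityContext.asciidoc should be checked against the 4.0 document).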
12 changes: 3 additions & 9 deletions spec/src/main/asciidoc/concepts.asciidoc
Expand Up @@ -20,14 +20,8 @@ Abbreviation for _HttpAuthenticationMechanism_, an interface defined by this spe
Identity Store::
An Identity Store is a component that can access application-specific security data such as users, groups, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). Synonyms: security provider, repository, store, login module (JAAS), identity manager, service provider, relying party, authenticator, user service. Identity Stores usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the _IdentityStore_ interface use data source-specific APIs to discover authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API.

JACC::
JSR-115, "Java Authorization Contract for Containers", version 1.5 [https://jcp.org/aboutJava/communityprocess/mrel/jsr115/index3.html[JACC]].

JASPIC::
JSR-196, "Java Authentication SPI for Containers", version 1.1 [https://jcp.org/aboutJava/communityprocess/mrel/jsr196/index2.html[JASPIC]].

SAM::
Abbreviation for _ServerAuthModule_, an interface defined by JASPIC.
Abbreviation for _ServerAuthModule_, an interface defined by Jakarta Authentication.

=== General Requirements

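Review bot: the JACC and JASPIC glossary entries are deleted rather than renamed, yet the SAM entry in this same hunk now refers to "Jakarta Authentication", which no longer has a glossary definition, and the bibliography keeps the [JACC] and [JASPIC] keys. Suggest replacing the two removed entries with "Jakarta Authentication::" and "Jakarta Authorization::" definitions pointing at the new jakarta.ee URLs, so a reader can still resolve the terms.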
Expand All @@ -43,7 +37,7 @@ An application server MAY provide a default mapping from caller principal names

==== Caller Principal Types

This specification defines a principal type called _CallerPrincipal_ to represent the identity of an application caller. Historically, application servers have used different principal types to represent an application's callers, and various Jakarta EE specifications (e.g., JASPIC), provide abstractions to accommodate, "the container's representation of the caller principal".
This specification defines a principal type called _CallerPrincipal_ to represent the identity of an application caller. Historically, application servers have used different principal types to represent an application's callers, and various Jakarta EE specifications (e.g., Jakarta Authentication), provide abstractions to accommodate, "the container's representation of the caller principal".

This specification RECOMMENDS that Jakarta EE application servers that rely on container-specific caller principal types derive those types by extending _CallerPrincipal_, so that portable applications can rely on a consistent representation of the caller principal.

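Review bot: style only, in the rewritten sentence: "(e.g., Jakarta Authentication), provide abstractions to accommodate, "the container's representation of the caller principal"" carries two stray commas (after the closing parenthesis and after "accommodate") that predate this change; since the line is being touched anyway, consider "various Jakarta EE specifications (e.g., Jakarta Authentication) provide abstractions to accommodate "the container's representation of the caller principal"".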
Expand Down Expand Up @@ -80,4 +74,4 @@ Attributes on these annotations can be provided either as actual values, or as E

For more information, see the package javadoc for the javax.security.enterprise package.

Expression Language 3.0 is specified by JSR-341, "Expression Language", version 3.0 [https://jcp.org/aboutJava/communityprocess/final/jsr341/index.html[EL30]]
Jakarta Expression Language, version 3.0 [https://jakarta.ee/specifications/expression-language/3.0/[EL30]] is a Jakarta EE specification.
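Review bot: the replacement sentence "Jakarta Expression Language, version 3.0 [...] is a Jakarta EE specification." loses the point of the original, which told the reader where Expression Language 3.0 is specified. Suggest "Expression Language 3.0 is specified by Jakarta Expression Language, version 3.0 [https://jakarta.ee/specifications/expression-language/3.0/[EL30]]." so the paragraph above that says attributes may be given as EL expressions still has its normative pointer.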
4 changes: 2 additions & 2 deletions spec/src/main/asciidoc/identityStore.asciidoc
Expand Up @@ -10,7 +10,7 @@ _IdentityStore_ provides an abstraction of an identity store, which is a databas

Implementations of the _IdentityStore_ interface are used to interact with identity stores to authenticate users (i.e., validate their credentials), and to retrieve caller groups. _IdentityStore_ is roughly analogous to the JAAS _LoginModule_ interface, which is often integrated into Jakarta EE products (albeit in vendor-specific ways). Unlike _LoginModule_, _IdentityStore_ is intended specifically for Java EE, and provides only credential validation and group retrieval functions (i.e., functions that require interaction with an identity store). An _IdentityStore_ does not collect caller credentials, or manipulate __Subject__s.

_IdentityStore_ is intended primarily for use by _HttpAuthenticationMechanism_ implementations, but could in theory be used by other types of authentication mechanisms (e.g., a JASPIC _ServerAuthModule_, or a container's built-in authentication mechanisms). _HttpAuthenticationMechanism_ implementations are not required to use _IdentityStore_ -- they can authenticate users in any manner they choose -- but _IdentityStore_ will often be a useful and convenient mechanism.
_IdentityStore_ is intended primarily for use by _HttpAuthenticationMechanism_ implementations, but could in theory be used by other types of authentication mechanisms (e.g., a Jakarta Authentication _ServerAuthModule_, or a container's built-in authentication mechanisms). _HttpAuthenticationMechanism_ implementations are not required to use _IdentityStore_ -- they can authenticate users in any manner they choose -- but _IdentityStore_ will often be a useful and convenient mechanism.

A significant advantage of using _HttpAuthenticationMechanism_ and _IdentityStore_ over container-provided BASIC or FORM implementations is that it allows an application to control the identity stores it will authenticate against, in a standard, portable way.

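Review bot: the unchanged context line just above the edited paragraph still says _IdentityStore_ "is intended specifically for Java EE"; since this PR replaces JCP-era terminology, that should become "Jakarta EE" in the same change, otherwise the file is left with one Java EE and one Jakarta EE reference two lines apart.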
Expand Down Expand Up @@ -383,4 +383,4 @@ See javadoc for further details on _PasswordHash_ and the _DatabaseIdentityStore

=== Relationship to Other Specifications

_IdentityStore_ and _IdentityStoreHandler_ implementations are CDI beans, as defined by [https://jcp.org/aboutJava/communityprocess/mrel/jsr346/index.html[CDI12]].
_IdentityStore_ and _IdentityStoreHandler_ implementations are CDI beans, as defined by [https://jakarta.ee/specifications/cdi/2.0/[CDI20]].
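Review bot: switching the normative CDI citation from version 1.2 to 2.0 is a requirements change, not a terminology replacement: this sentence defines what an _IdentityStore_ or _IdentityStoreHandler_ bean is, so the spec now formally depends on CDI 2.0 semantics. If that is intended (Jakarta EE 8 ships CDI 2.0), say so in the PR description; if not, cite the Jakarta CDI 2.0 document but keep the text neutral on the version.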
2 changes: 1 addition & 1 deletion spec/src/main/asciidoc/license.asciidoc
Expand Up @@ -5,7 +5,7 @@

== License

Specification: JSR-375 Java EE Security API ("Specification")
Specification: Jakarta Security

Version: 1.0

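Review bot: the removed line introduced the defined term ("Specification") that license text conventionally refers back to; the replacement "Specification: Jakarta Security" drops it. If the license body below uses "the Specification" as a defined term, keep the parenthetical: Specification: Jakarta Security ("Specification").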
6 changes: 3 additions & 3 deletions spec/src/main/asciidoc/preface.asciidoc
Expand Up @@ -5,7 +5,7 @@

== Preface

This document is the Jakarta EE Security API Specification, version 1.0.
This document is the Jakarta Security Specification, version 1.0.

=== Notational Conventions

Expand All @@ -15,11 +15,11 @@ Other documents referenced by this specification are identified by name on first

=== Acknowledgments

The authors would like to thank the JSR-375 Expert Group and Contributors, and, in particular, Arjan Tijms, whose contributions were critical to the success of the JSR.
The authors would like to thank the JSR-375 Expert Group and Contributors, and, in particular, Arjan Tijms, whose contributions were critical to the success of the JCP JSR.

We would also like to thank Alex Kosowski for his work putting together the original JSR-375 proposal, submitting it to the JCP, recruiting a diverse and highly-qualified expert group, and leading the initial development and specification efforts. Without Alex, there would be no JSR-375.

Lastly, we would like to acknowledge Ron Monzillo, and the various expert groups he has led or worked with over the years, for putting in place the foundational security APIs and SPIs upon which JSR-375 is built.
Lastly, we would like to acknowledge Ron Monzillo, and the various expert groups he has led or worked with over the years, for putting in place the foundational security APIs and SPIs upon which JSR-375 was built.

==== Specification Lead

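Review bot: "critical to the success of the JCP JSR" reads awkwardly; "critical to the success of JSR-375 under the JCP" says the same thing more clearly. Leaving the JSR-375 name in the acknowledgments is right, since it records the history of the document rather than its current name.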
4 changes: 2 additions & 2 deletions spec/src/main/asciidoc/security-spec.adoc
Expand Up @@ -3,8 +3,8 @@
//

= Jakarta Security
:authors: Jakarta Security Team, https://projects.eclipse.org/projects/ee4j.es
:email: https://dev.eclipse.org/mailman/listinfo/security.enterprise-api-dev
:authors: Jakarta Security Community, https://projects.eclipse.org/projects/ee4j.es
:email: https://dev.eclipse.org/mailman/listinfo/es-dev
:version-label!:
:doctype: book
:license: Eclipse Foundation Specification License v1.0
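Review bot: the new :email: value https://dev.eclipse.org/mailman/listinfo/es-dev cannot be checked from the diff; please confirm the list exists under that name before merging, since a stale contact address in the rendered author line is hard to notice later. Also note that :email: is rendered by Asciidoctor as the author's email in the document header, so a mailing-list URL there displays as a bare URL rather than a mailto link (this predates the change).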
20 changes: 10 additions & 10 deletions spec/src/main/asciidoc/securityContext.asciidoc
Expand Up @@ -10,7 +10,7 @@ The Jakarta EE platform defines a declarative security model for protecting appl

This specification provides an access point for programmatic security -- a security context -- represented by the _SecurityContext_ interface.

In this version of the specification, the _SecurityContext_ MUST be available in the Servlet container and the EJB container. Application servers MAY make _SecurityContext_ available in other containers, but are NOT REQUIRED to.
In this version of the specification, the _SecurityContext_ MUST be available in the Servlet container and the enterprise beans container. Application servers MAY make _SecurityContext_ available in other containers, but are NOT REQUIRED to.

=== Retrieving and Testing for Caller Data

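Review bot: "the Servlet container and the enterprise beans container" mixes a capitalised product name with a lower-case one; elsewhere in this PR the product is written "Jakarta Enterprise Beans". Suggest "the Jakarta Servlet container and the Jakarta Enterprise Beans container" (or capitalise both consistently).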
Expand All @@ -25,7 +25,7 @@ Principal getCallerPrincipal();
boolean isCallerInRole(String role);
----

The _getCallerPrincipal()_ method retrieves the _Principal_ representing the caller. This is the container-specific representation of the caller principal, and the type may differ from the type of the caller principal originally established by an _HttpAuthenticationMechanism_. This method returns null for an unauthenticated caller. (Note that this behavior differs from the behavior of _EJBContext.getCallerPrincipal()_, which, per JSR-345, "Enterprise JavaBeans", version 3.2 [https://jcp.org/aboutJava/communityprocess/final/jsr345/index.html[EJB32]], returns a principal with a "product-specific unauthenticated principal name" to represent an unauthenticated caller.)
The _getCallerPrincipal()_ method retrieves the _Principal_ representing the caller. This is the container-specific representation of the caller principal, and the type may differ from the type of the caller principal originally established by an _HttpAuthenticationMechanism_. This method returns null for an unauthenticated caller. (Note that this behavior differs from the behavior of _EJBContext.getCallerPrincipal()_, which, per Jakarta Enterprise Beans spec, version 3.2 [https://jakarta.ee/specifications/enterprise-beans/3.2/[JEB32]], returns a principal with a "product-specific unauthenticated principal name" to represent an unauthenticated caller.)

The _getPrincipalsByType()_ method retrieves all principals of the given type. This method can be used to retrieve an application-specific caller principal established during authentication. This method is primarily useful in the case that the container's caller principal is a different type than the application caller principal, and the application needs specific information behavior available only from the application principal. This method returns an empty _Set_ if the caller is unauthenticated, or if the requested type is not found.

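Review bot: "per Jakarta Enterprise Beans spec, version 3.2" is informal and does not match the citation form used elsewhere ("Jakarta Enterprise Beans, version 3.2"); drop "spec" or write "specification". Keeping _EJBContext.getCallerPrincipal()_ unchanged is correct, since that is the API class name and not a JCP term.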
Expand All @@ -44,7 +44,7 @@ The _SecurityContext_ interface defines a method for programmatically testing ac
boolean hasAccessToWebResource(String resource, String... methods);
----

The _hasAccessToWebResource()_ method determines if the caller has access to the specified web resource for the specified HTTP methods, as determined by the security constraints configured for the application. See section 13.8 of [https://jcp.org/aboutJava/communityprocess/final/jsr340/index.html[SERVLET31]] for a description of web application security constraints.
The _hasAccessToWebResource()_ method determines if the caller has access to the specified web resource for the specified HTTP methods, as determined by the security constraints configured for the application. See section 13.8 of [https://jakarta.ee/specifications/servlet/4.0/[SERVLET40]] for a description of web application security constraints.

The resource parameter is an _URLPatternSpec_ that identifies an application-specific web resource. See the javadoc for more detail.

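Review bot: the citation is switched from Servlet 3.1 to [SERVLET40] but the section number "13.8" is carried over unchanged; please confirm that 13.8 still identifies the security-constraints section in the Servlet 4.0 document, as a stale section number silently points readers at the wrong text. Unrelated but on the touched line below: "an _URLPatternSpec_" should be "a _URLPatternSpec_".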
Expand Down Expand Up @@ -85,14 +85,14 @@ The _authenticate()_ method allows an application to signal to the container tha

=== Relationship to Other Specifications

The _SecurityContext_ implementation is a CDI bean, as defined by [https://jcp.org/aboutJava/communityprocess/mrel/jsr346/index.html[CDI12]].
The _SecurityContext_ implementation is a CDI bean, as defined by [https://jakarta.ee/specifications/cdi/2.0/[CDI20]].

Various specifications in Jakarta EE provide similar or even identical methods to those provided be the _SecurityContext_. It is the intention of this specification to eventually supersede those methods and provide a cross-specification, platform alternative. The following gives an overview:

* Servlet - _HttpServletRequest#getUserPrincipal_, _HttpServletRequest#isUserInRole_
* EJB - _EJBContext#getCallerPrincipal_, _EJBContext#isCallerInRole_
* JAX-WS - _WebServiceContext#getUserPrincipal_, _WebServiceContext#isUserInRole_
* JAX-RS - _SecurityContext#getUserPrincipal_, _SecurityContext#isUserInRole_
* JSF - _ExternalContext#getUserPrincipal_, _ExternalContext#isUserInRole_
* CDI - _@Inject Principal_
* WebSockets - _Session#getUserPrincipal_
* Enterprise Beans - _EJBContext#getCallerPrincipal_, _EJBContext#isCallerInRole_
* XML Web Services - _WebServiceContext#getUserPrincipal_, _WebServiceContext#isUserInRole_
* RESTful Web Services - _SecurityContext#getUserPrincipal_, _SecurityContext#isUserInRole_
* Server Faces - _ExternalContext#getUserPrincipal_, _ExternalContext#isUserInRole_
* Contexts and Dependency Injection - _@Inject Principal_
* WebSocket - _Session#getUserPrincipal_
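Review bot: "Server Faces" is not the product name; the list should read "Jakarta Server Faces" (or, to match the other items that omit the "Jakarta" prefix, "Faces" is still wrong, so spell it out in full). While this list is being rewritten, the unchanged context sentence above it has a typo: "methods to those provided be the _SecurityContext_" should be "provided by".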
