[aerogear-dev] AGSEC - Component planning

Bruno Oliveira bruno at abstractj.org
Thu May 23 15:36:58 EDT 2013



Jay Balunas wrote:
> On May 23, 2013, at 2:45 PM, Bruno Oliveira wrote:
>
>> How to properly file jiras?
>>
>> Since security is a cross-cutting concern affecting most of the
>> projects on AeroGear, people might get confused about how to file a JIRA
>> for security.
>>
>> So here comes my recommendation:
>>
>> - Issues related to specific projects like JS, Android and iOS should
>> be created in the respective JIRAs: AGJS, AGDROID and AGIOS. (this is my
>> suggestion only)
>>
>> - If the issue is something that abstractj|slacker should definitely
>> take a look at or should work on, please create a link to AGSEC. For
>> example: https://issues.jboss.org/browse/AGSEC-28
>
> I think this makes sense to me.

I can document it if necessary.

>
>> Here is the list of planned components for the AGSEC project in JIRA:
>>
>> - examples: demos, example of usage, snippets
>> - docs: documentation about how to make use of security libraries, blog
>> posts, updates on aerogear.org
>> - CI: updates on CI like new jobs to be created or improvements
>> - OTP: TOTP & HOTP components, which affect the server, iOS, Android and JS
>> - crypto: implementations of cryptographic algorithms to support
>> server/client side
>> - security-*: aerogear-security, aerogear-security-picketlink and
>> aerogear-security-shiro.
>> - social: Twitter, Facebook, Google (any social networks to share your
>> password with friends)
>> - auth: authentication methods to be provided (Basic, Digest, LDAP,
>> OAuth2, Hawk, Mozilla Persona, Two-factor)
>> - authZ: authorization methods to be implemented or supported.
>
> Not sure of the diff with auth and authZ?

auth - will be issues or feature requests for authentication.
Ex:

- Add two-factor authentication support to JS
- Application X raises http 500 on login
- AeroGear security should provide support for captchas (meh)

authZ - anything directly related with authorization
Ex:

- Add Role-Based Authorization support on AeroGear security
- Even after providing the correct credentials, user Homer is receiving an
HTTP 401 response

Makes sense?

>
>> - storage: issues and features related with encrypted storage
>> - cache: issues and features related with encrypted cache
>
> Do you want to add in general components like openshift, testing, tooling, etc...?

Initially I'm not sure if it's necessary, but of course we can add it.
What you have in mind is something like:

- openshift: for examples on OpenShift and eventual issues

So if some demo has security issues, the correct approach would be:
openshift, examples?

- testing: For the efforts led by Karel, I'm +1000. For unit testing
we assume that Bruno should write it; if not, I promise to punish him.

- tooling: Not sure which kind of tasks to include here. Since we already
have AGRAD and security is all around, I'm concerned about overlapping,
so I'm trying to be cautious.
