<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On May 23, 2013, at 3:36 PM, Bruno Oliveira wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div><br><br>Jay Balunas wrote:<br><blockquote type="cite">On May 23, 2013, at 2:45 PM, Bruno Oliveira wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">How to properly file jiras?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Once security is a cross-cutting concern affecting most part of the<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">projects on AeroGear, people might get confused about how to file a JIRA<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">for security.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">So here comes my recommendation:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- Issues related with specific projects like JS, Android and iOS should<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">be created into the respective jiras: AGJS, AGDROID and AGIOS. (is my<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">suggestion only)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- If the issue is something that abstractj|slacker should definitely<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">take a look or should work on it, please, create a link into AGSEC. For<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">example: <a href="https://issues.jboss.org/browse/AGSEC-28">https://issues.jboss.org/browse/AGSEC-28</a><br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I think this makes sense to me.<br></blockquote><br>I can document it if necessary.<br></div></blockquote><div><br></div><div>+1, but where - in the AGSEC description section, or somewhere on in the docs? Perhaps in an updated version of <a href="http://aerogear.org/docs/guides/JIRAUsage/">http://aerogear.org/docs/guides/JIRAUsage/</a> ?</div><div><br></div><div>It needs to be updated for the different jira sub-projects anyway.</div><br><blockquote type="cite"><div><br><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">Here is the list of planned components for the AGSEC project in JIRA:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- examples: demos, example of usage, snippets<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- docs: documentation about how to make use of security libraries, blog<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">posts, updates on <a href="http://aerogear.org">aerogear.org</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- CI: updates on CI like new jobs to be created or improvements<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- OTP: TOTP& HOTP components which affects the server, iOS, Android and JS<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- crypto: implementations of cryptographic algorithms to support<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">server/client side<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- security-*: aerogear-security, aerogear-security-picketlink and<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">aerogear-security-shiro.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- social: Twitter, Facebook, Google (any social networks to share your<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">password with friends)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- auth: authentication methods to be provided (Basic, Digest, LDAP,<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">OAuth2, Hawk, Mozilla Persona, Two-factor)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- authZ: authorization methods to be implemented or supported.<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Not sure of the diff with auth and authZ?<br></blockquote><br>auth - will be issues or feature requests for authentication.<br>Ex:<br><br>- Add two-factor authentication support to JS<br>- Application X raises http 500 on login<br>- AeroGear security should provide support for captchas (meh)<br><br>authZ - anything directly related with authorization<br>Ex:<br><br>- Add Role-Based Authorization support on AeroGear security<br>- Even after provide the correct credentials user Homer is receiving <br>HTTP 401 response<br><br>Makes sense?<br></div></blockquote><div><br></div><div>Yup, now I see what you mean. Would it be better to spell them out all the way then? authentication and authorization ?</div><br><blockquote type="cite"><div><br><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">- storage: issues and features related with encrypted storage<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">- cache: issues and features related with encrypted cache<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">To you want to add in general components like openshift, testing, tooling, etc...?<br></blockquote><br>Initially I'm not sure if it's necessary, but of course we can add it. <br></div></blockquote><div><br></div><div>+1 we don't need to add right away, but be able to add as needed.</div><br><blockquote type="cite"><div>What do you have in mind is something like:<br><br>- openshift: for examples on OpenShift and eventual issues</div></blockquote><blockquote type="cite"><div><br>So if some demo has security issues the correct approach would be: <br>openshift, examples?<br></div></blockquote><div><br></div><div>Or if there are issues directly related to security features when hosted on OpenShift, or specific security integration for openshift, etc...</div><br><blockquote type="cite"><div><br>- testing: For the efforts leaded by Karel, I'm +1000. For unit testing <br>we assume that Bruno should write it, if not, I promise to punish him.<br><br>- tooling: Nor sure which kind of tasks to include here. Once we already <br>have AGRAD and security is all around I'm concerned about overlapping, <br>so I'm trying to be cautious.<br></div></blockquote><div><br></div><div>Yeah, not as concerned about this one good point</div><br><blockquote type="cite"><div><br><br><br>_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>https://lists.jboss.org/mailman/listinfo/aerogear-dev<br></div></blockquote></div><br></body></html>