On May 23, 2013, at 3:36 PM, Bruno Oliveira wrote:
Jay Balunas wrote:
On May 23, 2013, at 2:45 PM, Bruno Oliveira wrote:
How to properly file jiras?
Since security is a cross-cutting concern affecting most of the
projects on AeroGear, people might get confused about how to file a JIRA
for security.
So here comes my recommendation:
- Issues related to specific projects like JS, Android and iOS should
be created in the respective JIRAs: AGJS, AGDROID and AGIOS. (This is my
suggestion only.)
- If the issue is something that abstractj|slacker should definitely
take a look at or should work on, please create a link in AGSEC. For
example: https://issues.jboss.org/browse/AGSEC-28
I think this makes sense to me.
I can document it if necessary.
It needs to be updated for the different jira sub-projects anyway.
Here is the list of planned components for the AGSEC project in JIRA:
- examples: demos, example of usage, snippets
- docs: documentation about how to make use of security libraries, blog
posts, updates on aerogear.org
- CI: updates on CI like new jobs to be created or improvements
- OTP: TOTP & HOTP components which affect the server, iOS, Android and JS
- crypto: implementations of cryptographic algorithms to support
server/client side
- security-*: aerogear-security, aerogear-security-picketlink and
aerogear-security-shiro.
- social: Twitter, Facebook, Google (any social networks to share your
password with friends)
- auth: authentication methods to be provided (Basic, Digest, LDAP,
OAuth2, Hawk, Mozilla Persona, Two-factor)
- authZ: authorization methods to be implemented or supported.
Not sure of the diff between auth and authZ?
auth - will be issues or feature requests for authentication.
Ex:
- Add two-factor authentication support to JS
- Application X raises http 500 on login
- AeroGear security should provide support for captchas (meh)
authZ - anything directly related with authorization
Ex:
- Add Role-Based Authorization support on AeroGear security
- Even after providing the correct credentials, user Homer is receiving an
HTTP 401 response
Makes sense?
Yup, now I see what you mean. Would it be better to spell them out all the way then? authentication and authorization?