On May 23, 2013, at 2:55 PM, Jay Balunas <jbalunas@redhat.com> wrote:


On May 23, 2013, at 3:36 PM, Bruno Oliveira wrote:



Jay Balunas wrote:
On May 23, 2013, at 2:45 PM, Bruno Oliveira wrote:

How to properly file jiras?

Since security is a cross-cutting concern affecting most of the
projects on AeroGear, people might get confused about how to file a JIRA
for security.

So here comes my recommendation:

- Issues related to specific projects like JS, Android and iOS should
be created in the respective jiras: AGJS, AGDROID and AGIOS. (my
suggestion only)

- If the issue is something that abstractj|slacker should definitely
take a look at or should work on, please create a link into AGSEC. For
example: https://issues.jboss.org/browse/AGSEC-28

I think this makes sense to me.

I can document it if necessary.

+1, but where - in the AGSEC description section, or somewhere in the docs?  Perhaps in an updated version of http://aerogear.org/docs/guides/JIRAUsage/ ?

It needs to be updated for the different jira sub-projects anyway.



Here is the list of planned components for the AGSEC project in JIRA:

- examples: demos, example of usage, snippets
- docs: documentation about how to make use of security libraries, blog
posts, updates on aerogear.org
- CI: updates on CI like new jobs to be created or improvements
- OTP: TOTP & HOTP components which affect the server, iOS, Android and JS
- crypto: implementations of cryptographic algorithms to support
server/client side
- security-*: aerogear-security, aerogear-security-picketlink and
aerogear-security-shiro.
- social: Twitter, Facebook, Google (any social networks to share your
password with friends)
- auth: authentication methods to be provided (Basic, Digest, LDAP,
OAuth2, Hawk, Mozilla Persona, Two-factor)
- authZ: authorization methods to be implemented or supported.

Not sure of the diff between auth and authZ?

auth - will be issues or feature requests for authentication.
Ex:

- Add two-factor authentication support to JS
- Application X raises http 500 on login
- AeroGear security should provide support for captchas (meh)

authZ - anything directly related to authorization
Ex:

- Add Role-Based Authorization support on AeroGear security
- Even after providing the correct credentials, user Homer is receiving
an HTTP 401 response

Makes sense?

Yup, now I see what you mean.  Would it be better to spell them out all the way then?  authentication and authorization?

+1 - It's not obvious what authZ is at a glance.



- storage: issues and features related to encrypted storage
- cache: issues and features related to encrypted cache

Do you want to add in general components like openshift, testing, tooling, etc...?

Initially I'm not sure if it's necessary, but of course we can add it.

+1 we don't need to add right away, but be able to add as needed.

What you have in mind is something like:

- openshift: for examples on OpenShift and eventual issues

So if some demo has security issues the correct approach would be:
openshift, examples?

Or if there are issues directly related to security features when hosted on OpenShift, or specific security integration for openshift, etc...


- testing: For the efforts led by Karel, I'm +1000. For unit testing
we assume that Bruno should write it; if not, I promise to punish him.

- tooling: Not sure which kind of tasks to include here. Since we already
have AGRAD and security is all around, I'm concerned about overlapping,
so I'm trying to be cautious.

Yeah, not as concerned about this one, good point.




_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev