[aerogear-dev] AGSEC - Component planning
Jay Balunas
jbalunas at redhat.com
Thu May 23 15:55:00 EDT 2013
On May 23, 2013, at 3:36 PM, Bruno Oliveira wrote:
>
>
> Jay Balunas wrote:
>> On May 23, 2013, at 2:45 PM, Bruno Oliveira wrote:
>>
>>> How to properly file jiras?
>>>
>>> Since security is a cross-cutting concern affecting most of the
>>> projects on AeroGear, people might get confused about how to file a JIRA
>>> for security.
>>>
>>> So here comes my recommendation:
>>>
>>> - Issues related to specific projects like JS, Android and iOS should
>>> be created in the respective JIRAs: AGJS, AGDROID and AGIOS. (This is my
>>> suggestion only.)
>>>
>>> - If the issue is something that abstractj|slacker should definitely
>>> take a look or should work on it, please, create a link into AGSEC. For
>>> example: https://issues.jboss.org/browse/AGSEC-28
>>
>> I think this makes sense to me.
>
> I can document it if necessary.
+1, but where - in the AGSEC description section, or somewhere in the docs? Perhaps in an updated version of http://aerogear.org/docs/guides/JIRAUsage/ ?
It needs to be updated for the different jira sub-projects anyway.
>
>>
>>> Here is the list of planned components for the AGSEC project in JIRA:
>>>
>>> - examples: demos, example of usage, snippets
>>> - docs: documentation about how to make use of security libraries, blog
>>> posts, updates on aerogear.org
>>> - CI: updates on CI like new jobs to be created or improvements
>>> - OTP: TOTP & HOTP components which affect the server, iOS, Android and JS
>>> - crypto: implementations of cryptographic algorithms to support
>>> server/client side
>>> - security-*: aerogear-security, aerogear-security-picketlink and
>>> aerogear-security-shiro.
>>> - social: Twitter, Facebook, Google (any social networks to share your
>>> password with friends)
>>> - auth: authentication methods to be provided (Basic, Digest, LDAP,
>>> OAuth2, Hawk, Mozilla Persona, Two-factor)
>>> - authZ: authorization methods to be implemented or supported.
>>
>> Not sure of the diff with auth and authZ?
>
> auth - will be issues or feature requests for authentication.
> Ex:
>
> - Add two-factor authentication support to JS
> - Application X raises http 500 on login
> - AeroGear security should provide support for captchas (meh)
>
> authZ - anything directly related to authorization
> Ex:
>
> - Add Role-Based Authorization support on AeroGear security
> - Even after providing the correct credentials, user Homer is receiving
> an HTTP 401 response
>
> Makes sense?
Yup, now I see what you mean. Would it be better to spell them out all the way then? authentication and authorization ?
>
>>
>>> - storage: issues and features related to encrypted storage
>>> - cache: issues and features related to encrypted cache
>>
>> Do you want to add in general components like openshift, testing, tooling, etc...?
>
> Initially I'm not sure if it's necessary, but of course we can add it.
+1 we don't need to add right away, but be able to add as needed.
> What you have in mind is something like:
>
> - openshift: for examples on OpenShift and eventual issues
>
> So if some demo has security issues the correct approach would be:
> openshift, examples?
Or if there are issues directly related to security features when hosted on OpenShift, or specific security integration for openshift, etc...
>
> - testing: For the efforts led by Karel, I'm +1000. For unit testing
> we assume that Bruno should write it, if not, I promise to punish him.
>
> - tooling: Not sure which kind of tasks to include here. Since we already
> have AGRAD and security is all around, I'm concerned about overlapping,
> so I'm trying to be cautious.
Yeah, not as concerned about this one, good point.
>
>
>