[aerogear-dev] AGSEC - Component planning

Kris Borchers kris at redhat.com
Thu May 23 15:58:16 EDT 2013


On May 23, 2013, at 2:55 PM, Jay Balunas <jbalunas at redhat.com> wrote:

> 
> On May 23, 2013, at 3:36 PM, Bruno Oliveira wrote:
> 
>> 
>> 
>> Jay Balunas wrote:
>>> On May 23, 2013, at 2:45 PM, Bruno Oliveira wrote:
>>> 
>>>> How to properly file jiras?
>>>> 
>>>> Since security is a cross-cutting concern affecting most of the
>>>> projects on AeroGear, people might get confused about how to file a JIRA
>>>> for security.
>>>> 
>>>> So here comes my recommendation:
>>>> 
>>>> - Issues related to specific projects like JS, Android and iOS should
>>>> be created in the respective JIRAs: AGJS, AGDROID and AGIOS. (This is my
>>>> suggestion only.)
>>>> 
>>>> - If the issue is something that abstractj|slacker should definitely
>>>> take a look at or work on, please create a link in AGSEC. For
>>>> example: https://issues.jboss.org/browse/AGSEC-28
>>> 
>>> I think this makes sense to me.
>> 
>> I can document it if necessary.
> 
> +1, but where - in the AGSEC description section, or somewhere in the docs?  Perhaps in an updated version of http://aerogear.org/docs/guides/JIRAUsage/ ?
> 
> It needs to be updated for the different jira sub-projects anyway.
> 
>> 
>>> 
>>>> Here is the list of planned components for the AGSEC project in JIRA:
>>>> 
>>>> - examples: demos, example of usage, snippets
>>>> - docs: documentation about how to make use of security libraries, blog
>>>> posts, updates on aerogear.org
>>>> - CI: updates on CI like new jobs to be created or improvements
>>>> - OTP: TOTP & HOTP components which affect the server, iOS, Android and JS
>>>> - crypto: implementations of cryptographic algorithms to support
>>>> server/client side
>>>> - security-*: aerogear-security, aerogear-security-picketlink and
>>>> aerogear-security-shiro.
>>>> - social: Twitter, Facebook, Google (any social networks to share your
>>>> password with friends)
>>>> - auth: authentication methods to be provided (Basic, Digest, LDAP,
>>>> OAuth2, Hawk, Mozilla Persona, Two-factor)
>>>> - authZ: authorization methods to be implemented or supported.
>>> 
>>> Not sure of the diff with auth and authZ?
>> 
>> auth - will be issues or feature requests for authentication.
>> Ex:
>> 
>> - Add two-factor authentication support to JS
>> - Application X raises http 500 on login
>> - AeroGear security should provide support for captchas (meh)
>> 
>> authZ - anything directly related to authorization
>> Ex:
>> 
>> - Add Role-Based Authorization support on AeroGear security
>> - Even after providing the correct credentials, user Homer is receiving 
>> HTTP 401 response
>> 
>> Makes sense?
> 
> Yup, now I see what you mean.  Would it be better to spell them out all the way then?  authentication and authorization ?

+1 - It's not obvious what authZ is at a glance.
> 
>> 
>>> 
>>>> - storage: issues and features related to encrypted storage
>>>> - cache: issues and features related to encrypted cache
>>> 
>>> Do you want to add in general components like openshift, testing, tooling, etc...?
>> 
>> Initially I'm not sure if it's necessary, but of course we can add it. 
> 
> +1 we don't need to add right away, but be able to add as needed.
> 
>> What you have in mind is something like:
>> 
>> - openshift: for examples on OpenShift and eventual issues
>> 
>> So if some demo has security issues the correct approach would be: 
>> openshift, examples?
> 
> Or if there are issues directly related to security features when hosted on OpenShift, or specific security integration for openshift, etc...
> 
>> 
>> - testing: For the efforts led by Karel, I'm +1000. For unit testing 
>> we assume that Bruno should write it, if not, I promise to punish him.
>> 
>> - tooling: Not sure which kind of tasks to include here. Since we already 
>> have AGRAD and security is all around I'm concerned about overlapping, 
>> so I'm trying to be cautious.
> 
> Yeah, not as concerned about this one, good point.
> 
>> 
>> 
>> 
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
