[aerogear-dev] AGSEC - Roadmap

Bruno Oliveira bruno at abstractj.org
Fri May 24 11:23:41 EDT 2013


Ahoy, based on the feedback from Matthias, I just updated the AGSEC roadmap. 
Let me know what you guys think, please.

gist: https://gist.github.com/abstractj/b50cee4eb8163ccf4c26

# Component planning

- examples: demos, example of usage, snippets
- docs: documentation about how to make use of security libraries, blog 
posts, updates on aerogear.org
- CI: updates on CI like new jobs to be created or improvements
- OTP: TOTP & HOTP components which affect the server, iOS, Android and JS
- crypto: implementations of cryptographic algorithms to support 
server/client side
- security-*: aerogear-security, aerogear-security-picketlink and 
aerogear-security-shiro.
- social: Twitter, Facebook, Google (any social networks to share your 
password with friends)
- authentication: authentication methods to be provided (Basic, Digest, 
LDAP, OAuth2, Hawk, Mozilla Persona, Two-factor)
- authorization: authorization methods to be implemented or supported.
- storage: issues and features related to encrypted storage
- cache: issues and features related to encrypted cache
- openshift: for examples on OpenShift and eventual issues
- testing: For the efforts led by Karel.

# AeroGear Security - Roadmap

## 1.0.1

* Bug fixes on examples and updates on AeroGear Security

* AGSEC-16: Support for multiple roles for AerogearUser (TBD with sblanc)

* AGSEC-29: Documentation with the overview and description on AeroGear 
Security

* AGSEC-36: Add a method to retrieve all registered users on the 
AuthenticationManager interface (TBD with sblanc)

* AGSEC-36: Add CRUD methods for AerogearUser

* Initial support for OTP on JS

## 1.1.0 (Mid June)

* AGSEC-13: Add HTTP basic authentication support to the client side

     * AGDROID-27 Add HTTP basic authentication support on AeroGear 
Android (summers)

     * AGIOS-4 Add HTTP basic authentication support on AeroGear iOS 
(christos)

     * AGJS-18 Add HTTP basic authentication support on AeroGear.js (I 
can help on it, I'm just following the JS roadmap)

* AGSEC-18: Add session management support

* AGSEC-27: Provide a detailed specification and which kind of 
authentication schemes will be supported

* AGSEC-28: HOTP support

     * AGDROID-30: Add HOTP support to aerogear-otp-java

     * AGIOS-1: Add HOTP support to aerogear-otp-ios


* AGSEC-55: Various security tasks for the Unified Push server

     * AGSEC-30: Unified Push (Add Client Access Key)

     * AGSEC-33: Unified Push: Sec: Add OAuth component to PushEE

     * AGSEC-34: Unified Push: Sec: Add Security Framework to PushEE

     * AGSEC-50: Unified Push: Secure registration of Mobile Variant 
instance with the server

     * AGSEC-51 Unified Push: Secure registration of Push Application

     * AGSEC-52 Unified Push: Secure registration of Mobile Variant

* AGSEC-48: Add Apache Shiro support on AeroGear Security


## 1.2.0 (Mid August)

* AGSEC-6: Encryption for mobile devices

     * AGDROID-34 Implementation and API usage for android crypto

     * AGIOS-3 Implementation and API usage for iOS crypto

* AGSEC-15: Add HTTP digest authentication support to the client side

     * AGDROID-10 Add HTTP digest authentication support on AeroGear 
Android (Summers)

     * AGIOS-5 Add HTTP digest authentication support on AeroGear iOS 
(Christos)

     * AGIOS-6 Provide a parameter on iOS to enable/disable the usage 
of cookies (abstractj)

     * AGJS-23 Add HTTP digest authentication support on AeroGear.js

* AGSEC-26: Authentication schemes for mobile devices

* AGSEC-49: Add Hawk support on AeroGear Security

* AGSEC-55: Various security tasks for the Unified Push server

     * AGSEC-31: Unified Push: Evaluate non repudiation for each 
application on the server

     * AGSEC-53 Unified Push: Secure Admin UI

     * AGSEC-54 Unified Push: Secure http endpoint for sending push 
notification


## 1.3.0 (Mid October)

* AGSEC-2: Secure storage and cache

     * AGSEC-7: Provide a detailed specification about how it should work

* AGSEC-3: Url and Forms that perform important operations must be 
protected by random tokens (hidden nonce values)

* AGSEC-4: Authentication of RESTful requests per transactions must be 
provided as alternative on AeroGear Security

* AGSEC-14: HTTP signed requests

* AGSEC-17: Mobile devices blacklist support


## 1.4.0 (Mid January)

* AGSEC-12: Offline authentication

* AGSEC-25: Include rate-limit to incoming requests from the same origin


## 2.0.0

* AGSEC-5: Social login

     * AGSEC-8: Provide a detailed specification about which methods 
will be supported

* AGSEC-19: Security & privacy policy (geo, user, misc data)

* Biometric authentication (TBD)





Matthias Wessendorf wrote:
> Hi Bruno,
>
> https://issues.jboss.org/browse/AGSEC-55
> I added the new items to this "umbrella" ticket.
>
>
> I'd say, we move the other "unified push" JIRAs to this parent as well.
>
> If you agree, let me move the bits!

