Re: [es-dev] [External] : Re: [glassfish-dev] [jacc-dev] Jakarta Authori

[Ed Bratt <ed.bratt@xxxxxxxxxx>]

It would be great to receive these contributions. If the consensus is to move this forward, please be sure to contribute these through the Contribution Questionnaire process (Click the link "Create a Contribution Questionnaire" from the Jakarta Security project page (here). If you have any questions, you can reach out to Wayne and/or the PMC.

Much appreciated!

-- Ed

On 3/18/2021 9:56 AM, arjan tijms wrote:

Hi,

On Thu, Mar 18, 2021 at 4:48 PM Jean-Louis Monteiro <jlmonteiro@xxxxxxxxxxxxx> wrote:

Good idea and good proposal.

Thanks!

 

You are talking about an Eclipse proposal based on Glassfish implementation. But the github repo is in the omnifaces organization and the java packages is also org.omnifaces. 

The repo seems to have 2 years old files committed.

So I'm a bit lost to where the code actually comes from.

Two years ago I started this project, using my own code for an authorization module and code to make the project usable standalone (by e.g. Piranha Cloud, as well as Tomcat), and taking the GlassFish code for the transformation of constraints to permissions. Later I also added the GlassFish authorization module to offer some choice (it's mostly educational and not strictly needed to have two modules). 

So it's a combination of my own code, and the code from GlassFish. If the proposal would be accepted, and the project graduated, the packages of the current Exousia project will not stay omnifaces of course. They would be renamed to likely org.glassfish.exousia.

As mentioned, part of the code is my own, e.g. this one:

https://github.com/omnifaces/exousia/blob/master/src/main/java/org/omnifaces/exousia/AuthorizationService.java

I've marked these by "Copyright (c) ... OmniFaces".

Other parts are taken from GlassFish, most importantly the tricky transformation of constraints to permissions:

• https://github.com/omnifaces/exousia/blob/master/src/main/java/org/omnifaces/exousia/constraints/transformer/ConstraintsToPermissionsTransformer.java
  
• https://github.com/omnifaces/exousia/blob/master/src/main/java/org/omnifaces/exousia/constraints/transformer/PatternBuilder.java
  
• https://github.com/omnifaces/exousia/blob/master/src/main/java/org/omnifaces/exousia/permissions/RolesToPermissionsTransformer.java
  
• https://github.com/omnifaces/exousia/blob/master/src/main/java/org/omnifaces/exousia/constraints/transformer/MethodValue.java
  

As mentioned, one of the two authorization modules (corresponding to the default Servlet/EJB collection/implies algorithm) is taken from GlassFish:

• https://github.com/omnifaces/exousia/tree/master/src/main/java/org/omnifaces/exousia/modules/locked
  

This one has an alternative that's my own code:

• https://github.com/omnifaces/exousia/tree/master/src/main/java/org/omnifaces/exousia/modules/def
  

The original GlassFish code all has the original headers, marked by "Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved."

Most of the headers are two years old, since a) some code was taken 2 years ago, but b) code that was taken more recently is also 2018, since it hasn't changed since then and the GlassFish repo still has 2018 as well. See e.g.

• https://github.com/eclipse-ee4j/glassfish/blob/master/appserver/security/inmemory.jacc.provider/src/main/java/com/sun/enterprise/security/jacc/provider/SimplePolicyConfiguration.java
  

Hope this makes it more clear.

Kind regards,

Arjan

 

_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://urldefense.com/v3/__https://www.eclipse.org/mailman/listinfo/es-dev__;!!GqivPVa7Brio!MK7A0JgDZequSbs1nX5MFWpNKCcykfcTo9BLLOhDfJswhEN9OxuYbiq8RSXvMxI$