astralsign
diff --git a/‎src/main/jbake/content/security-api.adoc‎
Lines changed: 7 additions & 7 deletions b/‎src/main/jbake/content/security-api.adoc‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎src/main/jbake/content/security-api001.adoc‎
Lines changed: 77 additions & 60 deletions b/‎src/main/jbake/content/security-api001.adoc‎
Lines changed: 77 additions & 60 deletions
diff --git a/‎src/main/jbake/content/security-api002.adoc‎
Lines changed: 65 additions & 4 deletions b/‎src/main/jbake/content/security-api002.adoc‎
Lines changed: 65 additions & 4 deletions
diff --git a/‎src/main/jbake/content/security-api003.adoc‎
Lines changed: 1 addition & 1 deletion b/‎src/main/jbake/content/security-api003.adoc‎
Lines changed: 1 addition & 1 deletion
@@ -1,26 +1,26 @@
 type=page
 status=published
-title=Java API for Security
+title=Using the Java EE Security API
 next=security-api001.html
 prev=security-javaee003.html
 ~~~~~~
-= Java API for Security
+= Using the Java EE Security API
 
 
 
-[[java-api-for-security]]
-53 Java API for Security
-------------------------
+[[using-the-java-ee-security-api]]
+53 Using the Java EE Security API
+---------------------------------
 
 
-This chapter primarily describes the authentication and credential validation
+This chapter describes the authentication and credential validation
 functionality provided by the Java EE Security API. The API also
 defines a SecurityContext access point for programmatic security.
 
 
 The following topics are addressed here:
 
-* link:security-api001.html#about-the-java-api-for-security[About the Java API for Security]
+* link:security-api001.html#about-the-java-ee-security-api[About the Java EE Security API]
 * link:security-api002.html#overview-of-the-http-auth-mech-int[Overview of the HTTP Authentication Mechanism Interface]
 * link:security-api003.html#overview-of-the-identity-store-interfaces[Overview of the Identity Store Interfaces]
 * link:security-api004.html#running-the-built-in-database-identity-store-example[Running the Built-In Database Identity Store Example]
 
@@ -1,144 +1,161 @@
 type=page
 status=published
-title=Java API for Security
+title=About the Java EE Security API
 next=security-api002.html
 prev=security-api.html
 ~~~~~~
-= About the Java API for Security
-
-
-
-[[about-the-java-api-for-security]]
-About the Java API for Security
--------------------------------
+= About the Java EE Security API
 
+[[about-the-java-ee-security-api]]
+About the Java EE Security API
+------------------------------
 
 Java EE includes support for JSR 375, which defines portable, plug-in interfaces
 for authentication and identity stores, and a new injectable-type SecurityContext
 interface that provides an access point for programmatic security. You can use
 the built-in implementations of these APIs, or define custom
 implementations.
 
-The Java API for Security contains the following packages:
+The Java EE Security API contains the following packages:
 
 * The `javax.security.enterprise` package is the main Java EE security API package
 and contains classes and interfaces that span authentication, authorization, and
 identity concerns. link:#main-classes-and-interfaces-in-enterprise[Table 51-1] lists
 the main class and interfaces in this package.
 
 * The `javax.security.enterprise.authentication.mechanism.http` package contains
-classes and interfaces associated with authentication mechanisms that specifically
-target HTTP as an environment to interact with a caller (challenge/response, obtain
-credentials). This API is specified only for use in the servlet container.
+classes and interfaces associated with HTTP-based authentication mechanisms that
+can interact with a caller or third-parties as part of an authentication protocol.
 link:#main-classes-and-interfaces-in-authentication[Table 51-2] lists the main classes
 and interfaces in this package.
 
 * The `javax.javax.security.enterprise.credential` package contains classes and
-interfaces associated with submitting credentials. link:#main-classes-and-interfaces-in-credential[Table 51-3]
+interfaces for representing user credentials. link:#main-classes-and-interfaces-in-credential[Table 51-3]
 lists the main classes and interfaces in this package.
 
 * The `javax.security.enterprise.identitystore` package contains classes and
-interfaces associated with the identity store, which validate the credentials of the
-Caller, and access a Caller's identity attributes. link:#main-classes-and-interfaces-in-identitystore[Table 51-4]
+interfaces associated with identity stores that validate a caller's credentials
+and lookup caller groups. link:#main-classes-and-interfaces-in-identitystore[Table 51-4]
 lists the main classes and interfaces in this package.
 
 
+
 [[main-classes-and-interfaces-in-enterprise]]
 
 *Table 51-1  Main Classes and Interfaces in javax.security.enterprise*
 
-[width=99%,cols="25%,75%"]
+[width=99%,cols="35%,65%"]
 |=======================================================================
 |*Class or Interface* |*Description*
-|`SecurityContext` | Injectable-type interface that provides an access point for
+
+|`SecurityContext` |Injectable-type interface that provides an access point for
 programmatic security intended to be used by application code to query and interact
 with the Java EE Security API.
 
-|`CallerPrincipal` | Principal type that represents the identity of the
+|`CallerPrincipal` |Principal type that can represent the identity of the
 application caller.
 
-|`AuthenticationStatus` | Enum used as a return value, primarily by the
-`HttpAuthenticationMechanism` to indicate the result of the authentication process.
+|`AuthenticationStatus` |Enum used to indicate the return value from an authentication
+mechanism.
 
-|`AuthenticationException` | Indicates that a problem occurred during the
+|`AuthenticationException` |Indicates that a problem occurred during the
 authentication process.
 |=======================================================================
 
 [[main-classes-and-interfaces-in-authentication]]
 
+
 *Table 51-2 Main Classes and Interfaces in javax.security.enterprise.authentication.mechanism.http*
-[width=99%,cols="25%,75%"]
+[width=99%,cols="35%,65%"]
 |=======================================================================
 |*Class or Interface* |*Description*
-|`HttpAuthenticationMechanism` | Interface used to obtain a caller's credentials in some way,
-using the HTTP protocol where necessary.
 
-|`HttpMessageContext` | Interface that contains all of the per-request state
-information and encapsulates the client request, server response,
-container handler for authentication callbacks, and the subject representing
-the caller.
+|`HttpAuthenticationMechanism` |Interface representing an HTTP authentication mechanism.
+Developers can provide their own implementation of this interface, or use one of
+several built-in HTTP authentication mechanisms.
+
+|`HttpMessageContext` |Interface representing the parameters passed to/from methods
+of an `HttpAuthenticationMechanism` at runtime.
 
-|`AuthenticationParameters` | Parameters that are provided with the authentication
-request.
+|`AuthenticationParameters` |Class that carries parameters passed to the
+`SecurityContext.authenticate()` method.
 
-|`HttpMessageContextWrapper` | Class that is an implementation of the
-HttpMessageContext interface that can be subclassed by developers wishing to
-provide extra or different functionality.
+|`HttpMessageContextWrapper` |Abstract class developers can extend to
+customize `HttpMessageContext` behavior.
+|=======================================================================
+
+[width="100%",cols="100%",]
+|=======================================================================
+a|
+*Note:*
+
+The 'javax.security.enterprise.authentication.mechanism.http' package also includes
+a number of annotation classes that can be used to configure/enable the built-in
+authentication mechanisms or modify that behavior of an authentication mechanism.
 |=======================================================================
 
 
 [[main-classes-and-interfaces-in-credential]]
 
 *Table 51-3 Main Classes and Interfaces in javax.security.enterprise.credential*
-[width=99%,cols="25%,75%"]
+[width=99%,cols="35%,65%"]
 |=======================================================================
 |*Class or Interface* |*Description*
-|`Credential` | Represents the credential the caller uses to authenticate.
 
-|`AbstractClearableCredential` | Class that contains behavior common to `credential`
-implementations that can be meaningfully cleared.
+|`Credential` |Interface that represents a generic credential and defines
+several methods to operate on credentials. All other classes in this package
+are implementations of the Credential interface.
+
+|`AbstractClearableCredential` |Abstract class implementing behavior common to
+Credentials that can be meaningfully cleared.
 
-|`BasicAuthenticationCredential` | Class that extends `UsernamePasswordCredential`
+|`BasicAuthenticationCredential` |Class that extends `UsernamePasswordCredential`
 to represent credentials used by HTTP Basic Authentication.
 
-|`CallerOnlyCredential` | Class that represents a credential that contains only a
-caller name and no secret of any kind.
+|`CallerOnlyCredential` |Credential that contains a caller name only; can be
+used to assert an identity, but not to authenticate a user, due to the lack of
+any secret or other credential that can be validated.
 
-|`Password` | Class that represents a text-based password, and includes a built-in
-mechanism for securely clearing the value.
+|`Password` |Class that represents a text-based password.
 
-|`RememberMeCredential` | Class that represents a credential presented as a token,
+|`RememberMeCredential` |Class that represents a credential presented as a token,
 for the explicit usage with the JSR 375 remember me function.
 
-|`UsernamePasswordCredential` | Class that represents the credentials typically
+|`UsernamePasswordCredential` |Class that represents the credentials typically
 used by standard caller name/password authentication.
 |=======================================================================
 
 [[main-classes-and-interfaces-in-identitystore]]
 
 *Table 51-4 Main Classes and Interfaces in javax.security.enterprise.identitystore*
-[width=99%,cols="25%,75%"]
+[width=99%,cols="35%,65%"]
 |=======================================================================
 |*Class or Interface* |*Description*
-|`IdentityStore` |  Mechanism for validating a caller's credentials and
-accessing a caller's identity attributes.
 
-|`IdentityStoreHandler` | Mechanism for validating a caller's credentials,
-and accessing a caller's identity attributes, by consulting a set of one or more
-'IdentityStore's.
+|`IdentityStore` |Interface representing an Identity Store.
+Developers can provide their own implementation of this interface, or use one of
+the built-in Identity Stores.
+
+|`IdentityStoreHandler` |Interface that defines the method applications use to
+interact with Identity Stores. Applications can use the built-in
+IdentityStoreHandler, or supply their own implementation if custom behavior is desired.
 
-|`PasswordHash` |  Interface for objects that can generate and verify password hashes.
+|`PasswordHash` |Interface defining methods for generating and
+validating password hashes, needed to securely validate passwords when using
+the built-in Database Identity Store. Developers can implement this interface
+to generate/validate password hashes using any desired algorithm.
 
-|`Pbkdf2PasswordHash` | Interface that represents the built-in `Pbkdf2PasswordHash`
-implementation.
+|`Pbkdf2PasswordHash` |Marker interface implemented by the built-in PBKDF2
+PasswordHash implementation. Developers can use this interface to select the
+built-in PBKDF2 algorithm when configuring the Database Identity Store.
 
-|`RememberMeIdentityStore` | Mechanism for validating a caller's credentials and
-accessing a caller's identity attributes. This interface is specifically tailored
-for the "remember me" feature.
+|`RememberMeIdentityStore` |Interface defining a special type of Identity Store,
+used in conjunction with the RememberMe annotation to provide RememberMe
+behavior for an application.
 
-|`CredentialValidationResult` | Class that represents the result from an attempt
-to validate an instance of `Credential`.
+|`CredentialValidationResult` |Class that represents the result from an attempt
+to validate a Credential.
 
-|`IdentityStorePermission` | Class for IdentityStore permissions. The permission
-name currently defined is `getGroups`.
+|`IdentityStorePermission` |Permission required to invoke the `getGroups` method of an
+IdentityStore, when a SecurityManager is configured.
 |=======================================================================
@@ -1,6 +1,6 @@
 type=page
 status=published
-title=Java API for Security
+title=Overview of the HTTP Authentication Mechanism Interface
 next=security-api003.html
 prev=security-api001.html
 ~~~~~~
@@ -10,6 +10,67 @@ prev=security-api001.html
 [[overview-of-the-http-auth-mech-int]]
 Overview of the HTTP Authentication Mechanism Interface
 -------------------------------------------------------
-Include a discussion about how the standard HTTPAuthenticationMechanism interface
- implementations can be used, and how you can create a custom
- HttpAuthenticationMechanism if desired.
+
+The `HttpAuthenticationMechanism` interface defines an SPI for writing
+authentication mechanisms that can be provided with an application and
+deployed using CDI. Developers can write their own implementations of `HttpAuthenticationMechanism`
+to support specific authentication token types or protocols. There are also several
+built-in authentication mechanisms that perform BASIC, FORM, and Custom FORM
+authentication.
+
+The built-in authentication mechanisms are enabled and configured through the use
+of one of the following annotations:
+
+* BasicAuthenticationMechanismDefinition -- implements BASIC authentication that
+conforms to the behavior of the servlet container when BASIC <auth-method> is
+declared in web.xml.
+
+* FormAuthenticationMechanismDefinition -- implements FORM authentication that
+conforms to the behavior of the servlet container when the FORM <auth-method>
+is declared in web.xml.
+
+* CustomFormAuthenticationMechanismDefinition -- implements a modified version of
+FORM authentication in which custom handling replaces the POST to j_security_check.
+
+An implementation of HttpAuthenticationMechanism must be a CDI bean to be
+recognized and deployed at runtime, and is assumed to be normal scoped.
+During bean discovery, the servlet container looks for a bean that implements
+`HttpAuthenticationMechanism` -- there should be only one per application -- and,
+if found, arranges for it to be deployed to authenticate the application's callers.
+
+The servlet container leverages JASPIC, the Java Authentication Service
+Provider Interface for Containers, to deploy authentication mechanisms.
+The container provides a JASPIC Server Auth Module (SAM) that can delegate to an
+`HttpAuthenticationMechanism`, and arranges for that "bridge" SAM to be registered
+with the JASPIC `AuthConfigFactory`. At runtime, normal JASPIC processing invokes
+the bridge SAM, which then delegates to the `HttpAuthenticationMechanism` to
+perform the authentication and drive any necessary dialog with the caller, or with
+third parties involved in the authentication protocol flow.
+
+The HttpAuthenticationMechanism interface defines the following three methods,
+which correspond to the three methods defined by the JASPIC ServerAuth interface.
+When one of the JASPIC methods is invoked on the bridge SAM, it delegates to the
+corresponding method of the `HttpAuthenticationMechanism`. Although the method names
+are identical, the method signatures are not; the bridge SAM maps back and forth
+between the parameters passed to it by the JASPIC framework, and the parameters
+expected by an `HttpAuthenticationMechanism`.
+
+* `validateRequest()` -- validate an incoming request and authenticates the caller.
+* `secureResponse()` -- (optional if default is sufficient) secure a response message.
+* `cleanSubject()` -- (optional if default is sufficient) clear the provided Subject of
+principals and credentials.
+
+Only the `validateRequest()` method must be implemented by an `HttpAuthenticationMechanism`;
+the interface includes default implementations for secureResponse()` and `cleanSubject()` that will
+often be sufficient.
+
+The following annotations can be used to add additional behaviors to an `HttpAuthenticationMechanism`:
+
+* `AutoApplySession` -- indicates that the JASPIC `registerSession` functionality
+should be enabled such that the the caller's authenticated identity is
+persisted in the caller's servlet session.
+* `LoginToContinue` -- mechanism to specify properties for FORM login --
+login page, error page, etc. The built-in FORM authentication mechanisms use
+LoginToContinue to configure the necessary parameters.
+* `RememberMe` -- specifies that a `RememberMe` identity store should be used to
+enable `RememberMe` functionality for the authentication mechanism.
@@ -1,6 +1,6 @@
 type=page
 status=published
-title=Java API for Security
+title=Overview of the Identity Store Interfaces
 next=security-api004.html
 prev=security-api002.html
 ~~~~~~