+1 (non-binding)

On Wed, May 5, 2010 at 1:30 AM, Paul Lindner <lind...@inuus.com> wrote:
> +1 (non-binding)
>
> On Tue, May 4, 2010 at 3:48 PM, Simone Gianni <simo...@apache.org> wrote:
>
>> I would like to present for a vote the following proposal to be sponsored
>> by the Shindig PMC for a new "Amber" podling. The goal is to build a
>> community around delivering a OAuth v1.0, v1.0a and upcoming v2.0 API and
>> implementation
>>
>> The proposal is available on the wiki at and included below:
>>
>> http://wiki.apache.org/incubator/AmberProposal
>>
>> [] +1 to accept Amber into the Incubator
>> [] 0 don't care
>> [] -1 object and reason why.
>>
>> Thanks,
>> Simone Gianni
>>
>> --- Proposal text from the wiki ---
>>
>> = Amber =
>> == Abstract ==
>> The following proposal is about Apache Amber, a Java development framework
>> mainly aimed to build OAuth-aware applications. After a brief explanation
>> of the OAuth protocol, the following proposal describes how Apache Amber
>> solves issues related to the implementation of applications that adhere to
>> such specification.
>>
>> == Proposal ==
>> Amber will have no or negligible dependencies and will provide both an API
>> specification for, and an unconditionally compliant implementation of, the
>> OAuth v1.0, v1.0a and v2.0 specifications. The API specification will be
>> provided as a separate JAR file allowing re-use by other developers and
>> permits configuration:
>>
>> * by XML
>> * by the Java JAR Services "ServiceLoader" mechanism
>> * programmatically
>>
>> The API component specifies that an implementation must provide default
>> classes for Provider, Consumer and Token objects making Amber easy to
>> integrate with existing infrastructure and OAuth client interactions
>> possible with virtually no additional configuration. The API is flexible
>> enough to allow programmatic customisation or replacement of much of the
>> implementation, including the default HTTP transport.
>>
>> Amber will provide both client and server functionality, enabling
>> developers to deploy robust OAuth services with minimal effort.
>>
>> == Background ==
>> Roughly, OAuth is a mechanism that allows users to share their private
>> resources, like photos, videos or contacts, stored on a site with another
>> site avoiding giving their username and password credentials. Hence, from
>> the user point-of-view, OAuth could be the way to improve their experience
>> across different applications with an enhanced privacy and security control
>> in a simple and standard method from desktop and web applications. The
>> protocol was initially developed by the oauth.net community and now is
>> under IETF standardization process.
>>
>> The main idea behind OAuth is represented by the token concept. Each token
>> grants access to a site, for a specific resource (or a group of resources),
>> and for a precise time-interval. The user is only required to authenticate
>> with the Provider of their original account, after which that entity
>> provides a re-usable token to the Consumer who can use it to access
>> resources at the Provider, on the user's behalf.
>>
>> Moreover, the total transparency to the user, that is completely unaware of
>> using the protocol, represents one of the main valuable characteristics of
>> the specification.
>>
>> Apache Amber community aims not just to create a simple low-level library,
>> but rather to provide a complete OAuth framework easy to use with Java
>> code, on top of which users can build new-generation killer applications.
>>
>> There are currently three implementation efforts going on in ASF for OAuth
>> v1. A stable implementation of OAuth v1 is present in Apache Shindig, but
>> it is not actively developed and not shared with other projects. A Lab
>> having Simone Tripodi as its PI is working on an implementation for an
>> OAuth library that could be used by other products.
>> Zhihong Zhang wrote an OAuth plugin for JMeter.
>>
>> At the same time, on the IETF OAuth v2 mailing list, other people expressed
>> interest for a Java API and implementation, among them two Apache
>> committers and one active contributor.
>>
>> Outside the ASF there are three known Java OAuth 1.0/1.0a libraries
>>
>> * The oauth.net reference implementation by John Kristian, Praveen
>>   Alavilli and Dirk Balfanz.
>> * OAuth SignPost - a simple OAuth message signing client for Java and
>>   Apache HttpComponents by Matthias Kaeppler.
>> * OAuth Scribe - a simple OAuth client by Pablo Fernandez.
>> * asmx-oauth (on google code) - a complete open source OAuth 1.0 Consumer
>>   and Service Provider implementation provided by Asemantics Srl (Simone
>>   Tripodi was involved).
>>
>> == Rationale ==
>> The key role played by the OAuth specification, within the overall Open
>> Stack technologies, jointly with its high degree of adoption and maturity,
>> strongly suggest having an Apache-led incubator for suitable reference
>> implementation. Furthermore, the OAuth specification is currently gaining
>> value due to its involvement in a standardization process within the IETF,
>> as the actual internet draft. Having the Apache Amber as an Apache
>> Incubator could be an opportunity to enforce the actual Apache projects
>> that already reference other IETF specifications.
>>
>> Moreover, other Apache Projects, such as Abdera, Shindig and Wink, are
>> currently supporting the OAuth protocol, so having the OAuth Apache
>> reference implementation should benefit not only the project and the
>> related community itself, but also existing and active Apache projects.
>> Combining efforts from existing Apache projects is a logical step.
>>
>> Providing an Apache licensed library will make it easier for other Apache
>> projects to integrate OAuth, like, for example:
>>
>> * It could be the foundation framework for Consumer developers;
>> * It could be the foundation Framework for Service Provider developers;
>> * It could be integrated into Apache Shindig;
>> * It could be integrated into Apache Abdera;
>> * It could be integrated into Apache Wink;
>> * It could be integrated into Spring Security;
>> * It could be integrated with JAAS (and be deployed in Tomcat-based
>>   Servlet Containers);
>> * It could be integrated into Jakarta JMeter;
>> * Apache Wookie (incubating) expressed interest in an OAuth
>>   implementation;
>> * Most importantly, it could be a backend for dozens of useful new
>>   innovative projects that no-one has envisioned yet.
>>
>> = Current Status =
>> Code in the [[http://svn.apache.org/viewvc/labs/amber|Amber Lab]] and in
>> Apache Shindig is already licensed to the ASF. More contributions of code
>> and ideas are expected from initial committers, so an implementation of
>> OAuth v1 should be reached quickly, and act as a base for an OAuth v2 API
>> and implementation.
>>
>> == Meritocracy ==
>> As a majority of the initial project members are existing ASF committers,
>> we recognize the desirability of running the project as a meritocracy. We
>> are eager to engage other members of the community and operate to the
>> standard of meritocracy that Apache emphasizes; we believe this is the most
>> effective method of growing our community and enabling widespread adoption.
>>
>> == Community ==
>> The amount of interest in the OAuth protocol from enterprises, social
>> networks and individual developers suggests a strong community will develop
>> once the framework to support one is laid.
>>
>> == Core Developers ==
>> * Simone Gianni <simoneg at apache dot org> (Semeru)
>> * Simone Tripodi <simonetripodi at apache dot org> (Sourcesense)
>> * Stuart "Pid" Williams <pid at pidster dot com> (Clubtickets.com)
>> * David Recordon <recordond at apache dot org> (Facebook)
>> * Tommaso Teofili <tommaso at apache dot org> (Sourcesense)
>>
>> == Alignment ==
>> The purpose of the project is to develop an implementation of OAuth v1 and
>> OAuth v2 that can be used by other Apache projects.
>>
>> = Known Risks =
>> == Orphaned Products ==
>> Being OAuth a standard receiving a lot of interest, and being v2 an ongoing
>> work in IETF, we believe there is minimal risk of this work becoming
>> non-strategic and the contributors are confident that a larger community
>> will form within the project in a relatively short space of time.
>>
>> == Inexperience with Open Source ==
>> All of the committers have experience working in one or more open source
>> projects inside and outside ASF.
>>
>> == Homogeneous Developers ==
>> The list of initial committers are geographically distributed across the
>> U.S. and Europe with no one company being associated with a majority of the
>> developers. Many of these initial developers are experienced Apache
>> committers already and all are experienced with working in distributed
>> development communities.
>>
>> == Reliance on Salaried Developers ==
>> To the best of our knowledge, none of the initial committers are being paid
>> to develop code for this project.
>>
>> == Relationships with Other Apache Products ==
>> A number of existing ASF projects could benefit from an OAuth
>> implementation, including Apache Shindig, Apache Abdera, Apache Wink,
>> JMeter which are already using partial and non standardized OAuth
>> implementations. Basically any other server-side framework or application
>> could benefit by using Amber.
>> It is hoped that members of those projects will be interested in
>> contributing to and adopting this implementation.
>>
>> == An Excessive Fascination with the Apache Brand ==
>> Amber fits naturally in the ASF because:
>>
>> * It is an implementation of an open standard
>> * It is a server component on which many other projects can depend on
>>
>> = Documentation =
>> [1] More information about OAuth can be found here:<<BR>>
>> http://www.oauth.net/
>>
>> [2] The IETF discussion about the emerging OAuth v2.0 specification is
>> occurring on this mailing list<<BR>> oa...@ietf.org
>>
>> = Initial Source =
>> The initial source comprises code developed inside Apache Labs, other
>> Apache projects and contributed under the CLA.
>>
>> = Source and Intellectual Property Submission Plan =
>> Source code will be moved from SVN space of Apache Labs, Apache Shindig and
>> other appropriately licensed sources inside the SVN space of the podling.
>>
>> = External Dependencies =
>> None known
>>
>> = Cryptography =
>> The project will use cryptographic utilities available as standard in Java
>> 6.
>>
>> = Required Resources =
>> * Mailing lists
>>   * amber-private (with moderated subscriptions)
>>   * amber-dev
>>   * amber-user
>>   * amber-commits
>> * Subversion directory
>>   * https://svn.apache.org/repos/asf/incubator/amber
>> * Website
>>   * Confluence (AMBER)
>> * Issue Tracking
>>   * JIRA (AMBER)
>>
>> = Initial Committers =
>> Names of initial committers with affiliation and current ASF status:
>>
>> * Simone Gianni <simoneg at apache dot org> (Semeru)
>> * Simone Tripodi <simonetripodi at apache dot org> (Sourcesense)
>> * Stuart "Pid" Williams <pid at pidster dot com> (Clubtickets.com) (CLA
>>   filed)
>> * David Recordon <recordond at apache dot org> (Facebook)
>> * Tommaso Teofili <tommaso at apache dot org> (Sourcesense)
>> * Paul Lindner <lindner at inuus dot com> (LinkedIn)
>> * Pablo Fernandez <fernandezpablo85 at gmail dot com> (LinkedIn)
>>
>> = Sponsors =
>> == Champion ==
>> * Brian McCallister <brianm at apache dot org>
>>
>> == Nominated Mentors ==
>> * Henning Schmiedehausen <henning at apache dot org>
>> * Jean-Frederic Clere <jfclere at gmail dot com>
>> * Gianugo Rabellino <gianugo at apache dot org>
>> * David Jencks <djencks at apache dot org> (Waiting on IPMC)
>>
>> == Sponsoring Entity ==
>> * Shindig PMC - Confirmed Apr 29, 2010
>>
>> = Other interested people =
>> * Saleem Shafi <mshafi at paypal dot com>
>> * Chirag Shah (Apache Shindig Committer)
>> * Greg Brail <gbrail at sonoasystems dot com>
>>
>
--
http://www.somatik.be
Microsoft gives you windows, Linux gives you the whole house.