As an initial proposal, this JSR proposes to deliver standard interfaces and functionality at three layers.
Layer 1: Representation and JRE integration
We propose to define new attribute interfaces to represent identity attributes and their associated metadata. These interfaces would be used to give existing Java object types a common representation as identity attributes, to convey identity attributes within the Java access control context, to integrate with the standard java.security.Policy decision interface, and to reference and represent content acquired from the attribute service.
We expect consideration of the representation of relationships among attributes and collections of attributes to factor in the definition of the representation layer.
Layer 2: Services
We propose to define Attribute Service interfaces to support interaction with attributes in one or more attribute repositories, and to support the integration of applications as attribute providers accessible within this service framework.
For the reference implementation, we will provide a Policy subsystem that is able to consume policies that are contingent on identity attributes acquired from the Attribute Service.
The reference implementation will also include one or more attribute providers that facilitate integration with existing identity repositories and protocols. The specific integrations included in the reference implementation will be decided by the Expert Group, with the understanding that the specification will define contracts allowing third parties to integrate additional repositories. Facebook, Twitter, and LinkedIn will be among the identity repositories considered for integration within the reference implementation, as will their associated programming interfaces and protocols, including Facebook Connect, OpenID Connect, and OAuth 2.0.
We expect consideration of support for multi-tenancy to factor in the definition of the services layer.
Layer 3: Application development
We propose to define annotations that will cause identity attributes, and/or references to identity attributes, to be injected into applications. We also propose to define annotations that will cause application fields to be exported as attributes to the attribute service.
We also intend to describe the use of annotations to insert attribute-based policy enforcement points within applications. Where feasible, we will reuse or extend existing standard annotations. We will also propose and advocate for improvements in the existing Java access control interfaces to facilitate more efficient enforcement of user-centric access control decisions.
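The following is an added illustration of how the Layer 2 policy subsystem and the Layer 3 injection annotations could fit together on top of the standard JRE access control machinery; it is not code from this JSR or its reference implementation. Everything specific to identity attributes here is hypothetical: the AttributePrincipal type (one name/value attribute carried as a Principal in a Subject), the AttributePolicy (a java.security.Policy that grants a RuntimePermission only when the caller's ProtectionDomain carries a matching attribute), the @IdentityAttribute annotation and the reflective AttributeInjector. The two Subjects are constructed in place to stand in for attributes that would be fetched from an attribute service. It relies on Policy, AccessController and Subject.doAsPrivileged as they worked in the Java 6/7 era of this proposal; those APIs are deprecated in recent JDKs and disabled from JDK 24 onward, so the example is for reading the design rather than for production use.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;

/** Hypothetical principal type: one identity attribute (name/value) held inside a Subject. */
final class AttributePrincipal implements Principal {
    private final String attributeName;
    private final String value;

    AttributePrincipal(String attributeName, String value) {
        this.attributeName = attributeName;
        this.value = value;
    }

    String attributeName() { return attributeName; }
    String value() { return value; }

    @Override public String getName() { return attributeName + "=" + value; }
}

/** Hypothetical attribute-based Policy (Layer 2): grants "report.export" only to domains whose
 *  principals carry department=finance; every other permission is delegated to the prior Policy. */
final class AttributePolicy extends Policy {
    static final Permission EXPORT = new RuntimePermission("report.export");
    private final Policy previous = Policy.getPolicy();   // captured before this policy is installed

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!EXPORT.implies(permission)) {
            return previous.implies(domain, permission);
        }
        // Subject.doAsPrivileged combines the caller's domain with the Subject's principals,
        // so the attribute is visible here without any application-specific plumbing.
        Principal[] principals = domain.getPrincipals();
        if (principals == null) return false;
        for (Principal p : principals) {
            if (p instanceof AttributePrincipal) {
                AttributePrincipal a = (AttributePrincipal) p;
                if ("department".equals(a.attributeName()) && "finance".equals(a.value())) {
                    return true;
                }
            }
        }
        return false;   // default deny: no matching attribute, no export
    }
}

/** Hypothetical injection annotation (Layer 3): the field receives the named attribute's value. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface IdentityAttribute {
    String value();
}

/** Hypothetical injector: copies attributes from a Subject into @IdentityAttribute fields. */
final class AttributeInjector {
    static void inject(Object target, Subject subject) throws IllegalAccessException {
        for (Field f : target.getClass().getDeclaredFields()) {
            IdentityAttribute ann = f.getAnnotation(IdentityAttribute.class);
            if (ann == null) continue;
            for (AttributePrincipal p : subject.getPrincipals(AttributePrincipal.class)) {
                if (p.attributeName().equals(ann.value())) {
                    f.setAccessible(true);
                    f.set(target, p.value());
                }
            }
        }
    }
}

public class AttributeDemo {
    @IdentityAttribute("department") String department;   // filled in by AttributeInjector

    /** Policy enforcement point: runs the check as the given Subject and reports the decision. */
    static boolean mayExport(Subject subject) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(AttributePolicy.EXPORT);
                return true;
            } catch (AccessControlException e) {
                return false;
            }
        }, null);
    }

    public static void main(String[] args) throws Exception {
        Policy.setPolicy(new AttributePolicy());

        // Constructed Subjects standing in for attributes acquired from an attribute service.
        Subject finance = new Subject();
        finance.getPrincipals().add(new AttributePrincipal("department", "finance"));
        Subject sales = new Subject();
        sales.getPrincipals().add(new AttributePrincipal("department", "sales"));

        AttributeDemo app = new AttributeDemo();
        AttributeInjector.inject(app, finance);
        System.out.println("injected department: " + app.department);
        System.out.println("finance may export: " + mayExport(finance));
        System.out.println("sales may export: " + mayExport(sales));
    }
}
```

The design point worth noticing is that the enforcement decision never reads application state: the attribute travels with the Subject, the SubjectDomainCombiner attaches it to the caller's ProtectionDomain, and the Policy decides from the domain alone. An annotation-driven enforcement point, as proposed for Layer 3, would wrap the same checkPermission call around a method rather than requiring the application to call it by hand.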