Equinox Security - DRAFT 3.4 Plan

Overview

Last revised 18:35 EST August 08, 2007

This plan is under continuous refinement. Please send comments about this plan to the equinox-dev@eclipse.org developer mailing list.

Goals

This section lists the goals for Eclipse 3.4 for the Equinox Security project. Note that any time estimates are only provided as an indication of the amount of work implied; these are our best guess and could be revised while addressing these work items.

[1] Java Security Provider Integration. Integrate and expose functionality in support of Java's core security mechanisms (java.security.Security, java.security.Provider et al).

[2] User Authentication Framework. Enable applications to perform a login operation during the client lifecycle.

[3] User Credential Management. Provide mechanisms for users and applications to manage passwords, keys and trusted roots.

[4] Code Authorization Support. Provide support for authorization of signed code at various decision points - including install-time, load-time and run-time.

Work Items

This section lists the possible Security work items for the Eclipse 3.4 release with the corresponding [goal]. Some of the items have a higher priority than others.

Committed

• (0 items)

Proposed

• #199330 - Support Java security provider framework (JCA) in Eclipse [1]
• #153850 - Support user authentication based on the JAAS login framework [2]
• #153851 - Implement credential management in support of signed bundles [3]
• #153847 - Support for signature checking at bundle load-time [4]
• #153854 - Analyze and scope impact of enabling Java2 permission checking [4]

Deferred

• (0 items)

Cross Team Issues

This section contains cross team issues that have to be clarified. The concrete outcome affects the plan items listed above.

TBD

Milestone 3 (M3) - 2007/11/09

Themes: Provider management, Load-time signature checking implementation

Committed

• Ongoing work items
  • 3.4 & 3.4M3 planning
  • Wiki & site authoring
  • Bugzilla queue monitoring
  • Sample & unit test development
  • Eclipse.org code scanning.

Proposed

• #204057 - Support enabling OSGi provider without editing java.security
• #196359 - Need a way to view and edit security configuration
• #199921 - Implement API for obtaining system certificate store
• #199943 - Alert framework and widget for load-time security failure notifications
• #201417 - Define launch variable to enable load-time authorization
• #201419 - OSGi changes to enable load-time authorization in classloader
• #201420 - Implement OSGI decision point to load bundle
• #201421 - SPI to be called when load-time authorization is checked
• #199761 - Implement API for editing security file
• #199764 - Support saving java.security changes to current system
• #199767 - Support listing of active security properties
• #204058 - Add console support for OSGi-based security services
• #206465 - Enable daily code scanning...
• #206467 - Integrate generated reports with viewcvs.
• #206471 - Templated code scanning for Eclipse.org projects

Deferred

• (0 items)

Legend

	item is under development.		item is under investigation.
	item is finished.	( )	item is time permitted.
[xyz]	item is deferred (>) from xyz or continues in xyz.		new