Roadmap
The full status tracker lives in Konzept-V00.60.00.md. With the
00.60.00 release (2026-05-14) all eight Konzept points have shipped
as stable SPIs with default implementations, audit hooks and adapter
wiring. The open items are now graduation, polish and demo-side
mutation coverage.
Delivered
| # | Capability | Notes |
|---|---|---|
| 1 | Password hashing | PasswordHasher + PasswordHash (typed record) + Pbkdf2PasswordHasher (PBKDF2-HMAC-SHA256, 120 000 iter). needsRehash(...) drift detection; both demo stores rehash transparently on successful login. |
| 2 | Security audit pipeline | SecurityAuditService SPI with 16 sealed AuditEvent record types (incl. UserCreated/UserDeleted from the new admin UI). RingBufferAuditSink + LoggingAuditSink + CompositeAuditService. Vaadin /audit route + REST GET /api/audit. See Security Audit. |
| 3 | Brute-force protection | LoginAttemptPolicy SPI with sealed LoginAttemptDecision = Allowed | LockedOut. InMemoryLoginAttemptPolicy default. Red lockout banner in both Vaadin demo login views; 429 + Retry-After in REST. See Brute-Force Protection. |
| 4 | Session policies | SessionPolicy<U> SPI with TimeoutSessionPolicy default. Session-id rotation honoured on login as session-fixation defence. See Session Policy. |
| 5 | Role persistence | AuthorizationService stays the boundary; no RoleStore forced into core. Both Vaadin demos ship a /admin/roles UI with role assignment, user create + delete (with ConfirmDialog). |
| 6 | Multi-session logout | LogoutService.logout(SubjectId, LogoutScope) with LogoutScope = CurrentSession | AllSessionsOfSubject. SubjectSessionRegistry tracks active sessions; LogoutListener lets adapters plug in cleanup. See Logout Flows. |
| 7 | Action authorization | ActionAuthorizationService<U> SPI (stable, not just static helpers). ActionPermission record, StaticActionAuthorizationService default. Every denial automatically emits an ActionDenied audit event. |
| 8 | First-run bootstrap | Modes, token store (POSIX 0600), TTL parsing, race-safe admin creation, leak-free validation, brute-force-protected. See Bootstrap. |
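As an added illustration of the row-1 pattern (parameter drift detected via needsRehash and a transparent rehash only after a successful login), written here with JDK classes only; the Demo* types are stand-ins, not the library's PasswordHasher / PasswordHash / Pbkdf2PasswordHasher API, and the file must be named RehashOnLoginDemo.java:

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Stand-in for a typed hash record: it carries its own parameters, so drift against
// the current policy can be checked per stored hash instead of guessed globally.
record DemoPasswordHash(String algorithm, int iterations, byte[] salt, byte[] hash) {}

final class DemoPbkdf2Hasher {
    static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();
    private final int iterations;            // policy value; 120 000 matches the page's default
    DemoPbkdf2Hasher(int iterations) { this.iterations = iterations; }

    DemoPasswordHash hash(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                 // fresh random salt per hash
        return new DemoPasswordHash(ALGORITHM, iterations, salt, derive(password, salt, iterations));
    }

    boolean verify(char[] password, DemoPasswordHash stored) {
        // Re-derive with the parameters stored next to the hash, so legacy hashes still verify.
        return MessageDigest.isEqual(derive(password, stored.salt(), stored.iterations()), stored.hash());
    }

    // Drift detection: the stored hash used another algorithm or fewer iterations than policy.
    boolean needsRehash(DemoPasswordHash stored) {
        return !ALGORITHM.equals(stored.algorithm()) || stored.iterations() < iterations;
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        try {
            return SecretKeyFactory.getInstance(ALGORITHM)
                    .generateSecret(new PBEKeySpec(password, salt, iterations, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

public class RehashOnLoginDemo {
    public static void main(String[] args) {
        char[] pw = "correct horse".toCharArray();                        // constructed sample
        DemoPasswordHash stored = new DemoPbkdf2Hasher(10_000).hash(pw);  // legacy, weaker setting
        DemoPbkdf2Hasher current = new DemoPbkdf2Hasher(120_000);         // today's policy
        if (current.verify(pw, stored) && current.needsRehash(stored)) {
            stored = current.hash(pw);   // upgrade only once the plaintext has been proven correct
        }
        System.out.println("iterations now stored: " + stored.iterations());
    }
}
```

The rehash is gated on a successful verify because the plaintext is only available, and only known to be correct, at that moment; a failed login must never touch the stored hash.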
Plus, beyond the Konzept
| Capability | Notes |
|---|---|
| Core-Java adapter | New security-standalone module (3 classes: Secured, StandaloneLoginFlow, ThreadLocalSubjectStore). Same annotations enforce security on plain Java services via dynamic proxy — no Vaadin, no REST. New demo-standalone CLI demonstrates. See Standalone Integration. |
| SecurityServiceResolver | Central SPI cache for all eight services. Strict accessors throw IllegalStateException; find…() returns Optional; set…(…) is a programmatic test seam. |
| Role + User admin UI in both Vaadin demos | /admin/roles with single-role-set semantics; new-user dialog; per-row delete with ConfirmDialog. Backend-driven in demo-vaadin-rest-client over GET/POST/PUT/DELETE /api/admin/users. |
| Mutation-tested library | Pitest runs on all four library modules — 79 / 90 / 95 / 98 %. See Architecture → Quality. |
| Vaadin Browserless Testing | Wired in security-vaadin + both Vaadin demos. Real adapter-test suite covers LoginView policy ordering, action-gated UI patterns, B3 session-id rotation against MockHttpSession, lockout banner formatting, /audit grid filtering, /setup, /admin/roles flows, MainView tab matrix per role. Replaces the planned Karibu / TestBench setup — free since Vaadin 25.1. |
| ~570 tests across all modules | Reactor-wide mvn test. |
Open within the 00.60 line
| Capability | Why it matters |
|---|---|
| PermissionName graduation | Still marked @ExperimentalSecurityApi. Konzept calls for stable status alongside the now-shipped ActionAuthorizationService SPI. |
| Demo mutation-coverage push | demo-rest (49 %) and demo-vaadin-rest-client (10 %) trail the library numbers. Pitest run pending for the next iteration. |
Planned future versions
None of the items below ship today. The two cards link to concept
documents describing what the next two releases will contain. SPIs,
module names, signatures, and scope may shift before they land. For
what is actually released today, see the
Release Notes.
Policies, Persistence and active Sessions. Policy API + Java Builder DSL, store-agnostic Persistence API with Eclipse Store as reference, tenant-ready records, role refresh + remote logout, password reset / email verification, API keys + refresh tokens + rate limiting, role hierarchy, session-management UI, OpenAPI security metadata.
High-security & identity integration. MFA / step-up, WebAuthn / Passkeys, OIDC-OAuth2 bridge, device + remember-me management, risk-based authentication, Argon2id, tamper-evident audit (hash-chaining), Security Event Bus, metrics + health, fail-closed strict mode, CSRF hardening, GDPR / retention / backup-restore.
Explicitly out of scope
- Built-in cluster mode. The SPIs (SubjectSessionRegistry, SecurityAuditService, LoginAttemptPolicy) are deliberately shaped so Redis / database / IAM-backed implementations are drop-in replacements when needed.
- security-javafx as a dedicated module. Both 00.70 and 00.80 concepts hold the line: security-standalone covers Swing / JavaFX / CLI functionally via manual Secured.wrap(...) + StandaloneLoginFlow. A JavaFX-specific module only makes sense once a real UI-lifecycle need surfaces.
- Becoming a full IAM / OIDC stack. The 00.80 OIDC/OAuth2 bridge translates external identity into internal subjects; it does not replace established identity-provider clients.
License
EUPL 1.2