Java ee 8 + security overview

What can we expect in
Java EE 8
and in particular for Java EE Security?

Who Am I
Rudy De Busscher
C4J: Senior Java Web Developer, Java Coach
JSR375: Java EE Security API Expert group member
Java EE believer
@rdebusscher
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be

Agenda
▪ Java EE
▪ How We Got Here
▪ Where We Are Going
▪ Servlet 4
▪ JSON-B
▪ Server sent Events
▪ MVC
▪ CDI
▪ Java EE Security API
▪ Why
▪ Terminology
▪ API for Authentication Mechanism
▪ API for Identity Store
▪ API for Role/Permission Assignment
▪ API for Security Context
▪ API for Authorization Interceptors

J2EE 1.3
CMP,
JCA
J2EE 1.4
Web
Services,
Mgmt,
Deplymnt
Java EE 5
Ease of Use,
EJB 3, JPA,
JSF, JAXB,
JAX-WS
Java EE 6
Pruning,
Ease of Use,
JAX-RS,
CDI,
Bean-
Validation
Web Profile
Servlet 3,
EJB 3.1 Lite
Java EE 7
JMS 2,
Batch, TX,
Concurr,
Web-
Sockets,
JSON
Web Profile
JAX-RS 2
J2EE 1.2
Servlet,
JSP, EJB,
JMS, RMI
Java EE Past, Present, &
Future

Connector
1.7
Managed Beans 1.0 EJB 3.2
Servlet 3.1
Eco-
system
JSF 2.2
JAX-RS
2
JMS 2JPA 2.1
EL 3
JTA 1.2
JSP 2.3
Interceptors 1.2 CDI 1.1
Common
Annotations 1.2
UpdatedMajor
Release
New
Concurrency
Utilities
Batch
Applications
Java API for JSON
Java API for
WebSocket
Bean
Validati
on 1.1
Java EE 7

https://java.net/downloads/javaee-spec/JavaEE8_Community_Survey_Results.pdf
https://blogs.oracle.com/ldemichiel/entry/results_from_the_java_ee
Java EE 8 Community Survey

Java EE 8 Possibilities
▪ Web Standards/HTML5 Alignment
• HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia
▪ Cloud
• Simple security providers, REST management/monitoring
▪ CDI Alignment
• CDI 2, EJB services outside EJB, security interceptors, EJB pruning
▪ Enterprise
• JCache, Configuration, JMS
▪ Java SE 8 alignment

▪ Java EE 8 (JSR 366)
▪ CDI 2 (JSR 365)
▪ JSON-B (JSR 367)
▪ JMS 2.1 (JSR 368)
▪ Servlet 4 (JSR 369)
▪ JAX-RS 2.1 (JSR 370)
Current JSR
▪ MVC (JSR 371)
▪ JSF 2.3 (JSR 372)
▪ Java EE Management
(JSR 373)
▪ JSON-P 1.1 (JSR 374)
▪ Java EE Security (JSR
375)

▪ Principal goal to support HTTP/2
• Request/response multiplexing over single connection
• Multiple streams
• Stream Prioritisation
• Server Push
• Binary Framing
• Header Compression
Servlet 4

Servlet 4 resoures
• Edward Burns - Devnexus 2015 presentation -
http://www.slideshare.net/edburns/http2-comes-to-java-what-
servlet-40-means-to-you-devnexus-2015
• Mark Nottingham - Http/2 presentation -
http://www.slideshare.net/mnot/what-http20-will-do-for-you

Java API for JSON Binding
JSON-B
▪ API to marshal/unmarshal POJOs to/from JSON
• Very similar to JAXB in the XML world
▪ Default mapping of classes to JSON
• Annotations to customise the default mappings
• @JsonProperty, @JsonTransient, @JsonValue
▪ Draw from best of breed ideas in existing JSON binding solutions
• MOXy, Jackson, GSON, Genson, Xstream, …
• Allow switching providers
▪ Provide JAX-RS a standard way to support “application/json” for POJOs
• JAX-RS currently supports JSON-P

Server-Sent Events
(SSE)
▪ Lesser known part of HTML 5
• Standard JavaScript API on the browser
▪ Server-to-client streaming
• “Stock tickers”, monitoring applications
▪ Just plain long-lived HTTP
• Between the extremes of vanilla request/response and WebSocket
• Content-type ‘text/event-stream’
▪ Support via JAX-RS.next()
• Already supported in Jersey JAX-RS reference implementation

MVC
▪ Standard action-based web framework for Java EE
• JSF to continue on it’s evolution path, but not restricted too.
▪ Model
• CDI, Bean Validation, JPA
▪ View
• (Standard) Facelets, JSP (Other) Freemarker, …
▪ Controller
• Majority of work here
• Based on JAX-RS

• Component-based MVC
• like JSF, Wicket, …
• Action-based MVC
• like Struts 2, Spring MVC
MVC types

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Component based MVC

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Action Based MVC

@Path("/")
@View("my-index.xhtml")
public class Bookstore {
...
@GET
public List<Item> getItems() {
...
return items;
}
}
MVC Possibilities

CDI 2
▪ Java SE Bootstrap
▪ XML configuration
▪ Asynchronous events
▪ @Startup for CDI beans
▪ Portable Extension SPI simplification
▪ Small features and enhancements

Adopting Java SE 8
▪ Most of Java SE 8 can already be used with Java EE
• GlassFish, WildFly and WebLogic support JDK 8
▪ Some APIs could adopt features
• Repeatable Annotations
• Date-Time API/JDBC 4.2
• Completable Future
• Lambda expressions, streams
• Default methods

• Expert Group nominations:
EE API veterans: many JSRs, many years struggling with
Security API
3rd party security framework creators/developers
EE platform security implementers
• March 2015: Expert Group started discussions
Java EE Security API
JSR-375

What’s wrong with Java EE
Security?
• Java EE Security viewed as not portable,
abstract/confusing, antiquated
• Doesn’t fit cloud app developer paradigm: requires
app server configuration
• "The ultimate goal is to have basic security working
without the need of any kind of vendor specific
configuration, deployment descriptors, or whatever. ”
– Arjan Tijms

What to do?
• Plug the portability holes
• Modernize
Context Dependency Injection (CDI)
• Intercept at Access Enforcement Points: POJO methods
Expression Language (EL)
• Enable Access Enforcement Points with complex rules
• App Developer Friendly
• Common security configurations not requiring server changes
• Annotation defaults not requiring XML

Ideas
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Security Context
• API for Authorization Interceptors
To modernize, standardise, simplify

Ideas - Terminology
• EG discussions revealed inconsistency in security API terms
• Different EE containers have different names for the same concepts
• When “something” gets authenticated, is that something a...
A User? (e.g. HttpServletRequest.getUserPrincipal)
A Caller? (e.g. EJBContext.getCallerPrincipal)
• What is a group?
A group of users?
A permission
Vs Role?

Ideas - Terminology
• What is that “something” where identities are stored?
security provider (WebLogic)
realm (Tomcat, some hints in Servlet spec)
(auth) repository
(auth) store
login module (JAAS)
identity manager (Undertow)
authenticator (Resin, OmniSecurity, Seam Security)
authentication provider (Spring Security)
identity provider

API for Authentication
Mechanism
• Application manages its own users and groups
• Application needs to authenticate users in order to assign
Roles
• Application authenticates based on application-domain
models
• Application needs to use an authentication method not
supported on the server, like OpenID Connect or OAuth2
• Developer wants to use portable EE Authentication standard

• Java Authentication Service Provider
Interface for Containers
• JSR 196, Maintenance Release 1.1,
in 2013
• Standardised, portable, thin, low-
level authentication framework
• JAAS (LoginModule) is Java SE and
thus not standard within Java EE
JASPIC

Authentication Events
• Throw standardised CDI events at important moments
PreAuthenticate Event
PostAuthenticate Event
PreLogout Event
PostLogout Event
• Possible uses:
Tracking number of logged-in users
Tracking failed login attempts per account
Side effects, like creating a new local user after initial successful authentication via a remote
authentication provider
Loading application-specific user preferences

• Where is the “user” info stored?
API for Identity Store
• Custom stores by annotated POJO’s

API for Role/Permission
Assignment
• After user/Caller is authenticated:
• Need to retrieve the roles/permissions/grants
• API to manage these assignments
• Dynamic role/permission assignment

Why role to group?
• Application; similar users are grouped in a Role
• Identity store
Used for more then 1 application
Probably has already some kind of grouping of users
(department, …)
• Map application Role to Identity store Group
• Today supported
Support in Deployment Descriptors, e.g. web.xml

Role vs Permission
• Role
Grouping of users
When “allowed actions” for a Role changes
Application needs to be changed an redeployed
• Permission
• “Key” to unlock some functionality. Permission is linked in code.
• User/Caller or even role has some permissions
• Changes -> only external where permissions are linked to users.

API for Security Context
• Application needs to access the security API
To get the authenticated user
To check roles
To invoke runAs.
• Application needs the same API to access security
context, regardless of container

API for Authorisation
Interceptors
• Application needs to restrict specific methods to
authorised users
• Application-model rules are used to make access
decisions
• Annotation based
• My requirements
Screen parts (like on JSF Component) needs certain permission
URL’s are protected based on permissions/roles/…

EL Authorization Rules
• To be used in security annotations
• Refer to any object, system or application defined
• Security rules tailored to the application.
• @EvaluateSecured("security.hasRoles('MANAGER')
&& schedule.nowIsOfficeHrs")
void transferFunds() {..};

Complex rules
• AccessDecisionVoter
• Concept from DeltaSpike / Octopus
• Complex logic written out in Java code (CDI bean)
• @Secured(AccountAccessDecisionVoter.class)
void transferFunds() {..};
• public void checkPermission
(AccessDecisionVoterContext ctx,
Set<SecurityViolation> violations) {

Get Involved
• Project Page: The starting point to all resources
https://java.net/projects/javaee-security-spec
• Users List: Subscribe and contribute users@javaee-
security-spec.java.net
• Github Playground: Fork and Play!
https://github.com/javaee-security-spec/javaee-
security-proposals

• What’s Coming in Java EE 8? - Reza Rahman
• http://www.slideshare.net/reza_rahman/javaee8
• Finally, EE Security API JSR 375 - Alex Kosowski
• http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1
• MVC in JavaEE 8 - Manfred Riem
• https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone-
mvc-in-javaee8.pptx
Acknowledgements

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should not be
relied upon in making purchasing decisions. The development, release, and timing of any
features or functionality described for Oracle’s products remains at the sole discretion of
Oracle.
Safe Harbor statement

Java ee 8 + security overview

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Java ee 8 + security overview

Semelhante a Java ee 8 + security overview (20)

Mais de Rudy De Busscher

Mais de Rudy De Busscher (14)

Último

Último (20)

Java ee 8 + security overview

Notas do Editor