Java EE 8 + Security Overview

What can we expect in Java EE 8 and in particular for Java EE Security?

Upload: rudy-de-busscher

Post on 16-Apr-2017

TRANSCRIPT

Page 1: Java ee 8 + security overview

What can we expect in Java EE 8

and in particular for Java EE Security?

Page 2: Java ee 8 + security overview

Who Am I

Rudy De Busscher

C4J: Senior Java Web Developer, Java Coach

JSR375: Java EE Security API Expert group member

Java EE believer

@rdebusscher

http://jsfcorner.blogspot.be

http://javaeesquad.blogspot.be

Page 3: Java ee 8 + security overview

Agenda

▪ Java EE
  • How We Got Here
  • Where We Are Going
  • Servlet 4
  • JSON-B
  • Server sent Events
  • MVC
  • CDI

▪ Java EE Security API
  • Why
  • Terminology
  • API for Authentication Mechanism
  • API for Identity Store
  • API for Role/Permission Assignment
  • API for Security Context
  • API for Authorization Interceptors

Page 4: Java ee 8 + security overview

Java EE Past, Present, & Future

J2EE 1.2: Servlet, JSP, EJB, JMS, RMI

J2EE 1.3: CMP, JCA

J2EE 1.4: Web Services, Management, Deployment

Java EE 5: Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS

Java EE 6: Pruning, Ease of Use, JAX-RS, CDI, Bean-Validation, Web Profile, Servlet 3, EJB 3.1 Lite

Java EE 7: JMS 2, Batch, TX, Concurrency, Web-Sockets, JSON, Web Profile, JAX-RS 2


Page 9: Java ee 8 + security overview

Java EE 7

(Diagram of the Java EE 7 specifications; legend: Updated, Major Release, New)

Connector 1.7, Managed Beans 1.0, EJB 3.2, Servlet 3.1, JSF 2.2, JAX-RS 2, JMS 2, JPA 2.1, EL 3, JTA 1.2, JSP 2.3, Interceptors 1.2, CDI 1.1, Common Annotations 1.2

Eco-system: Concurrency Utilities, Batch Applications, Java API for JSON, Java API for WebSocket, Bean Validation 1.1

Page 10: Java ee 8 + security overview

Java EE 8 Community Survey

https://java.net/downloads/javaee-spec/JavaEE8_Community_Survey_Results.pdf

https://blogs.oracle.com/ldemichiel/entry/results_from_the_java_ee

Page 11: Java ee 8 + security overview

Java EE 8 Possibilities

▪ Web Standards/HTML5 Alignment
  • HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia

▪ Cloud
  • Simple security providers, REST management/monitoring

▪ CDI Alignment
  • CDI 2, EJB services outside EJB, security interceptors, EJB pruning

▪ Enterprise
  • JCache, Configuration, JMS

▪ Java SE 8 alignment

Page 12: Java ee 8 + security overview

Current JSRs

▪ Java EE 8 (JSR 366)
▪ CDI 2 (JSR 365)
▪ JSON-B (JSR 367)
▪ JMS 2.1 (JSR 368)
▪ Servlet 4 (JSR 369)
▪ JAX-RS 2.1 (JSR 370)
▪ MVC (JSR 371)
▪ JSF 2.3 (JSR 372)
▪ Java EE Management (JSR 373)
▪ JSON-P 1.1 (JSR 374)
▪ Java EE Security (JSR 375)

Page 13: Java ee 8 + security overview

Servlet 4

▪ Principal goal to support HTTP/2
  • Request/response multiplexing over single connection
  • Multiple streams
  • Stream Prioritisation
  • Server Push
  • Binary Framing
  • Header Compression

Page 14: Java ee 8 + security overview

Servlet 4 resources

• Edward Burns - Devnexus 2015 presentation -
  http://www.slideshare.net/edburns/http2-comes-to-java-what-servlet-40-means-to-you-devnexus-2015

• Mark Nottingham - HTTP/2 presentation - http://www.slideshare.net/mnot/what-http20-will-do-for-you

Page 15: Java ee 8 + security overview

Java API for JSON Binding (JSON-B)

▪ API to marshal/unmarshal POJOs to/from JSON
  • Very similar to JAXB in the XML world

▪ Default mapping of classes to JSON
  • Annotations to customise the default mappings
  • @JsonProperty, @JsonTransient, @JsonValue

▪ Draw from best of breed ideas in existing JSON binding solutions
  • MOXy, Jackson, GSON, Genson, Xstream, …
  • Allow switching providers

▪ Provide JAX-RS a standard way to support “application/json” for POJOs
  • JAX-RS currently supports JSON-P
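As an added example (not from the deck), the JSON-B API as it was finalised in JSR 367, where the annotations on the slide became @JsonbProperty and @JsonbTransient; the Account class and its values are constructed for the example. The point for a service that returns POJOs as "application/json" is that a field which must never leave the server, such as a password hash, is excluded from both directions of the mapping once, instead of being filtered by hand in every JAX-RS resource.

```java
import javax.json.bind.Jsonb;
import javax.json.bind.JsonbBuilder;
import javax.json.bind.annotation.JsonbProperty;
import javax.json.bind.annotation.JsonbTransient;

// Constructed sample class: an account whose password hash must not appear
// in any JSON representation the application produces.
public class Account {

    @JsonbProperty("user_name")      // customise the JSON name of this property
    private String userName;

    @JsonbTransient                  // ignored by both toJson and fromJson
    private String passwordHash;

    private boolean locked;

    public Account() { }             // JSON-B requires a public no-arg constructor

    public Account(String userName, String passwordHash, boolean locked) {
        this.userName = userName;
        this.passwordHash = passwordHash;
        this.locked = locked;
    }

    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public String getPasswordHash() { return passwordHash; }
    public void setPasswordHash(String passwordHash) { this.passwordHash = passwordHash; }
    public boolean isLocked() { return locked; }
    public void setLocked(boolean locked) { this.locked = locked; }

    public static void main(String[] args) throws Exception {
        try (Jsonb jsonb = JsonbBuilder.create()) {
            // Serialise: only user_name and locked appear in the output.
            Account account = new Account("alice", "constructed-hash-value", false);
            System.out.println(jsonb.toJson(account));

            // Deserialise: a client-supplied passwordHash is dropped, so a caller
            // cannot smuggle a hash into the object through the JSON body.
            Account fromClient = jsonb.fromJson(
                "{\"user_name\":\"bob\",\"passwordHash\":\"injected\",\"locked\":true}",
                Account.class);
            System.out.println(fromClient.getUserName() + " hash=" + fromClient.getPasswordHash());
        }
    }
}
```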

Page 16: Java ee 8 + security overview

Server-Sent Events (SSE)

▪ Lesser known part of HTML 5
  • Standard JavaScript API on the browser

▪ Server-to-client streaming
  • “Stock tickers”, monitoring applications

▪ Just plain long-lived HTTP
  • Between the extremes of vanilla request/response and WebSocket
  • Content-type ‘text/event-stream’

▪ Support via JAX-RS.next()
  • Already supported in Jersey JAX-RS reference implementation
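Added example of the server side of the "stock ticker" case using the SSE API that JAX-RS 2.1 (JSR 370) later standardised in javax.ws.rs.sse; this is not code from the deck, and the resource path, event name and the use of a POST to publish are assumptions.

```java
import javax.inject.Singleton;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.sse.Sse;
import javax.ws.rs.sse.SseBroadcaster;
import javax.ws.rs.sse.SseEventSink;

// Assumed resource: one long-lived GET per browser, fed by a shared broadcaster.
@Singleton
@Path("/ticker")
public class TickerResource {

    private Sse sse;
    private SseBroadcaster broadcaster;

    // The container injects the Sse factory; the broadcaster is created once per resource.
    @Context
    public void setSse(Sse sse) {
        this.sse = sse;
        this.broadcaster = sse.newBroadcaster();
    }

    // Browser side: new EventSource("/ticker").addEventListener("quote", ...)
    // The response is plain HTTP with Content-Type text/event-stream and stays open.
    @GET
    @Produces(MediaType.SERVER_SENT_EVENTS)
    public void subscribe(@Context SseEventSink sink) {
        broadcaster.register(sink);
    }

    // Pushes one named event to every registered client. Because anyone who can
    // reach this method can push data to all subscribers, it belongs behind the
    // container's authorization (a security constraint on this URL, for instance).
    @POST
    public void publish(String quote) {
        broadcaster.broadcast(sse.newEventBuilder().name("quote").data(quote).build());
    }
}
```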

Page 17: Java ee 8 + security overview

MVC

▪ Standard action-based web framework for Java EE
  • JSF to continue on its evolution path, but MVC is not restricted to it.

▪ Model
  • CDI, Bean Validation, JPA

▪ View
  • (Standard) Facelets, JSP; (Other) Freemarker, …

▪ Controller
  • Majority of work here
  • Based on JAX-RS

Page 18: Java ee 8 + security overview

MVC types

• Component-based MVC
  • like JSF, Wicket, …

• Action-based MVC
  • like Struts 2, Spring MVC

Page 19: Java ee 8 + security overview

Component based MVC

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Page 20: Java ee 8 + security overview

Action Based MVC

Page 21: Java ee 8 + security overview

MVC Possibilities

    @Path("/")
    @View("my-index.xhtml")
    public class Bookstore {
        ...
        @GET
        public List<Item> getItems() {
            ...
            return items;
        }
    }

Page 22: Java ee 8 + security overview

CDI 2

▪ Java SE Bootstrap

▪ XML configuration

▪ Asynchronous events

▪ @Startup for CDI beans

▪ Portable Extension SPI simplification

▪ Small features and enhancements

Page 23: Java ee 8 + security overview

Adopting Java SE 8

▪ Most of Java SE 8 can already be used with Java EE
  • GlassFish, WildFly and WebLogic support JDK 8

▪ Some APIs could adopt features
  • Repeatable Annotations
  • Date-Time API/JDBC 4.2
  • Completable Future
  • Lambda expressions, streams
  • Default methods

Page 24: Java ee 8 + security overview

Java EE Security API JSR-375

• Expert Group nominations:
  EE API veterans: many JSRs, many years struggling with Security API
  3rd party security framework creators/developers
  EE platform security implementers

• March 2015: Expert Group started discussions

Page 25: Java ee 8 + security overview

What’s wrong with Java EE Security?

• Java EE Security viewed as not portable, abstract/confusing, antiquated

• Doesn’t fit cloud app developer paradigm: requires app server configuration

• "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever." – Arjan Tijms

Page 27: Java ee 8 + security overview

What to do?

• Plug the portability holes

• Modernize
  Contexts and Dependency Injection (CDI): intercept at Access Enforcement Points (POJO methods)
  Expression Language (EL): enable Access Enforcement Points with complex rules

• App Developer Friendly
  • Common security configurations not requiring server changes
  • Annotation defaults not requiring XML

Page 28: Java ee 8 + security overview

Ideas

• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Security Context
• API for Authorization Interceptors

To modernize, standardise, simplify

Page 29: Java ee 8 + security overview

Ideas - Terminology

• EG discussions revealed inconsistency in security API terms

• Different EE containers have different names for the same concepts

• When “something” gets authenticated, is that something a...
  A User? (e.g. HttpServletRequest.getUserPrincipal)
  A Caller? (e.g. EJBContext.getCallerPrincipal)

• What is a group?
  A group of users?
  A permission vs. a Role?

Page 30: Java ee 8 + security overview

Ideas - Terminology

• What is that “something” where identities are stored?
  security provider (WebLogic)
  realm (Tomcat, some hints in Servlet spec)
  (auth) repository
  (auth) store
  login module (JAAS)
  identity manager (Undertow)
  authenticator (Resin, OmniSecurity, Seam Security)
  authentication provider (Spring Security)
  identity provider

Page 31: Java ee 8 + security overview

API for Authentication Mechanism

• Application manages its own users and groups

• Application needs to authenticate users in order to assign Roles

• Application authenticates based on application-domain models

• Application needs to use an authentication method not supported on the server, like OpenID Connect or OAuth2

• Developer wants to use portable EE Authentication standard

Page 32: Java ee 8 + security overview

JASPIC

• Java Authentication Service Provider Interface for Containers

• JSR 196, Maintenance Release 1.1, in 2013

• Standardised, portable, thin, low-level authentication framework

• JAAS (LoginModule) is Java SE and thus not standard within Java EE

Page 33: Java ee 8 + security overview

Authentication Events

• Throw standardised CDI events at important moments
  PreAuthenticate Event
  PostAuthenticate Event
  PreLogout Event
  PostLogout Event

• Possible uses:
  Tracking number of logged-in users
  Tracking failed login attempts per account
  Side effects, like creating a new local user after initial successful authentication via a remote authentication provider
  Loading application-specific user preferences
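Added example, not from the deck: a CDI observer for the proposed PostAuthenticate event that implements the "failed login attempts per account" use above. The event class and its caller-name-plus-outcome shape, and the lockout threshold, are assumptions; the final JSR 375 did not standardise these events, so an application would fire its own from its authentication mechanism.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

// Assumed event class: the deck only names a "PostAuthenticate Event"; the
// caller-name-plus-outcome shape is this example's assumption.
class PostAuthenticateEvent {
    private final String callerName;
    private final boolean success;

    PostAuthenticateEvent(String callerName, boolean success) {
        this.callerName = callerName;
        this.success = success;
    }
    String getCallerName() { return callerName; }
    boolean isSuccess() { return success; }
}

@ApplicationScoped
public class FailedLoginTracker {

    static final int MAX_FAILURES = 5;   // assumed lockout threshold

    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    // CDI observer: runs after every authentication attempt, whichever mechanism handled it.
    public void onAuthenticated(@Observes PostAuthenticateEvent event) {
        String account = event.getCallerName();
        if (account == null) {
            return;                       // anonymous or unknown caller: nothing to track
        }
        if (event.isSuccess()) {
            failures.remove(account);     // a successful login resets the counter
        } else {
            failures.computeIfAbsent(account, a -> new AtomicInteger()).incrementAndGet();
        }
    }

    // For the authentication mechanism to consult before validating a credential.
    public boolean isLocked(String account) {
        return failureCount(account) >= MAX_FAILURES;
    }

    public int failureCount(String account) {
        AtomicInteger count = account == null ? null : failures.get(account);
        return count == null ? 0 : count.get();
    }
}
```

A counter keyed only on the account name lets anyone lock a victim out by failing on purpose, so in practice the lock is time-boxed or combined with a per-source rate limit rather than made permanent.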

Page 34: Java ee 8 + security overview

API for Identity Store

• Where is the “user” info stored?

• Custom stores by annotated POJOs
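Added example, not the deck's code: a custom identity store written against the final JSR 375 API (javax.security.enterprise), where the annotated-POJO proposal became the IdentityStore interface. The two users are constructed sample data, and the injectable Pbkdf2PasswordHash bean is assumed to be supplied by the container's JSR 375 implementation.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

// In-memory identity store; the two users below are constructed sample data.
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash;   // assumed: provided by the JSR 375 implementation

    private final Map<String, String> hashes = new HashMap<>();       // caller -> salted PBKDF2 hash
    private final Map<String, Set<String>> groups = new HashMap<>();  // caller -> groups

    @PostConstruct
    void init() {
        // Only hashes are retained; the clear-text values exist solely to seed the sample.
        hashes.put("alice", passwordHash.generate("correct horse".toCharArray()));
        groups.put("alice", new HashSet<>(Arrays.asList("MANAGER", "USER")));
        hashes.put("bob", passwordHash.generate("battery staple".toCharArray()));
        groups.put("bob", new HashSet<>(Arrays.asList("USER")));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            // Not our credential type: let another store in the chain handle it.
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String stored = hashes.get(upc.getCaller());
        // Unknown caller and wrong password both map to INVALID_RESULT, so the
        // result itself does not reveal which accounts exist.
        if (stored == null || !passwordHash.verify(upc.getPassword().getValue(), stored)) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // The default validationTypes() is VALIDATE plus PROVIDE_GROUPS, so these
        // groups become the caller's groups, which the container maps to roles.
        return new CredentialValidationResult(upc.getCaller(), groups.get(upc.getCaller()));
    }
}
```

An unknown caller skips the PBKDF2 verification and therefore answers faster than a wrong password does; verifying against a dummy hash in that branch removes the timing difference.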

Page 35: Java ee 8 + security overview

API for Role/Permission Assignment

• After user/Caller is authenticated:
  • Need to retrieve the roles/permissions/grants

• API to manage these assignments

• Dynamic role/permission assignment

Page 36: Java ee 8 + security overview

Why role to group?

• Application: similar users are grouped in a Role

• Identity store
  Used for more than one application
  Probably already has some kind of grouping of users (department, …)

• Map application Role to Identity store Group
  • Supported today
  Support in Deployment Descriptors, e.g. web.xml

No More Roles

Page 37: Java ee 8 + security overview

Role vs Permission

• Role
  Grouping of users
  When the “allowed actions” for a Role change, the application needs to be changed and redeployed

• Permission
  • “Key” to unlock some functionality. Permission is linked in code.
  • User/Caller or even role has some permissions
  • Changes -> only external, where permissions are linked to users.

Page 38: Java ee 8 + security overview

API for Security Context

• Application needs to access the security API
  To get the authenticated user
  To check roles
  To invoke runAs.

• Application needs the same API to access security context, regardless of container

Page 39: Java ee 8 + security overview

API for Authorisation Interceptors

• Application needs to restrict specific methods to authorised users

• Application-model rules are used to make access decisions

• Annotation based

• My requirements
  Screen parts (like a JSF Component) need a certain permission
  URLs are protected based on permissions/roles/…

Page 40: Java ee 8 + security overview

EL Authorization Rules

• To be used in security annotations

• Refer to any object, system or application defined

• Security rules tailored to the application.

• Example:

    @EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs")
    void transferFunds() {..};

Page 41: Java ee 8 + security overview

Complex rules

• AccessDecisionVoter

• Concept from DeltaSpike / Octopus

• Complex logic written out in Java code (CDI bean)

• Example:

    @Secured(AccountAccessDecisionVoter.class)
    void transferFunds() {..};

    public void checkPermission(AccessDecisionVoterContext ctx, Set<SecurityViolation> violations) {
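Added example serving both the API for Security Context slide and the AccessDecisionVoter shown above; it is not code from the deck. The voter completes the checkPermission signature on the slide using DeltaSpike's AbstractAccessDecisionVoter together with the JSR 375 SecurityContext, and expresses the office-hours EL rule from the previous slide as Java. The Schedule bean with its 09:00 to 17:00 window and the AccountService class are assumptions, as is a DeltaSpike security module on the classpath with its interceptor enabled in beans.xml.

```java
import java.time.LocalTime;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.Secured;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

// Assumed application bean behind the slide's "schedule.nowIsOfficeHrs" rule.
@ApplicationScoped
class Schedule {
    boolean nowIsOfficeHrs() {
        LocalTime now = LocalTime.now();   // assumed window: 09:00 to 17:00 server time
        return !now.isBefore(LocalTime.of(9, 0)) && now.isBefore(LocalTime.of(17, 0));
    }
}

// Completes the checkPermission(...) signature shown on the slide.
@ApplicationScoped
public class AccountAccessDecisionVoter extends AbstractAccessDecisionVoter {

    @Inject private SecurityContext securityContext;   // JSR 375 "API for Security Context"
    @Inject private Schedule schedule;

    @Override
    protected void checkPermission(AccessDecisionVoterContext ctx,
                                   Set<SecurityViolation> violations) {
        // Each failed rule adds a violation; DeltaSpike blocks the call when the set is non-empty.
        if (securityContext.getCallerPrincipal() == null) {
            violations.add(newSecurityViolation("caller is not authenticated"));
            return;   // no point evaluating role rules for an anonymous caller
        }
        if (!securityContext.isCallerInRole("MANAGER")) {
            violations.add(newSecurityViolation("caller lacks the MANAGER role"));
        }
        if (!schedule.nowIsOfficeHrs()) {
            violations.add(newSecurityViolation("transfers are only allowed during office hours"));
        }
    }
}

// Assumed service class; @Secured runs the voter before the method body, as on the slide.
@ApplicationScoped
class AccountService {
    @Secured(AccountAccessDecisionVoter.class)
    public void transferFunds() {
        // business logic runs only when no violation was recorded
    }
}
```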

Page 42: Java ee 8 + security overview

Get Involved

• Project Page: The starting point to all resources
  https://java.net/projects/javaee-security-spec

• Users List: Subscribe and contribute
  [email protected]

• Github Playground: Fork and Play!
  https://github.com/javaee-security-spec/javaee-security-proposals

Page 43: Java ee 8 + security overview

Acknowledgements

• What’s Coming in Java EE 8? - Reza Rahman
  http://www.slideshare.net/reza_rahman/javaee8

• Finally, EE Security API JSR 375 - Alex Kosowski
  http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1

• MVC in JavaEE 8 - Manfred Riem
  https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone-mvc-in-javaee8.pptx

Page 44: Java ee 8 + security overview

Safe Harbor statement

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 45: Java ee 8 + security overview

Q&A