Java EE 8 + Security Overview
What can we expect in Java EE 8
and in particular for Java EE Security?
Who Am I
Rudy De Busscher
C4J: Senior Java Web Developer, Java Coach
JSR375: Java EE Security API Expert group member
Java EE believer
@rdebusscher
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
Agenda
▪ Java EE
▪ How We Got Here
▪ Where We Are Going
▪ Servlet 4
▪ JSON-B
▪ Server sent Events
▪ MVC
▪ CDI
▪ Java EE Security API
▪ Why
▪ Terminology
▪ API for Authentication Mechanism
▪ API for Identity Store
▪ API for Role/Permission Assignment
▪ API for Security Context
▪ API for Authorization Interceptors
Java EE Past, Present, & Future
J2EE 1.2: Servlet, JSP, EJB, JMS, RMI
J2EE 1.3: CMP, JCA
J2EE 1.4: Web Services, Mgmt, Deplymnt
Java EE 5: Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS
Java EE 6: Pruning, Ease of Use, JAX-RS, CDI, Bean Validation, Web Profile, Servlet 3, EJB 3.1 Lite
Java EE 7: JMS 2, Batch, TX, Concurr, Web-Sockets, JSON, Web Profile, JAX-RS 2
Java EE 7 (diagram of the platform and its eco-system; legend: Updated, Major Release, New)
Connector 1.7, Managed Beans 1.0, EJB 3.2, Servlet 3.1, JSF 2.2, JAX-RS 2, JMS 2, JPA 2.1, EL 3, JTA 1.2, JSP 2.3, Interceptors 1.2, CDI 1.1, Common Annotations 1.2
New: Concurrency Utilities, Batch Applications, Java API for JSON, Java API for WebSocket, Bean Validation 1.1
Java EE 8 Community Survey
https://java.net/downloads/javaee-spec/JavaEE8_Community_Survey_Results.pdf
https://blogs.oracle.com/ldemichiel/entry/results_from_the_java_ee
Java EE 8 Possibilities
▪ Web Standards/HTML5 Alignment
• HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia
▪ Cloud
• Simple security providers, REST management/monitoring
▪ CDI Alignment
• CDI 2, EJB services outside EJB, security interceptors, EJB pruning
▪ Enterprise
• JCache, Configuration, JMS
▪ Java SE 8 alignment
Current JSRs
▪ Java EE 8 (JSR 366)
▪ CDI 2 (JSR 365)
▪ JSON-B (JSR 367)
▪ JMS 2.1 (JSR 368)
▪ Servlet 4 (JSR 369)
▪ JAX-RS 2.1 (JSR 370)
▪ MVC (JSR 371)
▪ JSF 2.3 (JSR 372)
▪ Java EE Management (JSR 373)
▪ JSON-P 1.1 (JSR 374)
▪ Java EE Security (JSR 375)
Servlet 4
▪ Principal goal to support HTTP/2
• Request/response multiplexing over single connection
• Multiple streams
• Stream Prioritisation
• Server Push
• Binary Framing
• Header Compression
Servlet 4 resources
• Edward Burns - Devnexus 2015 presentation - http://www.slideshare.net/edburns/http2-comes-to-java-what-servlet-40-means-to-you-devnexus-2015
• Mark Nottingham - HTTP/2 presentation - http://www.slideshare.net/mnot/what-http20-will-do-for-you
Java API for JSON Binding (JSON-B)
▪ API to marshal/unmarshal POJOs to/from JSON
• Very similar to JAXB in the XML world
▪ Default mapping of classes to JSON
• Annotations to customise the default mappings
• @JsonProperty, @JsonTransient, @JsonValue
▪ Draw from best of breed ideas in existing JSON binding solutions
• MOXy, Jackson, GSON, Genson, Xstream, …
• Allow switching providers
▪ Provide JAX-RS a standard way to support “application/json” for POJOs
• JAX-RS currently supports JSON-P
Server-Sent Events (SSE)
▪ Lesser known part of HTML 5
• Standard JavaScript API on the browser
▪ Server-to-client streaming
• “Stock tickers”, monitoring applications
▪ Just plain long-lived HTTP
• Between the extremes of vanilla request/response and WebSocket
• Content-type ‘text/event-stream’
▪ Support via JAX-RS.next()
• Already supported in Jersey JAX-RS reference implementation
MVC
▪ Standard action-based web framework for Java EE
• JSF to continue on its evolution path, but not restricted to it.
▪ Model
• CDI, Bean Validation, JPA
▪ View
• (Standard) Facelets, JSP; (Other) Freemarker, …
▪ Controller
• Majority of work here
• Based on JAX-RS
MVC types
• Component-based MVC, like JSF, Wicket, …
• Action-based MVC, like Struts 2, Spring MVC
(Diagrams: Component based MVC; Action Based MVC)
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
MVC Possibilities
    @Path("/")                 // the controller is a JAX-RS resource
    @View("my-index.xhtml")    // view rendered with the result of the action
    public class Bookstore {
        ...
        @GET
        public List<Item> getItems() {
            ...
            return items;      // model data handed to the view
        }
    }
CDI 2
▪ Java SE Bootstrap
▪ XML configuration
▪ Asynchronous events
▪ @Startup for CDI beans
▪ Portable Extension SPI simplification
▪ Small features and enhancements
Adopting Java SE 8
▪ Most of Java SE 8 can already be used with Java EE
• GlassFish, WildFly and WebLogic support JDK 8
▪ Some APIs could adopt features
• Repeatable Annotations
• Date-Time API/JDBC 4.2
• Completable Future
• Lambda expressions, streams
• Default methods
Java EE Security API JSR-375
• Expert Group nominations: EE API veterans (many JSRs, many years struggling with Security API), 3rd party security framework creators/developers, EE platform security implementers
• March 2015: Expert Group started discussions
What’s wrong with Java EE Security?
• Java EE Security viewed as not portable, abstract/confusing, antiquated
• Doesn’t fit cloud app developer paradigm: requires app server configuration
• "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever.” – Arjan Tijms
What to do?
• Plug the portability holes
• Modernize
  Contexts and Dependency Injection (CDI): intercept at Access Enforcement Points (POJO methods)
  Expression Language (EL): enable Access Enforcement Points with complex rules
• App Developer Friendly
  Common security configurations not requiring server changes
  Annotation defaults not requiring XML
Ideas
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Security Context
• API for Authorization Interceptors
To modernize, standardise, simplify
Ideas - Terminology
• EG discussions revealed inconsistency in security API terms
• Different EE containers have different names for the same concepts
• When “something” gets authenticated, is that something a...
  A User? (e.g. HttpServletRequest.getUserPrincipal)
  A Caller? (e.g. EJBContext.getCallerPrincipal)
• What is a group? A group of users? A permission vs a Role?
Ideas - Terminology
• What is that “something” where identities are stored?
  security provider (WebLogic)
  realm (Tomcat, some hints in Servlet spec)
  (auth) repository
  (auth) store
  login module (JAAS)
  identity manager (Undertow)
  authenticator (Resin, OmniSecurity, Seam Security)
  authentication provider (Spring Security)
  identity provider
API for Authentication Mechanism
• Application manages its own users and groups
• Application needs to authenticate users in order to assign Roles
• Application authenticates based on application-domain models
• Application needs to use an authentication method not supported on the server, like OpenID Connect or OAuth2
• Developer wants to use portable EE Authentication standard
JASPIC
• Java Authentication Service Provider Interface for Containers
• JSR 196, Maintenance Release 1.1, in 2013
• Standardised, portable, thin, low-level authentication framework
• JAAS (LoginModule) is Java SE and thus not standard within Java EE
Authentication Events
• Throw standardised CDI events at important moments
  PreAuthenticate Event
  PostAuthenticate Event
  PreLogout Event
  PostLogout Event
• Possible uses:
  Tracking number of logged-in users
  Tracking failed login attempts per account
  Side effects, like creating a new local user after initial successful authentication via a remote authentication provider
  Loading application-specific user preferences
API for Identity Store
• Where is the “user” info stored?
• Custom stores by annotated POJOs
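An added example (not from the slides) of the two ideas above, authentication mechanism and identity store, written against the API as it was finalized in Java EE 8 (javax.security.enterprise), not the proposal-era names on the slides. The class name, realm name and the in-memory accounts are constructed for the example; the mechanism is selected with one annotation and the store is a plain CDI bean, so no vendor descriptor is involved.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Selecting the container's built-in HTTP Basic mechanism is one annotation; the
// container routes the credentials it collects to every IdentityStore CDI bean.
@BasicAuthenticationMechanismDefinition(realmName = "bookstore")
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    // Constructed sample accounts: caller name -> PBKDF2 hash, caller name -> groups.
    private final Map<String, String> passwordHashes = new HashMap<>();
    private final Map<String, Set<String>> callerGroups = new HashMap<>();

    @Inject
    private Pbkdf2PasswordHash hasher;   // container-provided salted PBKDF2 hashing

    @PostConstruct
    void init() {
        Map<String, String> params = new HashMap<>();
        params.put("Pbkdf2PasswordHash.Iterations", "3072");   // above the 2048 default
        hasher.initialize(params);
        addUser("alice", "correct horse battery staple", "MANAGER", "USER");
        addUser("bob", "bob-sample-password", "USER");
    }

    private void addUser(String caller, String password, String... groups) {
        passwordHashes.put(caller, hasher.generate(password.toCharArray()));
        callerGroups.put(caller, new HashSet<>(Arrays.asList(groups)));
    }

    // IdentityStore.validate(Credential) dispatches here for username/password credentials.
    public CredentialValidationResult validate(UsernamePasswordCredential credential) {
        String stored = passwordHashes.get(credential.getCaller());
        // Unknown caller and wrong password both map to INVALID_RESULT, so the
        // resulting 401 does not reveal which account names exist.
        if (stored == null || !hasher.verify(credential.getPassword().getValue(), stored)) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(credential.getCaller(),
                                              callerGroups.get(credential.getCaller()));
    }
}
```

The group names returned in the result are what the role-to-group slides below map onto application roles; Java EE 8 servers use the same name for the role unless a vendor-specific mapping overrides it.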
API for Role/Permission Assignment
• After user/Caller is authenticated: need to retrieve the roles/permissions/grants
• API to manage these assignments
• Dynamic role/permission assignment
Why role to group?
• Application: similar users are grouped in a Role
• Identity store: used for more than one application; probably already has some kind of grouping of users (department, …)
• Map application Role to Identity store Group
• Today supported in Deployment Descriptors, e.g. web.xml
No More Roles
Role vs Permission
• Role
  Grouping of users
  When the “allowed actions” for a Role change, the application needs to be changed and redeployed
• Permission
  “Key” to unlock some functionality. The permission is linked in code.
  A User/Caller or even a role has some permissions
  Changes -> only external, where permissions are linked to users.
API for Security Context
• Application needs to access the security API
  To get the authenticated user
  To check roles
  To invoke runAs.
• Application needs the same API to access security context, regardless of container
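An added example (not from the slides) of the container-independent security context as it shipped in Java EE 8 as javax.security.enterprise.SecurityContext. The bean, method names, role name and URL are constructed for the illustration. One caveat: of the three needs listed above, getting the caller and checking roles are covered; runAs did not make it into SecurityContext and stays an EJB-only feature (@RunAs).

```java
import java.security.Principal;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;

// Hypothetical application bean; the same code runs on every Java EE 8 container.
@RequestScoped
public class AccountService {

    @Inject
    private SecurityContext securityContext;

    // Name of the authenticated caller, or null when the request is anonymous.
    public String currentCaller() {
        Principal caller = securityContext.getCallerPrincipal();
        return caller == null ? null : caller.getName();
    }

    // Programmatic role check at the access enforcement point: deny unless in role.
    public void transferFunds(String fromAccount, String toAccount, long cents) {
        if (!securityContext.isCallerInRole("MANAGER")) {
            throw new SecurityException("transferFunds requires the MANAGER role");
        }
        // ... perform the transfer (omitted)
    }

    // Asks the container the same question its web constraints answer, so the UI can
    // hide links the caller may not follow instead of keeping a second copy of the rules.
    public boolean canOpenReports() {
        return securityContext.hasAccessToWebResource("/reports/index.xhtml", "GET");
    }
}
```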
API for Authorisation Interceptors
• Application needs to restrict specific methods to authorised users
• Application-model rules are used to make access decisions
• Annotation based
• My requirements
  Screen parts (like a JSF component) need a certain permission
  URLs are protected based on permissions/roles/…
EL Authorization Rules
• To be used in security annotations
• Refer to any object, system or application defined
• Security rules tailored to the application.
• @EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs")
  void transferFunds() {..};
Complex rules
• AccessDecisionVoter
• Concept from DeltaSpike / Octopus
• Complex logic written out in Java code (CDI bean)
• @Secured(AccountAccessDecisionVoter.class)
  void transferFunds() {..};
• public void checkPermission(AccessDecisionVoterContext ctx, Set<SecurityViolation> violations) {
      // inspect the intercepted call via ctx; adding a SecurityViolation denies the call
  }
Get Involved
• Project Page: The starting point to all resources https://java.net/projects/javaee-security-spec
• Users List: Subscribe and contribute [email protected]
• Github Playground: Fork and Play! https://github.com/javaee-security-spec/javaee-security-proposals
Acknowledgements
• What’s Coming in Java EE 8? - Reza Rahman: http://www.slideshare.net/reza_rahman/javaee8
• Finally, EE Security API JSR 375 - Alex Kosowski: http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1
• MVC in JavaEE 8 - Manfred Riem: https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone-mvc-in-javaee8.pptx
Safe Harbor statement
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Q&A