Java EE 8 + Security Overview
![Page 1: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/1.jpg)
What can we expect in Java EE 8
and in particular for Java EE Security?
![Page 2: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/2.jpg)
Who Am I
Rudy De Busscher
C4J: Senior Java Web Developer, Java Coach
JSR375: Java EE Security API Expert group member
Java EE believer
@rdebusscher
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
![Page 3: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/3.jpg)
Agenda
▪ Java EE
▪ How We Got Here
▪ Where We Are Going
▪ Servlet 4
▪ JSON-B
▪ Server sent Events
▪ MVC
▪ CDI
▪ Java EE Security API
▪ Why
▪ Terminology
▪ API for Authentication Mechanism
▪ API for Identity Store
▪ API for Role/Permission Assignment
▪ API for Security Context
▪ API for Authorization Interceptors
![Page 4: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/4.jpg)
Java EE Past, Present, & Future
J2EE 1.2: Servlet, JSP, EJB, JMS, RMI
J2EE 1.3: CMP, JCA
J2EE 1.4: Web Services, Management, Deployment
Java EE 5: Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS
Java EE 6: Pruning, Ease of Use, JAX-RS, CDI, Bean Validation, Web Profile, Servlet 3, EJB 3.1 Lite
Java EE 7: JMS 2, Batch, TX, Concurrency, Web-Sockets, JSON, Web Profile, JAX-RS 2
![Page 9: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/9.jpg)
Connector 1.7
Managed Beans 1.0 EJB 3.2
Servlet 3.1
Eco-system
JSF 2.2 JAX-RS 2
JMS 2JPA 2.1
EL 3
JTA 1.2
JSP 2.3
Interceptors 1.2 CDI 1.1Common Annotations 1.2
UpdatedMajorRelease
New
Concurrency Utilities
Batch Applications
Java API for JSON
Java API for WebSocket
Bean Validation 1.1
Java EE 7
![Page 10: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/10.jpg)
Java EE 8 Community Survey
https://java.net/downloads/javaee-spec/JavaEE8_Community_Survey_Results.pdf
https://blogs.oracle.com/ldemichiel/entry/results_from_the_java_ee
![Page 11: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/11.jpg)
Java EE 8 Possibilities
▪ Web Standards/HTML5 Alignment
• HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia
▪ Cloud
• Simple security providers, REST management/monitoring
▪ CDI Alignment
• CDI 2, EJB services outside EJB, security interceptors, EJB pruning
▪ Enterprise
• JCache, Configuration, JMS
▪ Java SE 8 alignment
![Page 12: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/12.jpg)
Current JSRs
▪ Java EE 8 (JSR 366)
▪ CDI 2 (JSR 365)
▪ JSON-B (JSR 367)
▪ JMS 2.1 (JSR 368)
▪ Servlet 4 (JSR 369)
▪ JAX-RS 2.1 (JSR 370)
▪ MVC (JSR 371)
▪ JSF 2.3 (JSR 372)
▪ Java EE Management (JSR 373)
▪ JSON-P 1.1 (JSR 374)
▪ Java EE Security (JSR 375)
![Page 13: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/13.jpg)
Servlet 4
▪ Principal goal to support HTTP/2
• Request/response multiplexing over single connection
• Multiple streams
• Stream Prioritisation
• Server Push
• Binary Framing
• Header Compression
![Page 14: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/14.jpg)
Servlet 4 resources
• Edward Burns - Devnexus 2015 presentation - http://www.slideshare.net/edburns/http2-comes-to-java-what-servlet-40-means-to-you-devnexus-2015
• Mark Nottingham - HTTP/2 presentation - http://www.slideshare.net/mnot/what-http20-will-do-for-you
![Page 15: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/15.jpg)
Java API for JSON Binding (JSON-B)
▪ API to marshal/unmarshal POJOs to/from JSON
• Very similar to JAXB in the XML world
▪ Default mapping of classes to JSON
• Annotations to customise the default mappings
• @JsonProperty, @JsonTransient, @JsonValue
▪ Draw from best of breed ideas in existing JSON binding solutions
• MOXy, Jackson, GSON, Genson, Xstream, …
• Allow switching providers
▪ Provide JAX-RS a standard way to support “application/json” for POJOs
• JAX-RS currently supports JSON-P
![Page 16: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/16.jpg)
Server-Sent Events (SSE)
▪ Lesser known part of HTML 5
• Standard JavaScript API on the browser
▪ Server-to-client streaming
• “Stock tickers”, monitoring applications
▪ Just plain long-lived HTTP
• Between the extremes of vanilla request/response and WebSocket
• Content-type ‘text/event-stream’
▪ Support via JAX-RS.next()
• Already supported in Jersey JAX-RS reference implementation
![Page 17: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/17.jpg)
MVC
▪ Standard action-based web framework for Java EE
• JSF to continue on its evolution path, but not restricted to it.
▪ Model
• CDI, Bean Validation, JPA
▪ View
• (Standard) Facelets, JSP (Other) Freemarker, …
▪ Controller
• Majority of work here
• Based on JAX-RS
![Page 18: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/18.jpg)
MVC types
• Component-based MVC, like JSF, Wicket, …
• Action-based MVC, like Struts 2, Spring MVC
![Page 19: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/19.jpg)
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Component based MVC
![Page 20: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/20.jpg)
Action Based MVC
![Page 21: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/21.jpg)
MVC Possibilities
```java
@Path("/")
@View("my-index.xhtml")
public class Bookstore {
    ...
    @GET
    public List<Item> getItems() {
        ...
        return items;
    }
}
```
![Page 22: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/22.jpg)
CDI 2
▪ Java SE Bootstrap
▪ XML configuration
▪ Asynchronous events
▪ @Startup for CDI beans
▪ Portable Extension SPI simplification
▪ Small features and enhancements
![Page 23: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/23.jpg)
Adopting Java SE 8
▪ Most of Java SE 8 can already be used with Java EE
• GlassFish, WildFly and WebLogic support JDK 8
▪ Some APIs could adopt features
• Repeatable Annotations
• Date-Time API/JDBC 4.2
• Completable Future
• Lambda expressions, streams
• Default methods
![Page 24: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/24.jpg)
Java EE Security API JSR-375
• Expert Group nominations:
EE API veterans: many JSRs, many years struggling with Security API
3rd party security framework creators/developers
EE platform security implementers
• March 2015: Expert Group started discussions
![Page 25: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/25.jpg)
What’s wrong with Java EE Security?
• Java EE Security viewed as not portable, abstract/confusing, antiquated
• Doesn’t fit cloud app developer paradigm: requires app server configuration
• “The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever.” – Arjan Tijms
![Page 26: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/26.jpg)
![Page 27: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/27.jpg)
What to do?
• Plug the portability holes
• Modernize
Context Dependency Injection (CDI)
• Intercept at Access Enforcement Points: POJO methods
Expression Language (EL)
• Enable Access Enforcement Points with complex rules
• App Developer Friendly
• Common security configurations not requiring server changes
• Annotation defaults not requiring XML
![Page 28: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/28.jpg)
Ideas
To modernize, standardise, simplify
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Security Context
• API for Authorization Interceptors
![Page 29: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/29.jpg)
Ideas - Terminology
• EG discussions revealed inconsistency in security API terms
• Different EE containers have different names for the same concepts
• When “something” gets authenticated, is that something a...
A User? (e.g. HttpServletRequest.getUserPrincipal)
A Caller? (e.g. EJBContext.getCallerPrincipal)
• What is a group? A group of users?
A permission vs a Role?
![Page 30: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/30.jpg)
Ideas - Terminology
• What is that “something” where identities are stored?
security provider (WebLogic)
realm (Tomcat, some hints in Servlet spec)
(auth) repository
(auth) store
login module (JAAS)
identity manager (Undertow)
authenticator (Resin, OmniSecurity, Seam Security)
authentication provider (Spring Security)
identity provider
![Page 31: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/31.jpg)
API for Authentication Mechanism
• Application manages its own users and groups
• Application needs to authenticate users in order to assign Roles
• Application authenticates based on application-domain models
• Application needs to use an authentication method not supported on the server, like OpenID Connect or OAuth2
• Developer wants to use portable EE Authentication standard
![Page 32: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/32.jpg)
JASPIC
• Java Authentication Service Provider Interface for Containers
• JSR 196, Maintenance Release 1.1, in 2013
• Standardised, portable, thin, low-level authentication framework
• JAAS (LoginModule) is Java SE and thus not standard within Java EE
![Page 33: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/33.jpg)
Authentication Events
• Throw standardised CDI events at important moments
PreAuthenticate Event
PostAuthenticate Event
PreLogout Event
PostLogout Event
• Possible uses:
Tracking number of logged-in users
Tracking failed login attempts per account
Side effects, like creating a new local user after initial successful authentication via a remote authentication provider
Loading application-specific user preferences
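The failed-login tracking use listed above, as an added example that is not part of the deck: the proposal's PostAuthenticate event had no published class at this stage, so `PostAuthenticateEvent` here is a constructed stand-in fired by the application's own authentication mechanism, and the threshold is an assumed policy value.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

// Constructed stand-in for the proposal's PostAuthenticate event: carries the
// caller name and whether the authentication mechanism accepted the credentials.
// An authentication mechanism would fire it with
//   @Inject Event<PostAuthenticateEvent> events; events.fire(new PostAuthenticateEvent(name, ok));
class PostAuthenticateEvent {
    final String caller;
    final boolean success;
    PostAuthenticateEvent(String caller, boolean success) {
        this.caller = caller;
        this.success = success;
    }
}

// Application-side observer: counts consecutive failures per account and
// flags accounts that cross a threshold, with no server configuration involved.
@ApplicationScoped
public class FailedLoginTracker {

    static final int MAX_FAILURES = 5;   // assumed policy value
    private static final Logger LOG = Logger.getLogger(FailedLoginTracker.class.getName());

    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    // CDI delivers every PostAuthenticateEvent to this method.
    public void onPostAuthenticate(@Observes PostAuthenticateEvent event) {
        if (event.success) {
            failures.remove(event.caller);   // a successful login resets the counter
            return;
        }
        int count = failures.computeIfAbsent(event.caller, k -> new AtomicInteger())
                            .incrementAndGet();
        if (count >= MAX_FAILURES) {
            // Hook for the application's own response (alert, temporary lock,
            // step-up authentication); here the event is only logged.
            LOG.warning("account " + event.caller + " reached " + count + " failed logins");
        }
    }

    // Other application code (for example the login page) can consult this.
    public boolean isOverThreshold(String caller) {
        AtomicInteger c = failures.get(caller);
        return c != null && c.get() >= MAX_FAILURES;
    }
}
```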
![Page 34: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/34.jpg)
API for Identity Store
• Where is the “user” info stored?
• Custom stores by annotated POJOs
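A custom identity store as an added example (not code from the deck or the JSR 375 project), written against the API JSR 375 eventually shipped, javax.security.enterprise.identitystore.IdentityStore, which is later than the proposal stage this deck describes. The in-memory user table, the password hash helper and the caller "alice" are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

// A CDI-managed identity store: the container picks it up as a bean, so no
// vendor-specific realm, login module or deployment descriptor is needed.
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    // Constructed sample data: caller -> SHA-256 hex of the password, and
    // caller -> groups. Only the hash is kept, never the clear-text password.
    private static final Map<String, String> HASHES =
            Map.of("alice", sha256Hex("alice-demo-password"));
    private static final Map<String, Set<String>> GROUPS =
            Map.of("alice", Set.of("MANAGER", "USER"));

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // Only username/password is understood here; other types go to other stores.
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String expected = HASHES.get(upc.getCaller());
        String actual = sha256Hex(upc.getPasswordAsString());
        // One generic failure for unknown caller and wrong password alike,
        // so the outcome does not reveal which accounts exist.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                actual.getBytes(StandardCharsets.US_ASCII))) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(upc.getCaller(), GROUPS.get(upc.getCaller()));
    }

    // Constructed helper: plain SHA-256 keeps the example short; a real store
    // would use a slow, salted hash such as PBKDF2 or bcrypt.
    static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The groups in the returned CredentialValidationResult are what the application then maps to its roles, which is the role-to-group mapping discussed later in the deck.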
![Page 35: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/35.jpg)
API for Role/Permission Assignment
• After user/Caller is authenticated:
• Need to retrieve the roles/permissions/grants
• API to manage these assignments
• Dynamic role/permission assignment
![Page 36: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/36.jpg)
No More Roles
Why role to group?
• Application: similar users are grouped in a Role
• Identity store
Used for more than 1 application
Probably has already some kind of grouping of users (department, …)
• Map application Role to Identity store Group
• Today supported
Support in Deployment Descriptors, e.g. web.xml
![Page 37: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/37.jpg)
Role vs Permission
• Role
Grouping of users
When “allowed actions” for a Role change, the application needs to be changed and redeployed
• Permission
• “Key” to unlock some functionality. Permission is linked in code.
• User/Caller or even role has some permissions
• Changes -> only external, where permissions are linked to users.
![Page 38: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/38.jpg)
API for Security Context
• Application needs to access the security API
To get the authenticated user
To check roles
To invoke runAs.
• Application needs the same API to access security context, regardless of container
![Page 39: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/39.jpg)
API for Authorisation Interceptors
• Application needs to restrict specific methods to authorised users
• Application-model rules are used to make access decisions
• Annotation based
• My requirements
Screen parts (like a JSF Component) need a certain permission
URLs are protected based on permissions/roles/…
![Page 40: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/40.jpg)
EL Authorization Rules
• To be used in security annotations
• Refer to any object, system or application defined
• Security rules tailored to the application.
```java
@EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs")
void transferFunds() { .. }
```
![Page 41: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/41.jpg)
Complex rules
• AccessDecisionVoter
• Concept from DeltaSpike / Octopus
• Complex logic written out in Java code (CDI bean)
```java
@Secured(AccountAccessDecisionVoter.class)
void transferFunds() { .. }

public void checkPermission(AccessDecisionVoterContext ctx,
                            Set<SecurityViolation> violations) {
    ...
}
```
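The voter from the slide written out in full, as an added example against the DeltaSpike API named above (not the deck's own code): the Schedule bean stands in for the EL rule's schedule.nowIsOfficeHrs, the MANAGER check uses the container's HttpServletRequest.isUserInRole, and AccountService is a constructed caller of the voter.

```java
import java.time.LocalTime;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.Secured;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

// Constructed application bean standing in for the EL rule's "schedule.nowIsOfficeHrs".
@ApplicationScoped
class Schedule {
    boolean nowIsOfficeHrs() {
        LocalTime now = LocalTime.now();
        return !now.isBefore(LocalTime.of(9, 0)) && now.isBefore(LocalTime.of(17, 0));
    }
}

// The voter: the same rule as the EL example, but as plain Java in a CDI bean.
// Any violation added to the set denies the call; an empty set allows it.
@ApplicationScoped
public class AccountAccessDecisionVoter extends AbstractAccessDecisionVoter {

    @Inject HttpServletRequest request;   // container-side role check
    @Inject Schedule schedule;

    @Override
    protected void checkPermission(AccessDecisionVoterContext ctx,
                                   Set<SecurityViolation> violations) {
        if (request.getUserPrincipal() == null) {
            violations.add(newSecurityViolation("not authenticated"));
            return;   // nothing else to evaluate for an anonymous caller
        }
        if (!request.isUserInRole("MANAGER")) {
            violations.add(newSecurityViolation("MANAGER role required"));
        }
        if (!schedule.nowIsOfficeHrs()) {
            violations.add(newSecurityViolation("transfers are allowed during office hours only"));
        }
    }
}

// Constructed service guarded by the voter (would normally sit in its own file):
// DeltaSpike's interceptor runs checkPermission before the method body executes.
@ApplicationScoped
class AccountService {
    @Secured(AccountAccessDecisionVoter.class)
    public void transferFunds(String from, String to, long cents) {
        // business logic runs only when the voter reported no violations
    }
}
```

DeltaSpike's security interceptor has to be enabled in beans.xml for @Secured to take effect; without it the method runs unguarded.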
![Page 42: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/42.jpg)
Get Involved
• Project Page: The starting point to all resources https://java.net/projects/javaee-security-spec
• Users List: Subscribe and contribute [email protected]
• Github Playground: Fork and Play! https://github.com/javaee-security-spec/javaee-security-proposals
![Page 43: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/43.jpg)
Acknowledgements
• What’s Coming in Java EE 8? - Reza Rahman
http://www.slideshare.net/reza_rahman/javaee8
• Finally, EE Security API JSR 375 - Alex Kosowski
http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1
• MVC in JavaEE 8 - Manfred Riem
https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone-mvc-in-javaee8.pptx
![Page 44: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/44.jpg)
Safe Harbor statement
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
![Page 45: Java ee 8 + security overview](https://reader036.vdocuments.us/reader036/viewer/2022062401/5872a08e1a28ab07208b5a3f/html5/thumbnails/45.jpg)
Q&A