Successfully reported this slideshow.

Finally, EE Security API JSR 375

17

Share

Apr. 13, 2015
17 likes 13,358 views
Upcoming SlideShare
JMS.Next(): JMS 2.0 and Beyond
JMS.Next(): JMS 2.0 and Beyond
Loading in …3
×
1 of 80
1 of 80

Finally, EE Security API JSR 375

Apr. 13, 2015
17 likes 13,358 views

17

Share

Download to read offline

Software

This presentation introduces the new Java EE 8 Security API JSR 375. Originally presented at Devoxx France 2015, the slides present the motivation behind the new JSR, some history, the expert group, and a summary of ideas.

The slides were created after the expert group had been meeting for about a month, so the ideas are raw and undeveloped. However, the ideas in the slides do indicate the general direction the JSR is headed, with respect to modernizing, simplifying, and standardizing the Java EE Security API.

This presentation introduces the new Java EE 8 Security API JSR 375. Originally presented at Devoxx France 2015, the slides present the motivation behind the new JSR, some history, the expert group, and a summary of ideas.

The slides were created after the expert group had been meeting for about a month, so the ideas are raw and undeveloped. However, the ideas in the slides do indicate the general direction the JSR is headed, with respect to modernizing, simplifying, and standardizing the Java EE Security API.

Software

Recommended

More Related Content

Viewers also liked

MVC 1.0 / JSR 371
David Delabassee
Testing Java EE Applications Using Arquillian
Reza Rahman
EJB and CDI - Alignment and Strategy
David Delabassee
JavaEE.Next(): Java EE 7, 8, and Beyond
Reza Rahman
Have You Seen Java EE Lately?
Reza Rahman
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
Edward Burns
Java EE 8 - An instant snapshot
David Delabassee
Java EE Revisits GoF Design Patterns
Murat Yener
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
Werner Keil
What's New in WebLogic 12.1.3 and Beyond
Oracle
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Arshal Ameen
Move from J2EE to Java EE
Hirofumi Iwasaki
Best Way to Write SQL in Java
Gerger
Modern web application development with java ee 7
Shekhar Gulati
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
David Delabassee
Java on Azure
Philly JUG
Adopt-a-JSR for JSON Processing 1.1, JSR 374
Heather VanCura
JavaScript Frameworks and Java EE – A Great Match
Reza Rahman
Servlet 4.0 at GeekOut 2015
Edward Burns

Similar to Finally, EE Security API JSR 375

Java2Days - Security for JavaEE and the Cloud
Werner Keil
Servlet 3.1
Arun Gupta
Java EE 6 & GlassFish = Less Code + More Power @ DevIgnition
Arun Gupta
The Java EE 7 Platform: Developing for the Cloud (FISL 12)
Arun Gupta
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
Masoud Kalali
Spring Security 5
Jesus Perez Franco
Microsoft identity platform community call-May 2020
Microsoft 365 Developer
TYPO3 Flow 2.0 (International PHP Conference 2013)
Robert Lemke
Code Generation in Magento 2
Sergii Shymko
Java EE Application Security With PicketLink
pigorcraveiro
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
OAuth in the Real World featuring Webshell
CA API Management
Building Next-Gen Web Applications with the Spring 3 Web Stack
Jeremy Grelle
Advanced modular development
Srinivasan Raghavan
Spring 3.1 in a Nutshell
Sam Brannen
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
GIDS 2012: Java Message Service 2.0
Arun Gupta
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
Overview of Java EE 6 by Roberto Chinnici at SFJUG
Marakana Inc.
MySQL Connector/Node.js and the X DevAPI
Rui Quelhas

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
101 Awesome Builds: Minecraft®™ Secrets from the World's Greatest Crafters Triumph Books
(4.5/5)
Free
How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life J. J. Luna
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World Bruce Schneier
(4.5/5)
Free

Finally, EE Security API JSR 375

  1. 1. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.1
  2. 2. Finally, EE Security API JSR 375 Alex Kosowski JSR 375 Specification Lead WebLogic Server Security
  3. 3. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.3 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  4. 4. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.4 Agenda §  Motivations §  A New JSR §  Ideas §  Get Involved §  Q & A
  5. 5. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.5 Agenda §  Motivations §  A New JSR §  Ideas §  Get Involved §  Q & A
  6. 6. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.6 Why a Java EE Security API JSR? §  EE 8 survey results §  4500 total responses §  Priorities Pie Chart
  7. 7. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.7 What’s wrong with Java EE Security? "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever. ” – Arjan Tijms “[The EE security] model is problematic in cloud/PaaS environments where developers do not necessarily have easy access to non-standard vendor runtime features and a self-contained application is much easier to manage.” – Reza Rahman The community says…
  8. 8. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.8 What’s wrong with Java EE Security? §  Java EE Security viewed as not portable, abstract/confusing, antiquated §  Doesn’t fit cloud app developer paradigm: requires app server configuration §  Losing value to non-standard 3rd Party Frameworks…less likely to move back to Java EE when requirements increase
  9. 9. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.9 What to do? §  Plug the portability holes §  Modernize –  Context Dependency Injection (CDI) §  Intercept at Access Enforcement Points: POJO methods –  Expression Language (EL) §  Enable Access Enforcement Points with complex rules §  App Developer Friendly –  Common security configurations not requiring server changes –  Annotation defaults not requiring XML
  10. 10. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.10 Agenda §  Motivations §  A New JSR §  Ideas §  Get Involved §  Q & A
  11. 11. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.11 JSR 375 History §  August 2014: First proposed to Oracle Java EE Architects §  December 2014: Approved by JCP §  Expert Group nominations: –  EE API veterans: many JSRs, many years struggling with Security API –  3rd party security framework creators/developers –  EE platform security implementers §  March 2015: Expert Group started discussions
  12. 12. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.12 JSR 375 – Expert Group Name Representing Adam Bien Individual David Blevins Tomitribe Rudy De Busscher Individual Ivar Grimstad Individual Les Hazlewood Stormpath, Inc. Will Hopkins Oracle Werner Keil Individual
  13. 13. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.13 JSR 375 – Expert Group Name Representing Matt Konda Jemurai Alex Kosowski Oracle Darran Lofthouse RedHat Jean-Louis Monteiro Tomitribe Ajay Reddy IBM Pedro Igor Silva RedHat Arjan Tijms ZEEF
  14. 14. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.14 JSR 375 History §  In first month, expert group had an EXPLOSION of activity –  Lot of Brainstorming! –  237 messages on EG mailing list –  81 commits in Github playgrounds for examples and proposals –  24 JIRA issues
  15. 15. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.15 Agenda §  Motivations §  A New JSR §  Ideas §  Get Involved §  Q & A
  16. 16. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.16 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  17. 17. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.17 Ideas To modernize, standardize, simplify Identity Store Authentication Mechanism Security Context Authorization Interceptors Role/Permission Assignment Password Aliasing
  18. 18. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.18 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  19. 19. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.19 Ideas - Terminology §  EG discussions revealed inconsistency in security API terms §  Different EE containers have different names for the same concepts §  When “something” gets authenticated, is that something a… –  A User? (e.g. HttpServletRequest.getUserPrincipal) –  A Caller? (e.g. EJBContext.getCallerPrincipal) §  What is a group? –  A group of users? –  A permission –  Vs Role?
  20. 20. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.20 Ideas - Terminology §  What is that “something” where identities are stored? –  security provider (WebLogic) –  realm (Tomcat, some hints in Servlet spec) –  (auth) repository –  (auth) store –  login module (JAAS) –  identity manager (Undertow) –  authenticator (Resin, OmniSecurity, Seam Security) –  authentication provider (Spring Security) –  identity provider
  21. 21. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.21 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  22. 22. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.22 Use Case §  Application manages its own users and groups §  Application needs to authenticate users in order to assign Roles §  Application authenticates based on application-domain models §  Application needs to use an authentication method not supported on the server, like OpenID Connect §  Developer wants to use portable EE Authentication standard API for Authentication Mechanism
  23. 23. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.23 Current Solutions §  Proprietary server support §  3rd party security frameworks provide authentication §  JASPIC: Java Authentication Service Provider Interface for Containers API for Authentication Mechanism
  24. 24. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.24 JASPIC §  Java Authentication Service Provider Interface for Containers §  JSR 196, Maintenance Release 1.1, in 2013 §  Standardized, portable, thin, low-level authentication framework §  Extensible from within an application §  Integrates with the container to build an authenticated Subject §  Implement any authentication method
  25. 25. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.25 JASPIC Server Auth Module public interface ServerAuthModule { public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options) throws AuthException; public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject); public Class<?>[] getSupportedMessageTypes(); public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject); public void cleanSubject(MessageInfo messageInfo, Subject subject); }
  26. 26. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.26 JASPIC Per-Application Installation ServletContextListener AuthConfigFactory AuthConfigProvider ServerAuthConfig ServerAuthContext ServerAuthModule
  27. 27. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.27 Ideas – Simple ServerAuthModule Installation ServletContextListener AuthConfigFactory AuthConfigProvider ServerAuthConfig ServerAuthContext ServerAuthModule ServletContextListener
  28. 28. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.28 Ideas – Simple ServerAuthModule Installation @WebListener public class SamRegistrationListener implements ServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { Jaspic.registerServerAuthModule(new TokenAuthModule(), sce.getServletContext()); } @Override public void contextDestroyed(ServletContextEvent sce) { } }
  29. 29. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.29 Ideas – Simple ServerAuthModule Installation @Authenticator("org.acme.TokenAuthModule") @WebServlet("/SimpleServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"})) public class SimpleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.getWriter().print("my GET"); } }
  30. 30. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.30 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule implements ServerAuthModule { public void initialize(…) throws AuthException { … } public Class<?>[] getSupportedMessageTypes() { … } public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { … } public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException { … } public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); … }
  31. 31. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.31 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule extends HttpServerAuthModule { public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException { … } }
  32. 32. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.32 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule extends HttpServerAuthModule { public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException { final String header = request.getHeader("Authorization"); final String[] credentials = parseCredentials(header); final String username = credentials[0]; final String password = credentials[1]; if (!"snoopy".equals(username) || !"woodst0ck".equals(password)) { return FAILURE; } // No callbacks required!!! return httpMessageContext.notifyContainerAboutLogin( "snoopy", // the groups/roles of the authenticated user Arrays.asList("RedBaron", "JoeCool", "MansBestFriend")); }
  33. 33. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.33 Ideas – Standardized Authenticators @Authenticator("javax.security.authenticator.OpenIDConnect") @WebServlet("/SimpleServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"})) public class SimpleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.getWriter().print("my GET"); } } §  OpenID Connect ServerAuthModule
  34. 34. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.34 Ideas – Authentication Events §  Throw standardized CDI events at important moments –  PreAuthenticate Event –  PostAuthenticate Event –  PreLogout Event –  PostLogout Event §  Possible uses: –  Tracking number of logged-in users –  Tracking failed login attempts per account –  Side effects, like creating a new local user after initial successful authentication via a remote authentication provider –  Loading application-specific user preferences
  35. 35. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.35 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  36. 36. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.36 Use Case §  Application manages its own users and groups §  Need to access a repository of identities, like users §  Users may be stored in app-specified repository (e.g. LDAP) §  Users are managed without access to server configuration API for Identity Store
  37. 37. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.37 Survey Results API for Identity Store ' Should we simplify authorization by introducing an EL-enabled authorization annotation? ' Should we standardize on requirements for simple security providers and their configuration? ' ' Approximately'58%'thought'we'should'add'support'for'password'aliases,'including'the' ability'to'provision'credentials'along'with'the'application.' ' 70%'thought'that'we'should'standardize'group`to`role'mapping.' ' 53%'thought'we'should'simplify'JASPIC'authentication.' ' 67%'thought'that'we'should'simplify'authorization'and'make'it'more'flexible'by' introducing'EL`based'authorization'annotations,'introducing'a'capability'more'general' than'use'of'@RolesAllowed'and'simpler'than'use'of'interceptors'to'do'programmatic' authorization.' ' 65%'thought'we'should'standardize'on'requirements'for'simple'security'providers'and' their'configuration.'
  38. 38. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.38 Current Solutions §  No Java EE support §  Only proprietary server support §  3rd party security frameworks provide user/group APIs API for Identity Store
  39. 39. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.39 Ideas – Identity Store public interface Identity { String getUsername(); char[] getPassword(); boolean isAccountExpired(); boolean isAccountLocked(); boolean isPasswordExpired(); boolean isEnabled(); IdentityAttributeValue getAttribute(String name); } public interface IdentityAttributeValue { String getValue(); String getMetaInfo(String name); }
  40. 40. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.40 Ideas – Identity Store public interface IdentityStore{ Identity loadIdentityByName(String name); void changePassword(char[] oldPassword, char[] newPassword); void createIdentity(Identity user); void deleteIdentity(String name); void updateIdentity(Identity identity); boolean identityExists(String name); void createGroup(String group); void deleteGroup(String group); void addIdentityToGroup(String name, String group); void removeIdentityFromGroup(String name, String group); boolean isIdentityInGroup(String name, String group); List<String> getIdentityGroups(String name); }
  41. 41. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.41 Ideas – Identity Store IdentityStore LDAP Server Identity DBFile
  42. 42. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.42 Ideas – Identity Store @LdapIdentityStore(name=“java:app/prodIdentityStore”, ldapUrl=“ldap://blah”, ldapUser=“ElDap”,ldapPassword=“welcome”) public class MyAuthenticator { @Resource(lookup=“java:app/prodIdentityStore”) private IdentityStore identityStore; private boolean isAccountEnabled(String username) { return identityStore.loadUserByUsername(username).isEnabled(); } … }
  43. 43. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.43 Ideas – Identity Store @EmbeddedIdentityStore(name=“java:app/devIdentityStore”, {@Identity(username="ray", password="secret", groups="admin"), @Identity(username="jo", password="secret", groups="user"), @Identity(username="sam", password="secret", groups="user")}) @DatabaseIdentityStore(name=“java:app/testIdentityStore”, lookup="somedatabase", userQuery="SELECT password FROM principals WHERE username=?", groupQuery="SELECT group FROM groups where username=?", ...)
  44. 44. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.44 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  45. 45. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.45 Use Case §  Application uses passwords to access resources like LDAP and DB §  Passwords stored in annotations, deployment descriptors §  Best practices dictate that passwords are never stored in clear text §  Need a portable way to protect stored passwords API for Password Aliasing
  46. 46. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.46 Survey Results §  Deferred from Java EE 7 API for Password Aliasing Of'the'small'fraction'of'participants'who'added'comments,'most'of'these'strongly'urged' for'improvements'in'logging'–'either'by'the'revision'of'java.util.logging,'or'replacement' of'its'use'by'either'slf4j,''slf4j'with'LogBack,'or'log4j.' ' ' ' Security' ' Most'of'the'suggested'improvements'in'the'security'area'received'strong'support.' ' Should we add support for password aliases (including the ability to provision credentials along with the application)? ' Should we standardize group-to-role mapping?
  47. 47. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.47 Current Solutions §  No Java EE support §  Proprietary server support, e.g. GlassFish §  3rd party security framework support for embedded password encryption, not aliasing API for Password Aliasing
  48. 48. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.48 Ideas – Password Aliasing §  For annotations @DataSourceDefinition( name="java:app/jdbc/test", user="root", password="${ALIAS=password}",…) §  For deployment descriptors <data-source> <name>java:app/env/testDS</name> <user>APP</user> <password>${ALIAS=password}</password> … </data-source>
  49. 49. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.49 Ideas – Password Aliasing ${ALIAS=token} "mysecret" Resolved when used Cleared when done
  50. 50. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.50 Ideas – Password Aliasing Password Alias Archive
  51. 51. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.51 Ideas – Password Aliasing §  For configuration: Annotations, Deployment Descriptors §  Secure credentials archive for bundling the alias and actual password values with applications §  Platform consumes the credentials archive upon deployment §  Standard tooling for CRUD operations on the credential archive, e.g. keytool
  52. 52. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.52 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  53. 53. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.53 Use Case §  Application manages its own users and groups §  Application needs to assign roles (i.e., authorities, permissions) to users and groups, based on application-specific model §  Users may be stored in app-specified repository (e.g. LDAP) §  Users are managed without access to server configuration API for Role/Permission Assignment
  54. 54. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.54 Survey Results API for Role/Permission Assignment Security' ' Most'of'the'suggested'improvements'in'the'security'area'received'strong'support.' ' Should we add support for password aliases (including the ability to provision credentials along with the application)? ' Should we standardize group-to-role mapping?
  55. 55. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.55 Current Solutions §  No Java EE support §  Only proprietary server support §  3rd party security frameworks provide role/authority/permission APIs API for Role/Permission Assignment
  56. 56. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.56 Ideas – Standardized Role Mapping §  Support in Deployment Descriptors, e.g. web.xml <security-role-map> <!-- Role name as set/returned by Authentication Module --> <group>MANAGER</group> <!-- Role name for mapping --> <role-name>EDIT_ACCOUNTS</role-name> </security-role-map> <!– One-to-one group to role mapping --> <security-role-map groupToRoleMapping="false" />
  57. 57. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.57 Ideas – Role Mapping Annotation @EmbeddedRoleMapper( users={ @RoleMap(user=“foo”,roles=“admin”), @RoleMap(group=“admin”,roles={“admin”,”manager”}) } ) public class MyServlet { }
  58. 58. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.58 Ideas – Dynamic Role Mapping public interface RoleMapper { void grantRoleToUser(String username, String role); void revokeRoleFromUser(String username, String role); boolean hasRoleForUser( String username, String role, boolean includeGroups); List<String> getRolesForUser( String username, boolean includeGroups); List<String> getUsersWithRole( String role, boolean includeGroups); void grantRoleToGroup(String group, String role); void revokeRoleFromGroup(String group, String role); boolean hasRoleForGroup(String group, String role); List<String> getRolesForGroup(String group); List<String> getGroupsWithRole(String role); }
  59. 59. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.59 Ideas – Dynamic Role Mapping @Inject RoleMapper roleMapper; roleMapper.grantRoleToGroup("Manager", "EDIT_ACCOUNTS"); boolean has = roleMapper.hasRoleForGroup("Manager", "CLOSE_ACCT"); List<String> roles = roleMapper.getRolesForGroup("Manager"); List<String> groups = roleMapper.getGroupsWithRole("VIEW_ACCOUNTS");
  60. 60. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.60 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  61. 61. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.61 Use Case §  Application needs to access the security API –  To get the authenticated user –  To check roles –  To invoke runAs. §  Application needs the same API to access security context, regardless of container API for Security Context
  62. 62. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.62 Current Solutions §  No Java EE support §  3rd party security frameworks provide a security context API for Security Context
  63. 63. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.63 Current Solutions @Singleton public class MyEjb { @Resource private SessionContext sessionContext; public String sayHello() { if (sessionContext.isCallerInRole("admin")) { return "Hello World!"; } throw new SecurityException("User is unauthorized."); } }
  64. 64. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.64 Current Solutions public class MyServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse resp) throws ServletException, IOException { if (request.isUserInRole("admin")) { // do something } throw new ServletException("User is unauthorized."); } }
  65. 65. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.65 Current Solutions @RequestScoped public class MyCdiBean { // Oh snap! No SecurityContext class for CDI }
  66. 66. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.66 Current Solutions public class MyJaxRsService { @GET @Produces("text/plain;charset=UTF-8") @Path("/hello") public String sayHello(@Context SecurityContext sc) { if (sc.isUserInRole("admin")) { return "Hello World!"; } throw new SecurityException("User is unauthorized."); } }
  67. 67. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.67 Ideas – Security Context public interface SecurityContext { String getUserPrincipal(); boolean isUserInRole(String role); List<String> getAllUsersRoles(); boolean isAuthenticated(); boolean isUserInAnyRole(List<String> roles); boolean isUserInAllRoles(List<String> roles); void login(Object request, Object response); void login(Map map); void logout(); void runAs(String role); boolean hasAccessToResource(); boolean hasAccessToBeanMethod(); }
  68. 68. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.68 Ideas – Security Context §  For all managed beans: CDI, Servlet, EJB, JAX-RS, etc public class MyFutureCdiBean { @Inject private SecurityContext securityContext; public String sayHello() { if (securityContext.isUserInRole("admin")) { return "Hello World!"; } throw new SecurityException("User is unauthorized."); } }
  69. 69. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.69 Ideas §  Terminology §  API for Authentication Mechanism §  API for Identity Store §  API for Password Aliasing §  API for Role/Permission Assignment §  API for Security Context §  API for Authorization Interceptors To modernize, standardize, simplify
  70. 70. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.70 Use Case §  Application needs to restrict specific methods to authorized users §  Application-model rules are used to make access decisions §  Role is insufficient API for Authorization Interceptors
  71. 71. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.71 Survey Results API for Authorization Interceptors this'last'question.''Thymeleaf,'Freemarker,'and'Velocity'were'the'most'frequently' mentioned'here.' ' ' ' ' CDI' ' The'next'four'questions'focused'on'continued'CDI'alignment.''This'was'one'of'the'focus' areas'of'Java'EE'7.' ' Should we consider adding Security Interceptors in Java EE 8? Should we simplify JASPIC? ' Should we simplify authorization by introducing an EL-enabled authorization annotation? ' Should we standardize on requirements for simple security providers and their configuration?
  72. 72. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.72 Current Solutions §  EE authorization has no rule based authorization, only role based §  3rd party security frameworks provide rule, role and permission based APIs API for Authorization Interceptors
  73. 73. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.73 Ideas – EL Authorization Rules §  Expression Language rule would have access to managed beans for SecurityContext and InvocationContext @ EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs") void transferFunds() {..};
  74. 74. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.74 Ideas – EL Authorization Rules §  EL Authorization rules centrally managed in a repository @LdapAuthorizationRules ( name="java:app/accountAuthRules", ldapUrl="ldap://blah", ldapUser="ElDap", ldapPassword=“mysecret” ) public class MyBean { @ EvaluateSecured( ruleSourceName="java:app/accountAuthRules", rule="transferFunds") void transferFunds() {..}; … }
  75. 75. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.75 Ideas – AccessDecisionVoter §  A user-defined class for making access decisions @Secured(AccountAccessDecisionVoter.class) void transferFunds() {..};
  76. 76. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.76 Ideas – AccessDecisionVoter public class AccountAccessDecisionVoter implements AccessDecisionVoter { @Override public void checkPermission(AccessDecisionVoterContext ctx, Set<SecurityViolation> violations) { // Check for violations Method method = ctx.<InvocationContext>getSource().getMethod(); … violations.add(new SecurityViolation("Sorry, not allowed")); } }
  77. 77. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.77 Agenda §  Motivations §  A New JSR §  Ideas §  Get Involved §  Q & A
  78. 78. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.78 Get Involved §  Project Page: The starting point to all resources https://java.net/projects/javaee-security-spec §  Users List: Subscribe and contribute users@javaee-security-spec.java.net §  Github Playground: Fork and Play! https://github.com/javaee-security-spec/javaee-security-proposals
  79. 79. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.79 Q/A
  80. 80. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.80

×