
Java ee 8 + security overview

Java EE 8 Overview (Sept 2015). A lot of work has already been done by the Expert Groups, so let's have a brief look at what we can expect in some areas:
- Servlet 4 will embrace the new HTTP/2 protocol.
- JSON-B will bring the same high-level features of JAXB to the JSON data format.
- Server-Sent Events (SSE) is the WebSocket variant where you only send data from the server to the client.
- MVC will be the action-based MVC complement of the component-based MVC of JSF.
- Some major restructuring of CDI so that, to mention one thing, we can use it in a standardised way in Java SE.
The Java EE security API is covered in more detail. Security-related parts of the platform have become old and dusty and need to move away from proprietary configuration to make the transition to the cloud possible. An introduction to JSR 375 is given, which promotes self-contained application portability across Java EE servers and the use of modern programming concepts such as Expression Language and CDI. It will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community.


  1. What can we expect in Java EE 8 and in particular for Java EE Security?
  2. Who Am I
     Rudy De Busscher
     ▪ C4J: Senior Java Web Developer, Java Coach
     ▪ JSR375: Java EE Security API Expert group member
     ▪ Java EE believer
     ▪ @rdebusscher
     ▪ http://jsfcorner.blogspot.be
     ▪ http://javaeesquad.blogspot.be
  3. Agenda
     ▪ Java EE
       • How We Got Here
       • Where We Are Going
       • Servlet 4
       • JSON-B
       • Server-Sent Events
       • MVC
       • CDI
     ▪ Java EE Security API
       • Why
       • Terminology
       • API for Authentication Mechanism
       • API for Identity Store
       • API for Role/Permission Assignment
       • API for Security Context
       • API for Authorization Interceptors
  4. Java EE Past, Present, & Future
     ▪ J2EE 1.2: Servlet, JSP, EJB, JMS, RMI
     ▪ J2EE 1.3: CMP, JCA
     ▪ J2EE 1.4: Web Services, Management, Deployment
     ▪ Java EE 5: Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS
     ▪ Java EE 6: Pruning, Ease of Use, JAX-RS, CDI, Bean Validation, Web Profile, Servlet 3, EJB 3.1 Lite
     ▪ Java EE 7: JMS 2, Batch, TX, Concurrency, WebSockets, JSON, Web Profile, JAX-RS 2
  9. Java EE 7
     ▪ Updated: Connector 1.7, Managed Beans 1.0, EJB 3.2, Servlet 3.1, JSF 2.2, JAX-RS 2, JMS 2, JPA 2.1, EL 3, JTA 1.2, JSP 2.3, Interceptors 1.2, CDI 1.1, Common Annotations 1.2, Bean Validation 1.1
     ▪ New: Concurrency Utilities, Batch Applications, Java API for JSON, Java API for WebSocket
     ▪ Ecosystem
  10. Java EE 8 Community Survey
     ▪ https://java.net/downloads/javaee-spec/JavaEE8_Community_Survey_Results.pdf
     ▪ https://blogs.oracle.com/ldemichiel/entry/results_from_the_java_ee
  11. Java EE 8 Possibilities
     ▪ Web Standards/HTML5 Alignment
       • HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia
     ▪ Cloud
       • Simple security providers, REST management/monitoring
     ▪ CDI Alignment
       • CDI 2, EJB services outside EJB, security interceptors, EJB pruning
     ▪ Enterprise
       • JCache, Configuration, JMS
     ▪ Java SE 8 alignment
  12. Current JSRs
     ▪ Java EE 8 (JSR 366)
     ▪ CDI 2 (JSR 365)
     ▪ JSON-B (JSR 367)
     ▪ JMS 2.1 (JSR 368)
     ▪ Servlet 4 (JSR 369)
     ▪ JAX-RS 2.1 (JSR 370)
     ▪ MVC (JSR 371)
     ▪ JSF 2.3 (JSR 372)
     ▪ Java EE Management (JSR 373)
     ▪ JSON-P 1.1 (JSR 374)
     ▪ Java EE Security (JSR 375)
  13. Servlet 4
     ▪ Principal goal: to support HTTP/2
       • Request/response multiplexing over a single connection
       • Multiple streams
       • Stream prioritisation
       • Server push
       • Binary framing
       • Header compression
  14. Servlet 4 resources
     • Edward Burns - Devnexus 2015 presentation - http://www.slideshare.net/edburns/http2-comes-to-java-what-servlet-40-means-to-you-devnexus-2015
     • Mark Nottingham - HTTP/2 presentation - http://www.slideshare.net/mnot/what-http20-will-do-for-you
  15. Java API for JSON Binding (JSON-B)
     ▪ API to marshal/unmarshal POJOs to/from JSON
       • Very similar to JAXB in the XML world
     ▪ Default mapping of classes to JSON
       • Annotations to customise the default mappings
       • @JsonProperty, @JsonTransient, @JsonValue
     ▪ Draw from best-of-breed ideas in existing JSON binding solutions
       • MOXy, Jackson, GSON, Genson, Xstream, …
       • Allow switching providers
     ▪ Provide JAX-RS a standard way to support “application/json” for POJOs
       • JAX-RS currently supports JSON-P
  16. Server-Sent Events (SSE)
     ▪ Lesser-known part of HTML 5
       • Standard JavaScript API in the browser
     ▪ Server-to-client streaming
       • “Stock tickers”, monitoring applications
     ▪ Just plain long-lived HTTP
       • Between the extremes of vanilla request/response and WebSocket
       • Content-type ‘text/event-stream’
     ▪ Support via JAX-RS.next()
       • Already supported in the Jersey JAX-RS reference implementation
  17. MVC
     ▪ Standard action-based web framework for Java EE
       • JSF will continue on its evolution path, but is not restricted to it.
     ▪ Model
       • CDI, Bean Validation, JPA
     ▪ View
       • (Standard) Facelets, JSP; (Other) Freemarker, …
     ▪ Controller
       • Majority of the work is here
       • Based on JAX-RS
  18. MVC types
     • Component-based MVC
       • like JSF, Wicket, …
     • Action-based MVC
       • like Struts 2, Spring MVC
  19. Component based MVC (diagram; Copyright © 2014, Oracle and/or its affiliates. All rights reserved.)
  20. Action Based MVC (diagram)
  21. MVC Possibilities

```java
@Path("/")
@View("my-index.xhtml")
public class Bookstore {
    ...
    @GET
    public List<Item> getItems() {
        ...
        return items;
    }
}
```
  22. CDI 2
     ▪ Java SE bootstrap
     ▪ XML configuration
     ▪ Asynchronous events
     ▪ @Startup for CDI beans
     ▪ Portable Extension SPI simplification
     ▪ Small features and enhancements
  23. Adopting Java SE 8
     ▪ Most of Java SE 8 can already be used with Java EE
       • GlassFish, WildFly and WebLogic support JDK 8
     ▪ Some APIs could adopt features
       • Repeatable annotations
       • Date-Time API / JDBC 4.2
       • CompletableFuture
       • Lambda expressions, streams
       • Default methods
  24. Java EE Security API, JSR-375
     • Expert Group nominations:
       EE API veterans: many JSRs, many years struggling with the Security API
       3rd-party security framework creators/developers
       EE platform security implementers
     • March 2015: Expert Group started discussions
  25. What’s wrong with Java EE Security?
     • Java EE Security is viewed as not portable, abstract/confusing, antiquated
     • Doesn’t fit the cloud app developer paradigm: requires app server configuration
     • "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever." – Arjan Tijms
  26. What to do?
     • Plug the portability holes
     • Modernize: Context Dependency Injection (CDI)
     • Intercept at Access Enforcement Points: POJO methods, Expression Language (EL)
     • Enable Access Enforcement Points with complex rules
     • App developer friendly
       • Common security configurations not requiring server changes
       • Annotation defaults not requiring XML
  27. Ideas, to modernize, standardise, simplify
     • Terminology
     • API for Authentication Mechanism
     • API for Identity Store
     • API for Password Aliasing
     • API for Role/Permission Assignment
     • API for Security Context
     • API for Authorization Interceptors
  28. Ideas - Terminology
     • EG discussions revealed inconsistency in security API terms
     • Different EE containers have different names for the same concepts
     • When “something” gets authenticated, is that something a...
       A User? (e.g. HttpServletRequest.getUserPrincipal)
       A Caller? (e.g. EJBContext.getCallerPrincipal)
     • What is a group? A group of users? A permission vs. a role?
  29. Ideas - Terminology
     • What is that “something” where identities are stored?
       security provider (WebLogic)
       realm (Tomcat, some hints in the Servlet spec)
       (auth) repository
       (auth) store
       login module (JAAS)
       identity manager (Undertow)
       authenticator (Resin, OmniSecurity, Seam Security)
       authentication provider (Spring Security)
       identity provider
  30. API for Authentication Mechanism
     • Application manages its own users and groups
     • Application needs to authenticate users in order to assign roles
     • Application authenticates based on application-domain models
     • Application needs to use an authentication method not supported on the server, like OpenID Connect or OAuth2
     • Developer wants to use a portable EE authentication standard
  31. JASPIC
     • Java Authentication Service Provider Interface for Containers
     • JSR 196, Maintenance Release 1.1, in 2013
     • Standardised, portable, thin, low-level authentication framework
     • JAAS (LoginModule) is Java SE and thus not standard within Java EE
  32. Authentication Events
     • Throw standardised CDI events at important moments:
       PreAuthenticate event
       PostAuthenticate event
       PreLogout event
       PostLogout event
     • Possible uses:
       Tracking the number of logged-in users
       Tracking failed login attempts per account
       Side effects, like creating a new local user after the initial successful authentication via a remote authentication provider
       Loading application-specific user preferences
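The "tracking failed login attempts per account" use case from the slide above, as an added example that is not part of the deck: a CDI observer counting failures per caller. The event class `PostAuthenticateEvent` and its accessors are assumptions, since JSR 375 had not fixed the event types at the time of this talk.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

@ApplicationScoped
public class FailedLoginTracker {

    /** Hypothetical event payload; the real JSR 375 event type may differ. */
    public static final class PostAuthenticateEvent {
        private final String callerName;
        private final boolean success;

        public PostAuthenticateEvent(String callerName, boolean success) {
            this.callerName = callerName;
            this.success = success;
        }
        public String getCallerName() { return callerName; }
        public boolean isSuccess() { return success; }
    }

    /** Threshold after which an account is reported; chosen for the example. */
    private static final int MAX_FAILURES = 5;

    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    /** Fired by the authentication mechanism after every authentication attempt. */
    public void onAuthenticated(@Observes PostAuthenticateEvent event) {
        String caller = event.getCallerName();
        if (event.isSuccess()) {
            failures.remove(caller);            // a good login resets the counter
            return;
        }
        int count = failures
                .computeIfAbsent(caller, k -> new AtomicInteger())
                .incrementAndGet();
        if (count >= MAX_FAILURES) {
            // Hook for alerting or a temporary lock; here only logged to stderr
            System.err.println("Repeated login failures for " + caller + ": " + count);
        }
    }

    public int failureCount(String caller) {
        AtomicInteger c = failures.get(caller);
        return c == null ? 0 : c.get();
    }

    public boolean isOverThreshold(String caller) {
        return failureCount(caller) >= MAX_FAILURES;
    }
}
```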
  33. API for Identity Store
     • Where is the “user” info stored?
     • Custom stores by annotated POJOs
  34. API for Role/Permission Assignment
     • After the user/caller is authenticated:
       • Need to retrieve the roles/permissions/grants
     • API to manage these assignments
     • Dynamic role/permission assignment
  35. Why role to group?
     • Application: similar users are grouped in a role
     • Identity store:
       Used for more than one application
       Probably already has some kind of grouping of users (department, …)
     • Map application role to identity store group
     • Supported today in deployment descriptors, e.g. web.xml
  36. Role vs Permission
     • Role
       Grouping of users
       When the “allowed actions” for a role change, the application needs to be changed and redeployed
     • Permission
       • “Key” to unlock some functionality. The permission is linked in code.
       • A user/caller, or even a role, has some permissions
       • Changes -> only external, where permissions are linked to users.
  37. API for Security Context
     • Application needs to access the security API
       To get the authenticated user
       To check roles
       To invoke runAs
     • Application needs the same API to access the security context, regardless of the container
  38. API for Authorisation Interceptors
     • Application needs to restrict specific methods to authorised users
     • Application-model rules are used to make access decisions
     • Annotation based
     • My requirements:
       Screen parts (like a JSF component) need a certain permission
       URLs are protected based on permissions/roles/…
  39. EL Authorization Rules
     • To be used in security annotations
     • Refer to any object, system- or application-defined
     • Security rules tailored to the application

```java
@EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs")
void transferFunds() { .. }
```
  40. Complex rules
     • AccessDecisionVoter
     • Concept from DeltaSpike / Octopus
     • Complex logic written out in Java code (CDI bean)

```java
@Secured(AccountAccessDecisionVoter.class)
void transferFunds() { .. }

public void checkPermission(AccessDecisionVoterContext ctx, Set<SecurityViolation> violations) { ... }
```
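An added example, not from the slides, of the "complex rules" idea: the EL rule from slide 39 (`MANAGER` role and office hours) written out as a DeltaSpike `AccessDecisionVoter`, using the real `AbstractAccessDecisionVoter`, `AccessDecisionVoterContext`, `SecurityViolation` and `@Secured` types. The injected `SecurityContext` and `OfficeSchedule` interfaces are assumed application beans, not part of DeltaSpike or JSR 375.

```java
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.Secured;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

/** Assumed application bean wrapping the container's caller information. */
interface SecurityContext {
    boolean isCallerInRole(String role);
}

/** Assumed application bean holding the business calendar. */
interface OfficeSchedule {
    boolean nowIsOfficeHrs();
}

@ApplicationScoped
public class AccountAccessDecisionVoter extends AbstractAccessDecisionVoter {

    @Inject
    private SecurityContext security;

    @Inject
    private OfficeSchedule schedule;

    /** Every violation added here denies access; an empty set grants it. */
    @Override
    protected void checkPermission(AccessDecisionVoterContext ctx,
                                   Set<SecurityViolation> violations) {
        if (!security.isCallerInRole("MANAGER")) {
            violations.add(newSecurityViolation("Only managers may transfer funds"));
        }
        if (!schedule.nowIsOfficeHrs()) {
            violations.add(newSecurityViolation("Transfers are only allowed during office hours"));
        }
    }
}

/** The protected service; DeltaSpike's interceptor runs the voter before the method body. */
@ApplicationScoped
class AccountService {
    @Secured(AccountAccessDecisionVoter.class)
    public void transferFunds(String fromAccount, String toAccount, long cents) {
        // business logic runs only when the voter reported no violations
    }
}
```

Both checks are evaluated so the caller sees every reason for the denial at once; if the second rule is expensive, return after the first violation instead.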
  41. Get Involved
     • Project Page: the starting point to all resources
       https://java.net/projects/javaee-security-spec
     • Users List: subscribe and contribute
       users@javaee-security-spec.java.net
     • Github Playground: fork and play!
       https://github.com/javaee-security-spec/javaee-security-proposals
  42. Acknowledgements
     • What’s Coming in Java EE 8? - Reza Rahman
       • http://www.slideshare.net/reza_rahman/javaee8
     • Finally, EE Security API JSR 375 - Alex Kosowski
       • http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1
     • MVC in JavaEE 8 - Manfred Riem
       • https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone-mvc-in-javaee8.pptx
  43. Safe Harbor statement
     Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  44. Q&A
