Rudy De Busscher, profile picture
Uploaded byRudy De Busscher
PPTX, PDF3,812 views

Java ee 8 + security overview

The document outlines the advancements and features in Java EE 8, with a focus on the new Java EE Security API (JSR 375) aimed at modernizing security for cloud applications. It discusses various enhancements such as alignment with web standards, cloud capabilities, improved CDI, and comprehensive security mechanisms that cater to user authentication and role assignment. Overall, it emphasizes a more user-friendly and standardized approach to security without vendor-specific configurations.

Embed presentation

Downloaded 64 times
What can we expect in Java EE 8 and in particular for Java EE Security?
Who Am I Rudy De Busscher C4J: Senior Java Web Developer, Java Coach JSR375: Java EE Security API Expert group member Java EE believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be
Agenda ▪ Java EE ▪ How We Got Here ▪ Where We Are Going ▪ Servlet 4 ▪ JSON-B ▪ Server sent Events ▪ MVC ▪ CDI ▪ Java EE Security API ▪ Why ▪ Terminology ▪ API for Authentication Mechanism ▪ API for Identity Store ▪ API for Role/Permission Assignment ▪ API for Security Context ▪ API for Authorization Interceptors
J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt Java EE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt Java EE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt Java EE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt Java EE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt Java EE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
Connector 1.7 Managed Beans 1.0 EJB 3.2 Servlet 3.1 Eco- system JSF 2.2 JAX-RS 2 JMS 2JPA 2.1 EL 3 JTA 1.2 JSP 2.3 Interceptors 1.2 CDI 1.1 Common Annotations 1.2 UpdatedMajor Release New Concurrency Utilities Batch Applications Java API for JSON Java API for WebSocket Bean Validati on 1.1 Java EE 7
https://java.net/downloads/javaee-spec/JavaEE8_Community_Survey_Results.pdf https://blogs.oracle.com/ldemichiel/entry/results_from_the_java_ee Java EE 8 Community Survey
Java EE 8 Possibilities ▪ Web Standards/HTML5 Alignment • HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia ▪ Cloud • Simple security providers, REST management/monitoring ▪ CDI Alignment • CDI 2, EJB services outside EJB, security interceptors, EJB pruning ▪ Enterprise • JCache, Configuration, JMS ▪ Java SE 8 alignment
▪ Java EE 8 (JSR 366) ▪ CDI 2 (JSR 365) ▪ JSON-B (JSR 367) ▪ JMS 2.1 (JSR 368) ▪ Servlet 4 (JSR 369) ▪ JAX-RS 2.1 (JSR 370) Current JSR ▪ MVC (JSR 371) ▪ JSF 2.3 (JSR 372) ▪ Java EE Management (JSR 373) ▪ JSON-P 1.1 (JSR 374) ▪ Java EE Security (JSR 375)
▪ Principal goal to support HTTP/2 • Request/response multiplexing over single connection • Multiple streams • Stream Prioritisation • Server Push • Binary Framing • Header Compression Servlet 4
Servlet 4 resoures • Edward Burns - Devnexus 2015 presentation - http://www.slideshare.net/edburns/http2-comes-to-java-what- servlet-40-means-to-you-devnexus-2015 • Mark Nottingham - Http/2 presentation - http://www.slideshare.net/mnot/what-http20-will-do-for-you
Java API for JSON Binding JSON-B ▪ API to marshal/unmarshal POJOs to/from JSON • Very similar to JAXB in the XML world ▪ Default mapping of classes to JSON • Annotations to customise the default mappings • @JsonProperty, @JsonTransient, @JsonValue ▪ Draw from best of breed ideas in existing JSON binding solutions • MOXy, Jackson, GSON, Genson, Xstream, … • Allow switching providers ▪ Provide JAX-RS a standard way to support “application/json” for POJOs • JAX-RS currently supports JSON-P
Server-Sent Events (SSE) ▪ Lesser known part of HTML 5 • Standard JavaScript API on the browser ▪ Server-to-client streaming • “Stock tickers”, monitoring applications ▪ Just plain long-lived HTTP • Between the extremes of vanilla request/response and WebSocket • Content-type ‘text/event-stream’ ▪ Support via JAX-RS.next() • Already supported in Jersey JAX-RS reference implementation
MVC ▪ Standard action-based web framework for Java EE • JSF to continue on it’s evolution path, but not restricted too. ▪ Model • CDI, Bean Validation, JPA ▪ View • (Standard) Facelets, JSP (Other) Freemarker, … ▪ Controller • Majority of work here • Based on JAX-RS
• Component-based MVC • like JSF, Wicket, … • Action-based MVC • like Struts 2, Spring MVC MVC types
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Component based MVC
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Action Based MVC
@Path("/") @View("my-index.xhtml") public class Bookstore { ... @GET public List<Item> getItems() { ... return items; } } MVC Possibilities
CDI 2 ▪ Java SE Bootstrap ▪ XML configuration ▪ Asynchronous events ▪ @Startup for CDI beans ▪ Portable Extension SPI simplification ▪ Small features and enhancements
Adopting Java SE 8 ▪ Most of Java SE 8 can already be used with Java EE • GlassFish, WildFly and WebLogic support JDK 8 ▪ Some APIs could adopt features • Repeatable Annotations • Date-Time API/JDBC 4.2 • Completable Future • Lambda expressions, streams • Default methods
• Expert Group nominations: EE API veterans: many JSRs, many years struggling with Security API 3rd party security framework creators/developers EE platform security implementers • March 2015: Expert Group started discussions Java EE Security API JSR-375
What’s wrong with Java EE Security? • Java EE Security viewed as not portable, abstract/confusing, antiquated • Doesn’t fit cloud app developer paradigm: requires app server configuration • "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever. ” – Arjan Tijms
What to do? • Plug the portability holes • Modernize Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
Ideas • Terminology • API for Authentication Mechanism • API for Identity Store • API for Password Aliasing • API for Role/Permission Assignment • API for Security Context • API for Authorization Interceptors To modernize, standardise, simplify
Ideas - Terminology • EG discussions revealed inconsistency in security API terms • Different EE containers have different names for the same concepts • When “something” gets authenticated, is that something a... A User? (e.g. HttpServletRequest.getUserPrincipal) A Caller? (e.g. EJBContext.getCallerPrincipal) • What is a group? A group of users? A permission Vs Role?
Ideas - Terminology • What is that “something” where identities are stored? security provider (WebLogic) realm (Tomcat, some hints in Servlet spec) (auth) repository (auth) store login module (JAAS) identity manager (Undertow) authenticator (Resin, OmniSecurity, Seam Security) authentication provider (Spring Security) identity provider
API for Authentication Mechanism • Application manages its own users and groups • Application needs to authenticate users in order to assign Roles • Application authenticates based on application-domain models • Application needs to use an authentication method not supported on the server, like OpenID Connect or OAuth2 • Developer wants to use portable EE Authentication standard
• Java Authentication Service Provider Interface for Containers • JSR 196, Maintenance Release 1.1, in 2013 • Standardised, portable, thin, low- level authentication framework • JAAS (LoginModule) is Java SE and thus not standard within Java EE JASPIC
Authentication Events • Throw standardised CDI events at important moments PreAuthenticate Event PostAuthenticate Event PreLogout Event PostLogout Event • Possible uses: Tracking number of logged-in users Tracking failed login attempts per account Side effects, like creating a new local user after initial successful authentication via a remote authentication provider Loading application-specific user preferences
• Where is the “user” info stored? API for Identity Store • Custom stores by annotated POJO’s
API for Role/Permission Assignment • After user/Caller is authenticated: • Need to retrieve the roles/permissions/grants • API to manage these assignments • Dynamic role/permission assignment
Why role to group? • Application; similar users are grouped in a Role • Identity store Used for more then 1 application Probably has already some kind of grouping of users (department, …) • Map application Role to Identity store Group • Today supported Support in Deployment Descriptors, e.g. web.xml
Role vs Permission • Role Grouping of users When “allowed actions” for a Role changes Application needs to be changed an redeployed • Permission • “Key” to unlock some functionality. Permission is linked in code. • User/Caller or even role has some permissions • Changes -> only external where permissions are linked to users.
API for Security Context • Application needs to access the security API To get the authenticated user To check roles To invoke runAs. • Application needs the same API to access security context, regardless of container
API for Authorisation Interceptors • Application needs to restrict specific methods to authorised users • Application-model rules are used to make access decisions • Annotation based • My requirements Screen parts (like on JSF Component) needs certain permission URL’s are protected based on permissions/roles/…
EL Authorization Rules • To be used in security annotations • Refer to any object, system or application defined • Security rules tailored to the application. • @EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs") void transferFunds() {..};
Complex rules • AccessDecisionVoter • Concept from DeltaSpike / Octopus • Complex logic written out in Java code (CDI bean) • @Secured(AccountAccessDecisionVoter.class) void transferFunds() {..}; • public void checkPermission (AccessDecisionVoterContext ctx, Set<SecurityViolation> violations) {
Get Involved • Project Page: The starting point to all resources https://java.net/projects/javaee-security-spec • Users List: Subscribe and contribute users@javaee- security-spec.java.net • Github Playground: Fork and Play! https://github.com/javaee-security-spec/javaee- security-proposals
• What’s Coming in Java EE 8? - Reza Rahman • http://www.slideshare.net/reza_rahman/javaee8 • Finally, EE Security API JSR 375 - Alex Kosowski • http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1 • MVC in JavaEE 8 - Manfred Riem • https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone- mvc-in-javaee8.pptx Acknowledgements
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Public The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Safe Harbor statement
Q&A

More Related Content

PDF
State of the art authentication mit Java EE 8
byOPEN KNOWLEDGE GmbH
 
PDF
Using Axe to Add Accessibility Checks to Your Existing Selenium Tests
bySauce Labs
 
PPTX
Complete Notes on Angular 2 and TypeScript
byEPAM Systems
 
PDF
Node js (runtime environment + js library) platform
bySreenivas Kappala
 
PPTX
Authenticating Angular Apps with JWT
byJennifer Estrada
 
PDF
Burp Suite 2.0触ってみた
byYu Iwama
 
PPTX
Spring boot Introduction
byJeevesh Pandey
 
PDF
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
byYoshifumi Kawai
 
State of the art authentication mit Java EE 8
byOPEN KNOWLEDGE GmbH
 
Using Axe to Add Accessibility Checks to Your Existing Selenium Tests
bySauce Labs
 
Complete Notes on Angular 2 and TypeScript
byEPAM Systems
 
Node js (runtime environment + js library) platform
bySreenivas Kappala
 
Authenticating Angular Apps with JWT
byJennifer Estrada
 
Burp Suite 2.0触ってみた
byYu Iwama
 
Spring boot Introduction
byJeevesh Pandey
 
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
byYoshifumi Kawai
 

What's hot

PDF
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
bywromeetup
 
PDF
Iterator Pattern
bymelbournepatterns
 
PDF
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
byshaunthomas999
 
PPTX
Jenkins tutorial for beginners
byBugRaptors
 
PDF
Automation testing interview pdf org
byTestbytes
 
PPTX
Iecachedata 20130427
by彰 村地
 
PDF
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
byChanny Yun
 
PDF
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
byオラクルエンジニア通信
 
PDF
Spring boot jpa
byHamid Ghorbani
 
PPTX
[OKKY 세미나] 정진욱 - 테스트하기 쉬운 코드로 개발하기
byOKKY
 
PDF
Finally, easy integration testing with Testcontainers
byRudy De Busscher
 
PDF
Java 8 Date and Time API
byGanesh Samarthyam
 
PDF
[AWS Builders] AWS 네트워크 서비스 소개 및 사용 방법 - 김기현, AWS 솔루션즈 아키텍트
byAmazon Web Services Korea
 
PPTX
MuleSoft JWT Demystified
byPatryk Bandurski
 
PDF
Test Automation Strategy
byMartin Ruddy
 
PPTX
React state
byDucat
 
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
bywromeetup
 
Iterator Pattern
bymelbournepatterns
 
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
byshaunthomas999
 
Jenkins tutorial for beginners
byBugRaptors
 
Automation testing interview pdf org
byTestbytes
 
Iecachedata 20130427
by彰 村地
 
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
byChanny Yun
 
Jakarta EE 最前線 - Jakarta EEの現在、ロードマップなど
byオラクルエンジニア通信
 
Spring boot jpa
byHamid Ghorbani
 
[OKKY 세미나] 정진욱 - 테스트하기 쉬운 코드로 개발하기
byOKKY
 
Finally, easy integration testing with Testcontainers
byRudy De Busscher
 
Java 8 Date and Time API
byGanesh Samarthyam
 
[AWS Builders] AWS 네트워크 서비스 소개 및 사용 방법 - 김기현, AWS 솔루션즈 아키텍트
byAmazon Web Services Korea
 
MuleSoft JWT Demystified
byPatryk Bandurski
 
Test Automation Strategy
byMartin Ruddy
 
React state
byDucat
 

Viewers also liked

PDF
Finally, EE Security API JSR 375
byAlex Kosowski
 
PDF
What is tackled in the Java EE Security API (Java EE 8)
byRudy De Busscher
 
PDF
Java EE 8 - February 2017 update
byDavid Delabassee
 
PDF
Java EE Next
byDavid Delabassee
 
PDF
Javaでのバリデーション 〜Bean Validation篇〜
byeiryu
 
PDF
HTTP/2 Comes to Java - What Servlet 4.0 Means to You
byDavid Delabassee
 
PPTX
Java EE 8: What Servlet 4.0 and HTTP/2 mean to you
byAlex Theedom
 
PDF
Spring Security
bySumit Gole
 
PDF
20161020 GeeCON Continuous delivery
byKim van Wilgen
 
PPTX
Extending Arquillian graphene
byRudy De Busscher
 
PPTX
10 Tips for Java EE 7 with PrimeFaces - JavaOne 2013
byMartin Fousek
 
PPTX
Octopus framework; Permission based security framework for Java EE
byRudy De Busscher
 
PDF
What’s new in JSR 367 Java API for JSON Binding
byDmitry Kornilov
 
PPTX
WS - Security
byPrabath Siriwardena
 
PDF
Java EE 8 - An instant snapshot
byDavid Delabassee
 
PPTX
2015 UJUG, Servlet 4.0 portion
bymnriem
 
PPTX
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
byJohnSmithto
 
PPTX
Servlet 4.0 Adopt-a-JSR 10 Minute Infodeck
byEdward Burns
 
PDF
http2 最速実装 v2
byYoshihiro Iwanaga
 
PPTX
Java EE for the Cloud
byDmitry Kornilov
 
Finally, EE Security API JSR 375
byAlex Kosowski
 
What is tackled in the Java EE Security API (Java EE 8)
byRudy De Busscher
 
Java EE 8 - February 2017 update
byDavid Delabassee
 
Java EE Next
byDavid Delabassee
 
Javaでのバリデーション 〜Bean Validation篇〜
byeiryu
 
HTTP/2 Comes to Java - What Servlet 4.0 Means to You
byDavid Delabassee
 
Java EE 8: What Servlet 4.0 and HTTP/2 mean to you
byAlex Theedom
 
Spring Security
bySumit Gole
 
20161020 GeeCON Continuous delivery
byKim van Wilgen
 
Extending Arquillian graphene
byRudy De Busscher
 
10 Tips for Java EE 7 with PrimeFaces - JavaOne 2013
byMartin Fousek
 
Octopus framework; Permission based security framework for Java EE
byRudy De Busscher
 
What’s new in JSR 367 Java API for JSON Binding
byDmitry Kornilov
 
WS - Security
byPrabath Siriwardena
 
Java EE 8 - An instant snapshot
byDavid Delabassee
 
2015 UJUG, Servlet 4.0 portion
bymnriem
 
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
byJohnSmithto
 
Servlet 4.0 Adopt-a-JSR 10 Minute Infodeck
byEdward Burns
 
http2 最速実装 v2
byYoshihiro Iwanaga
 
Java EE for the Cloud
byDmitry Kornilov
 

Similar to Java ee 8 + security overview

PDF
JavaOne 2014 Java EE 8 Booth Slides
byEdward Burns
 
PPTX
Java EE vs Spring Framework
byRohit Kelapure
 
PPTX
Java EE 8
byRyan Cuprak
 
PPT
Have You Seen Java EE Lately?
byReza Rahman
 
PPTX
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
byWerner Keil
 
PPT
Java EE7 in action
byAnkara JUG
 
PDF
First8 java one review 2016
byGetting value from IoT, Integration and Data Analytics
 
ODP
OTN Developer Days - Java EE 6
byglassfish
 
PPTX
Java EE 8 Update
byRyan Cuprak
 
PDF
Java EE Security API - JSR375: Getting Started
byRudy De Busscher
 
PDF
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
byMarkus Eisele
 
PPTX
Java EE8 - by Kito Mann
byKile Niklawski
 
PDF
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
byelliando dias
 
PDF
LJC 2018 - PEAT UK - Java EE - Ah, ah, ah! Staying Alive!
byPeter Pilgrim
 
PDF
Contextual Dependency Injection for Apachecon 2010
byRohit Kelapure
 
PDF
What’s new in Java SE, EE, ME, Embedded world & new Strategy
byMohamed Taman
 
PPT
J2 Ee Vs. .Net Workshop
bydanglvh
 
PDF
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
PDF
Deep Dive Hands-on in Java EE 6 - Oredev 2010
byArun Gupta
 
PDF
Enterprise java unit-1_chapter-1
bysandeep54552
 
JavaOne 2014 Java EE 8 Booth Slides
byEdward Burns
 
Java EE vs Spring Framework
byRohit Kelapure
 
Java EE 8
byRyan Cuprak
 
Have You Seen Java EE Lately?
byReza Rahman
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
byWerner Keil
 
Java EE7 in action
byAnkara JUG
 
First8 java one review 2016
byGetting value from IoT, Integration and Data Analytics
 
OTN Developer Days - Java EE 6
byglassfish
 
Java EE 8 Update
byRyan Cuprak
 
Java EE Security API - JSR375: Getting Started
byRudy De Busscher
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
byMarkus Eisele
 
Java EE8 - by Kito Mann
byKile Niklawski
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
byelliando dias
 
LJC 2018 - PEAT UK - Java EE - Ah, ah, ah! Staying Alive!
byPeter Pilgrim
 
Contextual Dependency Injection for Apachecon 2010
byRohit Kelapure
 
What’s new in Java SE, EE, ME, Embedded world & new Strategy
byMohamed Taman
 
J2 Ee Vs. .Net Workshop
bydanglvh
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
Deep Dive Hands-on in Java EE 6 - Oredev 2010
byArun Gupta
 
Enterprise java unit-1_chapter-1
bysandeep54552
 

More from Rudy De Busscher

PDF
jakarta-integration-testing.pdf
byRudy De Busscher
 
PDF
core-profile_jakartaOne2022.pdf
byRudy De Busscher
 
PDF
MicroStream-WithoutDatabase.pdf
byRudy De Busscher
 
PDF
Jakarta EE 8 on JDK17
byRudy De Busscher
 
PDF
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
byRudy De Busscher
 
PDF
Creating a Kubernetes Operator in Java
byRudy De Busscher
 
PDF
Control and monitor_microservices_with_microprofile
byRudy De Busscher
 
PDF
Transactions in micro-services (fall 2019)
byRudy De Busscher
 
PDF
Transactions in micro-services (summer 2019)
byRudy De Busscher
 
PDF
Monitor Micro-service with MicroProfile metrics
byRudy De Busscher
 
PDF
Gradual migration to MicroProfile
byRudy De Busscher
 
PDF
Secure JAX-RS
byRudy De Busscher
 
PDF
From Monolith to micro-services and back : The Self Contained Systems
byRudy De Busscher
 
jakarta-integration-testing.pdf
byRudy De Busscher
 
core-profile_jakartaOne2022.pdf
byRudy De Busscher
 
MicroStream-WithoutDatabase.pdf
byRudy De Busscher
 
Jakarta EE 8 on JDK17
byRudy De Busscher
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
byRudy De Busscher
 
Creating a Kubernetes Operator in Java
byRudy De Busscher
 
Control and monitor_microservices_with_microprofile
byRudy De Busscher
 
Transactions in micro-services (fall 2019)
byRudy De Busscher
 
Transactions in micro-services (summer 2019)
byRudy De Busscher
 
Monitor Micro-service with MicroProfile metrics
byRudy De Busscher
 
Gradual migration to MicroProfile
byRudy De Busscher
 
Secure JAX-RS
byRudy De Busscher
 
From Monolith to micro-services and back : The Self Contained Systems
byRudy De Busscher
 

Recently uploaded

PDF
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
Odoo ERP Implementation Setup: Step-by-Step Process
byShiv Technolabs Pvt. Ltd.
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Odoo ERP Implementation Setup: Step-by-Step Process
byShiv Technolabs Pvt. Ltd.
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 

Java ee 8 + security overview

  • 1.
    What can weexpect in Java EE 8 and in particular for Java EE Security?
  • 2.
    Who Am I RudyDe Busscher C4J: Senior Java Web Developer, Java Coach JSR375: Java EE Security API Expert group member Java EE believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be
  • 3.
    Agenda ▪ Java EE ▪How We Got Here ▪ Where We Are Going ▪ Servlet 4 ▪ JSON-B ▪ Server sent Events ▪ MVC ▪ CDI ▪ Java EE Security API ▪ Why ▪ Terminology ▪ API for Authentication Mechanism ▪ API for Identity Store ▪ API for Role/Permission Assignment ▪ API for Security Context ▪ API for Authorization Interceptors
  • 4.
    J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt JavaEE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
  • 5.
    J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt JavaEE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
  • 6.
    J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt JavaEE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
  • 7.
    J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt JavaEE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
  • 8.
    J2EE 1.3 CMP, JCA J2EE 1.4 Web Services, Mgmt, Deplymnt JavaEE 5 Ease of Use, EJB 3, JPA, JSF, JAXB, JAX-WS Java EE 6 Pruning, Ease of Use, JAX-RS, CDI, Bean- Validation Web Profile Servlet 3, EJB 3.1 Lite Java EE 7 JMS 2, Batch, TX, Concurr, Web- Sockets, JSON Web Profile JAX-RS 2 J2EE 1.2 Servlet, JSP, EJB, JMS, RMI Java EE Past, Present, & Future
  • 9.
    Connector 1.7 Managed Beans 1.0EJB 3.2 Servlet 3.1 Eco- system JSF 2.2 JAX-RS 2 JMS 2JPA 2.1 EL 3 JTA 1.2 JSP 2.3 Interceptors 1.2 CDI 1.1 Common Annotations 1.2 UpdatedMajor Release New Concurrency Utilities Batch Applications Java API for JSON Java API for WebSocket Bean Validati on 1.1 Java EE 7
  • 10.
  • 11.
    Java EE 8Possibilities ▪ Web Standards/HTML5 Alignment • HTTP2, SSE, JSON-B, JSON-P, action-oriented web framework, hypermedia ▪ Cloud • Simple security providers, REST management/monitoring ▪ CDI Alignment • CDI 2, EJB services outside EJB, security interceptors, EJB pruning ▪ Enterprise • JCache, Configuration, JMS ▪ Java SE 8 alignment
  • 12.
    ▪ Java EE8 (JSR 366) ▪ CDI 2 (JSR 365) ▪ JSON-B (JSR 367) ▪ JMS 2.1 (JSR 368) ▪ Servlet 4 (JSR 369) ▪ JAX-RS 2.1 (JSR 370) Current JSR ▪ MVC (JSR 371) ▪ JSF 2.3 (JSR 372) ▪ Java EE Management (JSR 373) ▪ JSON-P 1.1 (JSR 374) ▪ Java EE Security (JSR 375)
  • 13.
    ▪ Principal goalto support HTTP/2 • Request/response multiplexing over single connection • Multiple streams • Stream Prioritisation • Server Push • Binary Framing • Header Compression Servlet 4
  • 14.
    Servlet 4 resoures •Edward Burns - Devnexus 2015 presentation - http://www.slideshare.net/edburns/http2-comes-to-java-what- servlet-40-means-to-you-devnexus-2015 • Mark Nottingham - Http/2 presentation - http://www.slideshare.net/mnot/what-http20-will-do-for-you
  • 15.
    Java API forJSON Binding JSON-B ▪ API to marshal/unmarshal POJOs to/from JSON • Very similar to JAXB in the XML world ▪ Default mapping of classes to JSON • Annotations to customise the default mappings • @JsonProperty, @JsonTransient, @JsonValue ▪ Draw from best of breed ideas in existing JSON binding solutions • MOXy, Jackson, GSON, Genson, Xstream, … • Allow switching providers ▪ Provide JAX-RS a standard way to support “application/json” for POJOs • JAX-RS currently supports JSON-P
  • 16.
    Server-Sent Events (SSE) ▪ Lesserknown part of HTML 5 • Standard JavaScript API on the browser ▪ Server-to-client streaming • “Stock tickers”, monitoring applications ▪ Just plain long-lived HTTP • Between the extremes of vanilla request/response and WebSocket • Content-type ‘text/event-stream’ ▪ Support via JAX-RS.next() • Already supported in Jersey JAX-RS reference implementation
  • 17.
    MVC ▪ Standard action-basedweb framework for Java EE • JSF to continue on it’s evolution path, but not restricted too. ▪ Model • CDI, Bean Validation, JPA ▪ View • (Standard) Facelets, JSP (Other) Freemarker, … ▪ Controller • Majority of work here • Based on JAX-RS
  • 18.
    • Component-based MVC •like JSF, Wicket, … • Action-based MVC • like Struts 2, Spring MVC MVC types
  • 19.
    Copyright © 2014,Oracle and/or its affiliates. All rights reserved. Component based MVC
  • 20.
    Copyright © 2014,Oracle and/or its affiliates. All rights reserved. Action Based MVC
  • 21.
    @Path("/") @View("my-index.xhtml") public class Bookstore{ ... @GET public List<Item> getItems() { ... return items; } } MVC Possibilities
  • 22.
    CDI 2 ▪ JavaSE Bootstrap ▪ XML configuration ▪ Asynchronous events ▪ @Startup for CDI beans ▪ Portable Extension SPI simplification ▪ Small features and enhancements
  • 23.
    Adopting Java SE8 ▪ Most of Java SE 8 can already be used with Java EE • GlassFish, WildFly and WebLogic support JDK 8 ▪ Some APIs could adopt features • Repeatable Annotations • Date-Time API/JDBC 4.2 • Completable Future • Lambda expressions, streams • Default methods
  • 24.
    • Expert Groupnominations: EE API veterans: many JSRs, many years struggling with Security API 3rd party security framework creators/developers EE platform security implementers • March 2015: Expert Group started discussions Java EE Security API JSR-375
  • 25.
    What’s wrong withJava EE Security? • Java EE Security viewed as not portable, abstract/confusing, antiquated • Doesn’t fit cloud app developer paradigm: requires app server configuration • "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever. ” – Arjan Tijms
  • 27.
    What to do? •Plug the portability holes • Modernize Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
  • 28.
    Ideas • Terminology • APIfor Authentication Mechanism • API for Identity Store • API for Password Aliasing • API for Role/Permission Assignment • API for Security Context • API for Authorization Interceptors To modernize, standardise, simplify
  • 29.
    Ideas - Terminology •EG discussions revealed inconsistency in security API terms • Different EE containers have different names for the same concepts • When “something” gets authenticated, is that something a... A User? (e.g. HttpServletRequest.getUserPrincipal) A Caller? (e.g. EJBContext.getCallerPrincipal) • What is a group? A group of users? A permission Vs Role?
  • 30.
    Ideas - Terminology •What is that “something” where identities are stored? security provider (WebLogic) realm (Tomcat, some hints in Servlet spec) (auth) repository (auth) store login module (JAAS) identity manager (Undertow) authenticator (Resin, OmniSecurity, Seam Security) authentication provider (Spring Security) identity provider
  • 31.
    API for Authentication Mechanism •Application manages its own users and groups • Application needs to authenticate users in order to assign Roles • Application authenticates based on application-domain models • Application needs to use an authentication method not supported on the server, like OpenID Connect or OAuth2 • Developer wants to use portable EE Authentication standard
  • 32.
    • Java AuthenticationService Provider Interface for Containers • JSR 196, Maintenance Release 1.1, in 2013 • Standardised, portable, thin, low- level authentication framework • JAAS (LoginModule) is Java SE and thus not standard within Java EE JASPIC
  • 33.
    Authentication Events • Throwstandardised CDI events at important moments PreAuthenticate Event PostAuthenticate Event PreLogout Event PostLogout Event • Possible uses: Tracking number of logged-in users Tracking failed login attempts per account Side effects, like creating a new local user after initial successful authentication via a remote authentication provider Loading application-specific user preferences
  • 34.
    • Where isthe “user” info stored? API for Identity Store • Custom stores by annotated POJO’s
  • 35.
    API for Role/Permission Assignment •After user/Caller is authenticated: • Need to retrieve the roles/permissions/grants • API to manage these assignments • Dynamic role/permission assignment
  • 36.
    Why role togroup? • Application; similar users are grouped in a Role • Identity store Used for more then 1 application Probably has already some kind of grouping of users (department, …) • Map application Role to Identity store Group • Today supported Support in Deployment Descriptors, e.g. web.xml
  • 37.
    Role vs Permission •Role Grouping of users When “allowed actions” for a Role changes Application needs to be changed an redeployed • Permission • “Key” to unlock some functionality. Permission is linked in code. • User/Caller or even role has some permissions • Changes -> only external where permissions are linked to users.
  • 38.
    API for SecurityContext • Application needs to access the security API To get the authenticated user To check roles To invoke runAs. • Application needs the same API to access security context, regardless of container
  • 39.
    API for Authorisation Interceptors •Application needs to restrict specific methods to authorised users • Application-model rules are used to make access decisions • Annotation based • My requirements Screen parts (like on JSF Component) needs certain permission URL’s are protected based on permissions/roles/…
  • 40.
    EL Authorization Rules •To be used in security annotations • Refer to any object, system or application defined • Security rules tailored to the application. • @EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs") void transferFunds() {..};
  • 41.
    Complex rules • AccessDecisionVoter •Concept from DeltaSpike / Octopus • Complex logic written out in Java code (CDI bean) • @Secured(AccountAccessDecisionVoter.class) void transferFunds() {..}; • public void checkPermission (AccessDecisionVoterContext ctx, Set<SecurityViolation> violations) {
  • 42.
    Get Involved • ProjectPage: The starting point to all resources https://java.net/projects/javaee-security-spec • Users List: Subscribe and contribute users@javaee- security-spec.java.net • Github Playground: Fork and Play! https://github.com/javaee-security-spec/javaee- security-proposals
  • 43.
    • What’s Comingin Java EE 8? - Reza Rahman • http://www.slideshare.net/reza_rahman/javaee8 • Finally, EE Security API JSR 375 - Alex Kosowski • http://www.slideshare.net/a_kosowski/devoxx-fr-ee8jsr375securityapiv1 • MVC in JavaEE 8 - Manfred Riem • https://java.net/projects/ozark/downloads/download/Presentations/2014-javaone- mvc-in-javaee8.pptx Acknowledgements
  • 44.
    Copyright © 2012,Oracle and/or its affiliates. All rights reserved. Public The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Safe Harbor statement
  • 45.

Editor's Notes

  • #5 For many folks that have not kept up-to-date with the evolution of Java EE, historical context is very important.
  • #6 The J2EE period (prior to Java EE 5) is marked with a successful effort to establish the server-side Java standards based ecosystem. Though widely criticized for complexity J2EE remains one of the most influential and groundbreaking technologies in the enterprise. The Java community stepped in to meet the programming model challenges in J2EE with projects like Spring and Hibernate.
  • #7 Java EE 5 absorbed many of the programming model changes from the community and included it’s own set of key innovations. The key changes in Java EE 5 were POJO programming, annotations over XML, intelligent defaults and zero-configuration systems. As a result of the changes in Java EE 5, Java EE remains one of the easiest to use platforms available today.
  • #8 The key change in Java EE 6 was to introduce first-class generic dependency injection as a built-in part of the platform through CDI. The industry reception of Java EE 6 has been great resulting in the growing adoption of Java EE. Java EE 6 also introduced the Web Profile and a pruning process to make the platform as lightweight as possible.
  • #9 Java EE 7 is an opportunity to build upon the success of Java EE 6 to make sure enterprise developers are ready for emerging challenges.
  • #10 Some new APIs were added in Java EE 7, some have gone through major changes and others are point releases. Almost every Java EE API has gone through a change. The point releases have important changes and taken together outweigh the new APIs and major updates. The Java API for JSON, the Java API for WebSocket, JAX-RS 2, JSF 2.2, Servlet 3.1, Bean Validation 1.1, etc all contribute towards the HTML 5 theme. JMS 2, CDI 1.1, JPA 2.1 and JTA 1.2 are examples of a laser focus on productivity while Java Batch and Java EE Concurrency Utilities are clearly geared towards meeting enterprise needs. It is always important to remember Java EE forms the stable core of a vibrant ecosystem. Things like Arquillian, DeltaSpike, Forge, PrimeFaces continually move the ecosystem forward by building on the standard.
  • #11 Java EE 7 has seen significantly increased community involvement as compared with previous releases like Java EE 6 and Java EE 5. We want to significantly improve upon that towards making Java EE 8 one of the most community driven technologies ever developed. Towards this goal we started off Java EE 8 with a series of public surveys asking developers for feedback into what should go into the next revision of the platform. The first two parts asked about specific features we thought were important. We also allowed for any open ended feedback anyone may have. The last part of the survey asked the community to prioritize features. The survey was run for about three months and we received about 4,500 inputs. The data represented all sorts of folks from around the globe and many kinds of organizations. The results of the survey are available for anyone to see. They have important insights into what the community thinks. The graphic depicts the final prioritization of features for Java EE 8.
  • #12 Based largely on the survey we have drawn some possible themes for Java EE 8 – further web standards alignment, cloud features, CDI alignment, enterprise features as well as Java SE 8 alignment. In the next part of the presentation we will take a high level look at these features. The web standards/HTML 5 alignment will consist of support for HTTP 2 via Servlet 4, JSON binding, updates to the lower level JSON processing API added in Java EE 7, a new action-oriented framework for Java EE and building upon the hypermedia support in JAX-RS 2 added in Java EE 7. A number of possible Java EE 8 features are geared towards making it easier for applications to be deployed to the cloud. These include simplifications to the way Java EE application security is handled as well as being able to administer Java EE containers using a standard RESTful API. We have been gradually aligning as many Java EE APIs as possible with CDI in Java EE 6 and Java EE 7. The eventual goal as desired by the community is to make CDI the central programming model in Java EE. One of the most important goals in Java EE 8 is to have a significant release of the CDI specification itself. Other possibilities include making more EJB services available to all Java EE managed components through CDI as well as pruning older EJB features such as CORBA interoperability. There are a smaller number of important features on the enterprise front. JCache 1.0, the Java Caching standard, was originally planned to be included in Java EE 7 but was delayed. JCache is now finalized and could be used on top of Java EE 7 applications. The goal in Java EE 8 is to include JCache 1.1 into the platform. JCache 1.1 could make it a lot easier to use the API in Java EE applications. One of the goals the community thought was important was to make it easier to configure Java EE applications so this is something we will take a closer look at. JMS 2.1 will explore how to make messaging even easier in Java EE applications by utilizing CDI. Finally we always try to make sure that Java EE is aligned with Java SE. Java SE 8 brings a number of useful features and we want to make sure Java EE developers can take maximum advantage of those features.
  • #13  Java EE 8 is already in full swing. Many key JSRs including the Java EE 8 platform JSR were launched in the JavaOne 2014 time frame. Those expert groups are now fully active. A second smaller batch of key JSRs including Java EE Security, Java EE Management and JSON-P 1.1 were launched more recently and are now solidifying their progress. Many other JSRs like minor releases of WebSocket, Java EE Concurrency Utilities and JPA are yet to come. There is still plenty of opportunities to participate and help shape Java EE 8.
  • #14 Servlet 4 is easily one of the most important changes in Java EE 8. The principal goal of Servlet 4 is to bring HTTP 2 support to Java EE developers. HTTP 2 is a very fundamental modernization of the protocol that keeps the internet together. HTTP was designed with a very simple web in mind – a request is expected to produce just one artifact, likely a plain HTML page with some hyperlinks. The web today is a far more complex beast. A single page contains many possible dependent resources – images, style-sheets, scripts, videos and so on. As a result we currently lose a lot of performance as each dependent resource is retrieved through a separate HTTP request. HTTP 2 is aimed to boost web performance manifolds by fixing this impedance mismatch. HTTP 2 accomplishes this by allowing the transfer of a number of resources from the server in a given request over a single initial TCP connection. Given a request from the client the server can send down as many related resources as needed by multiplexing the connection into streams. These streams can be assigned priorities such that the client browser can first retrieve what is absolutely needed for rendering such as the main page and some images while retrieving less important resources in the background. In addition HTTP 2 uses binary framing for significantly improved bandwidth usage as well as header sharing/compression across related resources. We hope that a majority of these changes can be completely transparent to developers and simply be handled by Servlet runtime. However some of these changes will inevitably result in changes to the Servlet API. A majority of these changes can definitely be handled very transparently by higher level APIs such as JSF and JAX-RS.
  • #16 Java EE 7 includes a low-level JSON parsing API akin to JAXP in the XML world. On of the most popular features the community has asked for in Java EE 8 is a higher level binding API similar to JAXB in the XML world. The API should be highly transparent and mostly just work with POJOs as is. There will likely be a small number of annotations to override default mappings such as renaming fields or marking fields transient. The API will draw from existing non-standard JSON binding solutions like MOXy, Jackson, GSON and Genson as well as allow switching providers at runtime. For the most part, developers do not even need to be aware of the actual API as it will be seamlessly integrated into higher level Java EE APIs such as JAX-RS. The idea is that the binding will simply take effect on POJOs when the runtime encounters the ‘application/json’ content-type. JSON-P is currently integrated with JAX-RS in a similar fashion. Note that JSON binding has long been supported in GlassFish and WebLogic through the non-standard MOXy project.
  • #17 Java EE has had strong support for REST as of Java EE 6. In Java EE 7, we added support for WebSocket. REST is intended for traditional HTTP based stateless request-response style communication. In this model the client initiates a single request, the server furnishes a response and the connection is closed. The vast majority of communication on the web is based on this model. WebSocket is almost the opposite of plain HTTP and REST. It is a stateful, fully bi-directional, asynchronous communication model. Once a connection is established, either the client or the server can send messages whenever they need to. The connection is kept open as long as necessary. WebSocket is ideal for situations like chat, real-time online collaboration, online multiplayer games and the like. SSE or Server-Sent Events are something between the extremes of plain HTTP and WebSocket. Using SSE once the client connects to the server, the server can send messages down over a period of time, in theory for as long as needed. SSE is good for use cases like stock tickers, monitoring applications, live maps and the like. Like WebSocket, SSE was introduced as part of HTML 5. It is really just a very long lived HTTP connection with a specialized content-type – ‘text/event-stream’. Just like WebSocket, there is a standard JavaScript API for it on the browser. SSE was one of the items that there was very strong support for in the Java EE 8 survey. SSE will be supported in Java EE 8 through JAX-RS 2.1. Note that the Jersey JAX-RS reference implementation included in both GlassFish and WebLogic has long had non-standard support for SSE.
  • #18 The oldest web framework in the Java space – Struts – was action based. Struts creator Craig McClanahan helped create JSF and supported the more abstract component based approach closer to the original Smalltalk MVC pattern. While JSF clearly continues to have a very strong following, action based frameworks continue to move forward even after Craig’s recommendation to move to JSF. More recently some developers feel that the action based approach is particularly well suited to the HTML 5 ecosystem, among other benefits long touted by proponents. We wanted to utilize the Java EE 8 survey as an opportunity to gage developer sentiment on the debate. What we found is that there is fairly strong developer interest in having a standard action-based web framework in Java EE. To meet these community desires Java EE 8 will include an action-based alternative alongside JSF. JSF will still continue it’s evolutionary path with JSF 2.3. The model portion of this framework will be centered around CDI, JPA and Bean Validation. The view portion will have built-in support for Facelets and JSP. The majority of the work in this new specification is in defining the controller portion. The expert group has decided to base this work on JAX-RS.
  • #22 The code illustrates the basics of how the controller portion may look like and should be fairly familiar to action based web framework developers as well as experienced Java EE/JAX-RS developers. While the @Path and @GET annotations would come from JAX-RS, @View annotation would be defined in the new specification. If omitted the view could default to something like bookstore.jsp. The idea is that the view would be populated from the model generated by the GET method handler – in this case a list of bookstore items.
  • #23 After Java EE 6 there has been two minor point releases of CDI – CDI 1.1 and CDI 1.2. The goal in Java EE 8 is to include a major CDI 2 revision. The goals for CDI 2 are quite ambitious. Thus far CDI has been a Java EE centric technology. Major CDI implementations also support Java SE runtimes, but such support is currently non-standard. The goal in CDI 2 is to support a feature subset in Java SE environments including a standard bootstrap API. Much like newer Java EE APIs such as JAX-RS and WebSocket, CDI so far does not provide any support for XML based configuration. However some in the community have long felt that there are important use cases in CDI that cannot be met without XML configuration support such as incorporating CDI into non-Java EE products like enterprise integration frameworks and ESBs. CDI 2 will explore adding XML configuration support alongside annotations. CDI has a very elegant and type-safe event mechanism. While CDI events are synchronous today CDI 2 will explore making them asynchronous. CDI will also likely be the primary vehicle for making EJB annotations like @Startup, @Asynchronous and @Schedule available to all managed beans. The portable extension SPI is an extremely important part of CDI. It is intended to create a plug-in ecosystem for CDI. CDI 2 will look for ways to simplify the SPI as much as possible.
  • #24 Java SE 8 brings about a very useful set of changes that has been extremely well received by the community. We have ensured that developers can take maximal advantage of Java SE 8 by certifying both GlassFish 4.1 and WebLogic 12.1.3 against it. Similarly WildFly 8 is also certified against Java SE 8. The vast majority of Java SE 8 features like the new Date-Time API, lambdas, streams and CompletableFuture should be readily usable with Java EE 7, Java EE 6 and Java EE 5 APIs. In Java EE 8 we will make sure all APIs align with Java SE 8 as much as possible. Some features that such alignment could utilize include repeatable annotations, the Date-Time API, JDBC 4.2, CompletableFuture, the fork/join common pool, lambdas, streams and default methods.
  • #45 Standard corporate legal disclaimer essentially stating that any forward looking features may change in the future ☺.