Java EE 8 - An instant snapshot
Transcript of Java EE 8 - An instant snapshot
David Delabassee (@delabassee) Oracle
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Java EE 8 - An instant snapshot
JDK.IO 2015

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Program Agenda
Preview of Java EE 8
1 How did we get here?
2 What do we want to do?
3 How can you get involved?

Feedback from the Community
• Many sources
  – Users lists of java.net projects
  – JIRAs
  – JavaOne 2013 Java EE BOF and Java EE EG meeting
  – Outreach by evangelists
• Consolidated into Community Survey

Java EE 8 Community Survey
• 3 parts over 3½ months
  – 47 questions
  – 15 fill-ins
  – 1000’s of comments
• 4500+ respondents
• Prioritization of most-popular features

Community-Prioritized Features
http://glassfish.org/survey

Java EE 8
Driven by Community Feedback
You asked for it, you got it!

Java EE 8 Themes
• HTML5 / Web Tier Enhancements
• Ease of Development / CDI alignment
• Infrastructure for running in the Cloud
• Enterprise
• Java SE 8 alignment

Java EE 8 Themes
• HTML5 / Web Tier Enhancements
• Ease of Development / CDI alignment
• Infrastructure for running in the Cloud

HTML5 Support / Web Tier Enhancements
• JSON Binding
• JSON Processing enhancements
• Server-sent Events
• Action-based MVC
• HTTP/2 support

JSON-B
Java API for JSON Binding
Which of these APIs do you think is important to be included in Java EE 8?

JSON-B
Java API for JSON Binding
• API to marshal/unmarshal Java objects to/from JSON
  – Similar to JAXB runtime API in XML world
• Default mapping of classes to JSON
  – Annotations to customize the default mappings
  – JsonProperty, JsonTransient, JsonNillable, JsonValue, …

JSON-B
Standard API
• Draw from best practices of existing JSON binding implementations
  – Jackson, Genson, Gson, EclipseLink MOXy, Fleece, JSON-lib, Flexjson, Json-io, JSONiJ, Xstream, etc.
• Switch JSON binding providers
• Implementations compete on common ground

JSON-B
    @Entity
    public class Person {
        @Id String name;
        String gender;
        @ElementCollection Map<String,String> phones;
        ... // getters and setters
    }

    Person duke = new Person();
    duke.setName("Duke");
    duke.setGender("M");
    Map<String,String> phones = new HashMap<String,String>();
    phones.put("home", "650-123-4567");
    phones.put("mobile", "650-234-5678");
    duke.setPhones(phones);

    Marshaller marshaller = new JsonContext().createMarshaller().setPrettyPrinting(true);
    marshaller.marshal(duke, System.out);

    {
      "name":"Duke",
      "gender":"M",
      "phones":{
        "home":"650-123-4567",
        "mobile":"650-234-5678"}
    }

JSON-B
JSR 367
• All the way from client to database
  – JSON-B will provide JAX-RS a standard way to support “application/json” media type
[Diagram: Data Source, JPA, Java Objects, JSON-B, JSON, JAX-RS]

JSON-P 1.1
Java API for JSON Processing
• Keep JSON-P spec up-to-date
• Track new standards
• Add editing operations to JsonObject and JsonArray
• Java SE 8
• JSON Big Data

JSON-P: Java API for JSON Processing 1.1
Tracking new standards
• JSON-Pointer
  – IETF RFC 6901
  – String syntax for referencing a JSON value
    "/0/phone/mobile"

JSON-P
    JsonArray contacts = …
    JsonPointer p = Json.createPointer("/0/phones/mobile");
    JsonValue v = p.getValue(contacts);
    …
    JsonArray result = p.replace(contacts, "123-4567");

    [
      { "name":"Duke", "gender":"M",
        "phones":{ "home":"650-123-4567", "mobile":"650-234-5678"}},
      { "name":"Jane", "gender":"F",
        "phones":{ "mobile":"707-555-9999"}}
    ]

JSON-P: Java API for JSON Processing 1.1
Tracking new standards
• JSON-Patch
  – IETF RFC 6902
• Patch is a JSON document
  – Array of objects / operations for modifying a JSON document
  – Must have "op" field and "path" field
  – add, replace, remove, move, copy, test

    [
      {"op":"replace","path":"/0/phones/mobile","value":"650-111-222"},
      {"op":"remove","path":"/1"}
    ]

JSON-P
Patch:
    [
      { "op":"replace", "path":"/0/phones/mobile", "value":"650-111-2222"},
      { "op":"remove", "path":"/1"}
    ]

Document before the patch is applied:
    [
      { "name":"Duke", "gender":"M",
        "phones":{ "home":"650-123-4567", "mobile":"650-234-5678"}},
      { "name":"Jane", "gender":"F",
        "phones":{ "mobile":"707-555-9999"}}
    ]

After the "replace" operation:
    [
      { "name":"Duke", "gender":"M",
        "phones":{ "home":"650-123-4567", "mobile":"650-111-2222"}},
      { "name":"Jane", "gender":"F",
        "phones":{ "mobile":"707-555-9999"}}
    ]

After the "remove" operation:
    [
      { "name":"Duke", "gender":"M",
        "phones":{ "home":"650-123-4567", "mobile":"650-111-2222"}}
    ]

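The patch walk-through above, as an added example that is not part of the original slides: a JDK-only sketch of RFC 6901 pointer resolution and the RFC 6902 "replace" and "remove" operations over plain Map/List values rather than the JSON-P 1.1 API. The class and helper names are hypothetical; the patch is applied to a copy so that a failing operation leaves the input unchanged, as RFC 6902 requires.

```java
import java.util.*;

// Added example: JDK-only sketch over Map/List values, not the JSON-P 1.1 API. Names are hypothetical.
public class JsonPatchDemo {
    // RFC 6901: split the pointer into tokens, decoding "~1" to "/" and then "~0" to "~".
    static List<String> tokens(String pointer) {
        if (pointer.isEmpty()) return Collections.emptyList();
        if (pointer.charAt(0) != '/') throw new IllegalArgumentException("pointer must start with '/'");
        List<String> out = new ArrayList<>();
        for (String t : pointer.substring(1).split("/", -1)) out.add(t.replace("~1", "/").replace("~0", "~"));
        return out;
    }

    // Array index: digits only, no leading zeros, and inside the array.
    static int index(String token, int size) {
        if (!token.matches("0|[1-9][0-9]*")) throw new IllegalArgumentException("bad array index: " + token);
        int i = Integer.parseInt(token);
        if (i >= size) throw new IllegalArgumentException("index out of range: " + token);
        return i;
    }

    // One step down the document; a missing member or index is an error, never a silent null.
    static Object child(Object node, String token) {
        if (node instanceof Map && ((Map<?, ?>) node).containsKey(token)) return ((Map<?, ?>) node).get(token);
        if (node instanceof Map) throw new IllegalArgumentException("no such member: " + token);
        if (node instanceof List) return ((List<?>) node).get(index(token, ((List<?>) node).size()));
        throw new IllegalArgumentException("cannot descend into a scalar at: " + token);
    }

    static Object copy(Object n) { // deep copy of Map/List trees; the scalars used here are immutable
        if (n instanceof Map) {
            Map<String, Object> m = new LinkedHashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) n).entrySet()) m.put((String) e.getKey(), copy(e.getValue()));
            return m;
        }
        if (!(n instanceof List)) return n;
        List<Object> l = new ArrayList<>();
        for (Object o : (List<?>) n) l.add(copy(o));
        return l;
    }

    @SuppressWarnings("unchecked")
    static void apply(Object doc, Map<String, Object> op) {
        String kind = String.valueOf(op.get("op"));
        if (!kind.equals("replace") && !kind.equals("remove"))
            throw new UnsupportedOperationException("operation not implemented in this sketch: " + kind);
        List<String> toks = tokens(String.valueOf(op.get("path")));
        if (toks.isEmpty()) throw new IllegalArgumentException("whole-document target not handled here");
        Object parent = doc;
        for (String t : toks.subList(0, toks.size() - 1)) parent = child(parent, t);
        String last = toks.get(toks.size() - 1);
        child(parent, last); // both operations require the target to exist
        if (parent instanceof Map) {
            Map<String, Object> m = (Map<String, Object>) parent;
            if (kind.equals("replace")) m.put(last, op.get("value")); else m.remove(last);
        } else {
            List<Object> l = (List<Object>) parent;
            int i = index(last, l.size());
            if (kind.equals("replace")) l.set(i, op.get("value")); else l.remove(i);
        }
    }

    // RFC 6902 applies a patch atomically: work on a copy so a failing operation changes nothing.
    static Object patch(Object doc, List<Map<String, Object>> ops) {
        Object work = copy(doc);
        for (Map<String, Object> op : ops) apply(work, op);
        return work;
    }

    static Map<String, Object> obj(Object... kv) {
        Map<String, Object> m = new LinkedHashMap<>();
        for (int i = 0; i < kv.length; i += 2) m.put((String) kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        List<Object> contacts = new ArrayList<>(Arrays.asList( // the document from the slides
            obj("name", "Duke", "gender", "M", "phones", obj("home", "650-123-4567", "mobile", "650-234-5678")),
            obj("name", "Jane", "gender", "F", "phones", obj("mobile", "707-555-9999"))));
        Map<String, Object> replace = obj("op", "replace", "path", "/0/phones/mobile", "value", "650-111-2222");
        Map<String, Object> remove = obj("op", "remove", "path", "/1");
        System.out.println(patch(contacts, Arrays.asList(replace, remove)));
        // Constructed failing patch: the second "remove" has no target, so the whole patch is rejected.
        try { patch(contacts, Arrays.asList(remove, remove)); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage() + "; entries kept: " + contacts.size()); }
    }
}
```
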
JSON-P 1.1
JSON Query using Lambda Operations
    JsonArray contacts = ...;
    List<String> femaleNames = contacts.getValuesAs(JsonObject.class).stream()
        .filter(x -> "F".equals(x.getString("gender")))
        .map(x -> x.getString("name"))
        .collect(Collectors.toList());

JSON-P 1.1
JSON Query collecting results in JsonArray
    JsonArray contacts = ...;
    JsonArray femaleNames = contacts.getValuesAs(JsonObject.class).stream()
        .filter(x -> "F".equals(x.getString("gender")))
        .map(x -> x.getString("name"))
        .collect(JsonCollectors.toJsonArray());

JSON-P 1.1
JSR 374
• Keep JSON-P spec up-to-date
• Track new standards
• Add editing operations to JsonObject and JsonArray
• Java SE 8
• JSON Big Data

Server-sent Events
Should we also standardize a Java API for server-sent events?

Server-sent Events
• Part of HTML5 standardization
• Server-to-client streaming of text data
• Media type: “text/event-stream”
• Long-lived HTTP connection
  – Client establishes connection
  – Server pushes update notifications to client

Server-sent Events
• Several possibilities: Servlet; WebSocket; JAX-RS; standalone
• JAX-RS deemed most natural fit
  – Streaming HTTP resources already supported
  – Small extension
• Server API: new media type; EventOutput
• Client API: new handler for server side events
  – Convenience of mixing with other HTTP operations; new media type
  – Jersey (JAX-RS RI) already supports SSE

Server-sent Events
JAX-RS resource class
    @Path("tickers")
    public class StockTicker {
        @GET
        @Produces("text/event-stream")
        public EventOutput getQuotes() {
            EventOutput eo = new EventOutput();
            new StockThread(eo).start();
            return eo;
        }
    }

Server-sent Events
JAX-RS StockThread class
    import java.io.IOException;
    import java.util.concurrent.atomic.AtomicBoolean;

    class StockThread extends Thread {
        private EventOutput eo;
        // Cleared by terminate() to stop the send loop
        private AtomicBoolean ab = new AtomicBoolean(true);

        public StockThread(EventOutput eo) {
            this.eo = eo;
        }

        public void terminate() {
            ab.set(false);
        }

        @Override
        public void run() {
            while (ab.get()) {
                try {
                    // ...
                    eo.send(new StockQuote("..."));
                    // ...
                } catch (IOException e) {
                    // ...
                }
            }
        }
    }

Server-sent Events
JAX-RS Client
    WebTarget target = client.target("http://example.com/tickers");
    EventSource eventSource = new EventSource(target) {
        @Override
        public void onEvent(InboundEvent inboundEvent) {
            StockQuote sq = inboundEvent.readData(StockQuote.class);
            // ...
        }
    };
    eventSource.open();

Model View Controller 1.0 (MVC)
Should Java EE provide support for MVC alongside JSF?
Is there any one de-facto standard technology in this space to which we should look for inspiration?

Model View Controller
• Pattern used to implement a user interface
  – Model
  – View
  – Controller
• Styles
  – Component-based
  – Action-based
  – etc.

Component-based MVC
• A specific style of MVC made popular by component frameworks
• Controller provided by the framework
• Examples
  – JavaServer Faces
  – Wicket
  – Tapestry
  – Seam (discontinued)
  – Apache Click (retired)

Action-based MVC
• Controller(s) defined by the application
• Examples
  – Struts 2
  – Spring MVC

Compare & Contrast

Action-based MVC
• Manual request parameter processing
• No view kept around
• Limited support for re-usable behavior
• Developer responsible for all HTML / JavaScript
• No automatic input conversion
• No automatic input validation
• Request centric

Component-based MVC
• Automatic request parameter processing
• View kept around
• Component libraries that implement re-usable behavior
• Components render HTML / JavaScript
• Automatic input conversion
• Automatic input validation
• Page centric

MVC 1.0
Action-based Model-View-Controller architecture
• Glues together key Java EE technologies
  – Model
    • CDI, Bean Validation, JPA
  – View
    • Facelets, JSP, SPI?
  – Controller
    • Invent new technology Vs Leverage existing technologies (e.g. JAX-RS)
• Misc.
  – Programmatic API so you can change the runtime behaviour
  – Type conversion of form inputs, etc.

MVC 1.0
Example
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
      <head><title>Rough example</title></head>
      <body>
        <form action="/rough-example/form1a">
          <input id="input1" value="#{roughExampleBean.value}"/>
          <input id="submit" type="submit" value="Submit"/>
        </form>
      </body>
    </html>

MVC 1.0
Example
    @Named("roughExampleBean")
    @RequestScoped
    public class RoughExampleBean implements Serializable {

        private String value;

        @Path(value = "/form1a")
        public String form1(@Inject HttpServletRequest request) {
            String input1 = request.getParameter("inputText1");
            setValue("We set input1 manually to - " + input1);
            return "/form1b";
        }
        //… omitted getter/setter methods …
    }

Servlet API
A real life example
[Figure: index.html and the resources it references: style1.css … styleX.css, script1.js … scriptX.js, pic1.jpg … picX.jpg, photo1.png … photoX.png]

HTTP 1.1
Head-of-Line blocking
[Figure: Client and Server exchanging index.html, then style1.css, style2.css, script1.js, ...]

HTTP 1.1
Workaround - ‘HoLB’
• Open multiple TCP sockets
  – Browsers limit themselves to 6 sockets
  – = 6 sockets per client X # connections
• Inefficient use of sockets
• Doesn’t solve the issue!

HTTP 1.1
Issue
• Modern web page now consists of more than 90 resources fetched from 15 distinct hosts
  – http://httparchive.org
• Shoving more than one logical file into one physical file
  – TCP Efficiency Improves with Larger Files
• File Concatenation and Image Sprites

HTTP 1.1
Workaround - Image Sprites

HTTP 1.1
Workaround - Asset inlining
    … <img src="data:image/gif;base64,…" /> …

HTTP 1.1
Workaround - Domain Sharding

HTTP 1.1 circa 1999
Problems Vs Solutions
• HTTP uses TCP poorly
  – HTTP flows are short and bursty
  – TCP was built for long-lived flows
• Solutions
  – Sprites
  – Domain sharding
  – Assets Inlining
  – File concatenations
  – …

HTTP/2
Address the Limitations of HTTP 1.x
HTTP/2 submitted to IETF RFC Editor
• Reduce latency
• Address the HOL blocking problem
• Support parallelism (without requiring multiple connections)
• Retain semantics of HTTP 1.1
• Define interaction with HTTP 1.x

HTTP/2
• Request/Response multiplexing over single connection
  – Fully bidirectional
  – Multiple streams
• Binary Framing
• Upgrade from HTTP 1.1
• Header Compression
• Stream Prioritization
• Server Push

HTTP 1.1:
    POST /upload HTTP/1.1
    Host: www.test.com
    Content-Type: application/json
    Content-Length: 15

    {"name":"duke"}

HTTP/2:
    HEADERS frame
    DATA frame

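The binary framing shown on the slide above, as an added example that is not from the original deck: it wraps the slide's 15-byte JSON body in a DATA frame using the 9-byte frame header of RFC 7540 (24-bit length, type, flags, 31-bit stream identifier) and decodes it again with the checks a receiver needs before trusting the declared length. The class and method names are hypothetical; the HEADERS frame is left out because its payload is HPACK-encoded.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added example: frame layout per RFC 7540 section 4.1. Class and method names are hypothetical.
public class Http2FrameDemo {
    static final int TYPE_DATA = 0x0, TYPE_HEADERS = 0x1;
    static final int FLAG_END_STREAM = 0x1;
    static final int DEFAULT_MAX_FRAME_SIZE = 16384; // initial value of SETTINGS_MAX_FRAME_SIZE

    static final class Frame {
        final int type, flags, streamId;
        final byte[] payload;
        Frame(int type, int flags, int streamId, byte[] payload) {
            this.type = type; this.flags = flags; this.streamId = streamId; this.payload = payload;
        }
    }

    // 9-byte header (24-bit length, type, flags, reserved bit + 31-bit stream id), then the payload.
    static byte[] encode(Frame f) {
        int len = f.payload.length;
        ByteBuffer b = ByteBuffer.allocate(9 + len); // ByteBuffer is big-endian by default
        b.put((byte) (len >>> 16)).put((byte) (len >>> 8)).put((byte) len);
        b.put((byte) f.type).put((byte) f.flags).putInt(f.streamId & 0x7fffffff);
        return b.put(f.payload).array();
    }

    static Frame decode(byte[] wire, int maxFrameSize) {
        if (wire.length < 9) throw new IllegalArgumentException("truncated frame header");
        ByteBuffer b = ByteBuffer.wrap(wire);
        int len = ((b.get() & 0xff) << 16) | ((b.get() & 0xff) << 8) | (b.get() & 0xff);
        int type = b.get() & 0xff;
        int flags = b.get() & 0xff;
        int streamId = b.getInt() & 0x7fffffff; // the reserved bit is ignored on receipt
        // Validate the declared length before allocating or reading anything based on it.
        if (len > maxFrameSize) throw new IllegalArgumentException("FRAME_SIZE_ERROR: " + len);
        if (len > b.remaining()) throw new IllegalArgumentException("payload shorter than declared length");
        if ((type == TYPE_DATA || type == TYPE_HEADERS) && streamId == 0)
            throw new IllegalArgumentException("PROTOCOL_ERROR: stream 0 cannot carry this frame type");
        byte[] payload = new byte[len];
        b.get(payload);
        return new Frame(type, flags, streamId, payload);
    }

    public static void main(String[] args) {
        byte[] body = "{\"name\":\"duke\"}".getBytes(StandardCharsets.UTF_8); // 15 bytes, as on the slide
        byte[] wire = encode(new Frame(TYPE_DATA, FLAG_END_STREAM, 1, body));
        Frame f = decode(wire, DEFAULT_MAX_FRAME_SIZE);
        System.out.println("length=" + f.payload.length + " type=" + f.type + " flags=" + f.flags
                + " stream=" + f.streamId + " payload=" + new String(f.payload, StandardCharsets.UTF_8));
        wire[0] = (byte) 0xff; // constructed malformed header: declares a payload of about 16 MB
        try { decode(wire, DEFAULT_MAX_FRAME_SIZE); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```
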
HTTP/2
Header Compression

HTTP/2
Server Push
[Diagram: Client and Server]
    /index.html : stream 1
    /style.css : stream 2
    /script.js : stream 4

    stream 1 HEADERS
    stream 1 FRAME x
    stream 2 PROMISE
    stream 4 PROMISE

Servlet 4.0
HTTP/2 Features in Servlet API
• Request/response multiplexing
  – Servlet Request as HTTP/2 message
• Stream prioritization
  – Add stream priority to HttpServletRequest
• Server push
• Binary framing
• Upgrade from HTTP 1.1

JSF 2.3
• CDI Alignment
  – @Inject FacesContext, ExternalContext, etc.
  – Rely on CDI for EL resolving
  – CDI managed versions of Validator and Converter
  – Invoking CDI managed bean methods directly from Ajax, etc.
• “Adjustments” for MVC
  – Facelets, JSF scopes, etc.
• Misc.
  – Multi-field validation, etc.

Java EE 8 Themes
• HTML5 / Web Tier Enhancements
• Ease of Development / CDI alignment
• Infrastructure for running in the Cloud

Ease of Development / CDI Alignment
• Simplified messaging through CDI-based “MDBs”
• JAX-RS injection alignment
• WebSocket scopes
• Pruning of EJB 2.x client view and IIOP interoperability
• Security interceptors
• …

Security Simplifications / CDI Alignment
Should we consider adding Security Interceptors in Java EE 8?
Should we simplify authorization by introducing an EL-enabled authorization annotation?

Java EE Security 1.0
Authorization via CDI Interceptors
    @IsAuthorized("hasRoles('Manager') && schedule.officeHrs")
    void transferFunds();

    @IsAuthorized("hasRoles('Manager') && hasAttribute('directReports', employee.id)")
    double getSalary(long employeeId);

    @IsAuthorized(ruleSourceName="java:app/payrollAuthRules", rule="report")
    void displayReport();

JMS 2.1
New API to receive messages asynchronously
• Alternative to EJB message-driven beans
• Simpler JMS-specific annotations
• Usable by any CDI bean
• No need for MessageListener implementation

JMS
JMS MDBs Today
    @MessageDriven(activationConfig = {
        @ActivationConfigProperty(propertyName="connectionFactoryLookup", propertyValue="jms/myCF"),
        @ActivationConfigProperty(propertyName="destinationLookup", propertyValue="jms/myQueue"),
        @ActivationConfigProperty(propertyName="destinationType", propertyValue="javax.jms.Queue")})
    public class MyMDB implements MessageListener {
        public void onMessage(Message message) {
            try {
                // extract message body
                String body = message.getBody(String.class);
                // process message body
            } catch (JMSException e) {
                // getBody declares JMSException, which onMessage cannot rethrow
            }
        }
    }

JMS 2.1
Allow any Java EE bean to be a listener
    @RequestScoped
    public class MyListenerBean {
        @JMSListener(destinationLookup="jms/myQueue")
        @Transactional
        public void myCallback(Message message) {
            ...
        }
    }

CDI 2.0
• Modularity
• Java SE support
• Enhanced Events
• Misc.
  – AOP
  – SPI
  – Interceptors and Decorators enhancements
  – Cleaning

CDI 2.0
Modularity
• Add new features to CDI without bloating the specification
• “Sub specification” (aka “parts”) that can be used independently
• Will help CDI adoption
• 3 parts
  – CDI Light, DI only & events
  – Full CDI
  – Full CDI, with Java EE integration

CDI 2.0
Java SE Support
• Boost CDI adoption
• Provide a means of building new stack out of Java EE
• Add SPI for integration with standard services
  – JPA
  – JAX-RS
  – etc.

CDI 2.0
Enhanced Events
• Asynchronous Events
• Event Ordering
• Event Range

CDI 2.0
Asynchronous Events
    public class ProducerClass {
        @Inject Event<SomeEvent> someEvent;
        public void someMethod(...) {
            ...
            someEvent.fire(myEvent);
        }
    }

    public class AnotherClass {
        public void someObserver(@Observes SomeEvent someEvent) {
            ...
        }
    }

    public class AsynchProducerClass {
        @Inject Event<Payload> someEvent;
        public void anotherMethod() {
            someEvent.fireAsync(new Payload(), callBack -> System.out.println("Done!"));
        }
    }

CDI 2.0
Events Ordering
    public void importantObserver(@Observes @Priority(1) Payload pld) { ... }
    public void anotherObserver(@Observes @Priority(2) Payload pld) { ... }

Pruning
Candidates for Proposed Optional status
Should we prune EJB 2.x remote and local client view (EJBObject, EJBLocalObject, EJBHome, and EJBLocalHome interfaces)?
Should we prune CORBA, including support for interoperability by means of IIOP?

Java EE 8 Themes
• HTML5 / Web Tier Enhancements
• Ease of Development / CDI alignment
• Infrastructure for running in the Cloud

Modernize the Infrastructure
For On-Premise and for in the Cloud
• Java EE Management 2.0
  – REST-based APIs for Management and Deployment
• Java EE Security 1.0
  – Authorization
  – Password Aliasing
  – User Management
  – Role Mapping
  – Authentication
  – REST Authentication

Management and Deployment APIs
Should we define new APIs to deploy and manage applications?
Should such new Deployment and Management APIs be REST APIs or JMX APIs?

Java EE Management 2.0
• Update to JSR 77 (“J2EE Management”)
• REST-based interfaces to augment (or replace) current Management EJB APIs
  – Currently used OBJECT_NAME to become URL
  – Define CRUD operations over individual managed objects
  – Server-sent events used for event support
• Simple deployment interfaces also to be considered as part of management API

Java EE Security 1.0
Candidate Areas to Enhance Portability, Flexibility, Ease-of-Use
• Password Aliasing
• User Management
• Role Mapping
• Authentication
• REST Authentication
• Authorization

Java EE Security 1.0
Enhance Portability, Flexibility, Ease-of-Use
Should we add support for password aliases (including the ability to provision credentials along with the application)?

Java EE Security 1.0
Password Aliasing
• Standardized syntax for password aliases
  – Avoids storing passwords in clear text in code, deployment descriptors, files

    @DataSourceDefinition(
        name="java:app/MyDataSource",
        className="com.example.MyDataSource",
        ...
        user="duke",
        password="${ALIAS=dukePassword}")

• Standardized secure credentials archive for bundling alias and password with App
  – Used by platform as credential store for resolving alias

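One way a platform could resolve the alias syntax shown above, as an added example that is not part of the original slides or of any Java EE API: a JCEKS java.security.KeyStore stands in for the credentials archive, which the slides do not specify. The class name, the accepted alias characters and the sample passwords are assumptions.

```java
import java.security.KeyStore;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical resolver for the ${ALIAS=name} syntax; not a Java EE API.
public class AliasResolverDemo {
    // Syntax as shown on the slide. The set of characters allowed in a name is an assumption.
    private static final Pattern ALIAS = Pattern.compile("^\\$\\{ALIAS=([A-Za-z0-9_.-]+)\\}$");

    private final KeyStore store;
    private final KeyStore.ProtectionParameter protection;

    AliasResolverDemo(KeyStore store, char[] storePassword) {
        this.store = store;
        this.protection = new KeyStore.PasswordProtection(storePassword);
    }

    // What a packaging tool would do: put the password into the archive under its alias.
    // The "PBE" factory only wraps the characters as a key object; the store encrypts the entry.
    void provision(String alias, char[] password) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBE");
        store.setEntry(alias, new KeyStore.SecretKeyEntry(f.generateSecret(new PBEKeySpec(password))), protection);
    }

    // Resolve a configured value. A well-formed alias must exist in the store; there is no
    // fallback to treating "${ALIAS=...}" as the literal password when the lookup fails.
    char[] resolve(String configured) throws Exception {
        Matcher m = ALIAS.matcher(configured);
        if (!m.matches()) return configured.toCharArray(); // clear-text value, passed through unchanged
        KeyStore.Entry e = store.getEntry(m.group(1), protection);
        if (!(e instanceof KeyStore.SecretKeyEntry))
            throw new IllegalStateException("unknown password alias: " + m.group(1));
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBE");
        PBEKeySpec spec = (PBEKeySpec) f.getKeySpec(((KeyStore.SecretKeyEntry) e).getSecretKey(), PBEKeySpec.class);
        return spec.getPassword();
    }

    public static void main(String[] args) throws Exception {
        char[] storePw = "constructed-store-password".toCharArray(); // constructed sample value
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePw); // empty in-memory store; a real archive would be loaded from a file
        AliasResolverDemo resolver = new AliasResolverDemo(ks, storePw);
        resolver.provision("dukePassword", "constructed-sample-pw".toCharArray()); // constructed sample value

        System.out.println(new String(resolver.resolve("${ALIAS=dukePassword}")));
        try { resolver.resolve("${ALIAS=missing}"); }
        catch (IllegalStateException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```
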
Java EE Security 1.0
Enhance Portability, Flexibility, Ease-of-Use
Should we standardize on requirements for simple security providers and their configuration?

Java EE Security 1.0
User Management
• Allow application to manage its own users and groups
  – Without need to access server configuration
• Users stored in application-specified repository (e.g. LDAP)
• User service manipulates users from user source
[Diagram: App, UserInfo, UserService, LDAP UserSource, LDAP]

Java EE Security 1.0
User Management
• UserSourceDefinition
• UserService
  – Create/delete users, create/delete groups, add user to group, load UserInfo by user name; etc…
• UserInfo
  – get user name, password, get user’s roles, get user’s attributes, …

Java EE Security 1.0
User Management
    @LdapUserSourceDefinition(
        name="java:app/ldapUserSource",
        ldapUrl="ldap://someURL",
        ldapUser="ElDap",
        ldapPassword="${ALIAS=LdapPW}",
        ...
    )
    public class MyAuthenticator {
        @Resource(lookup="java:app/ldapUserSource")
        private UserService userService;

        private boolean isAccountEnabled(String username) {
            return userService.loadUserByUsername(username).isEnabled();
        }
        ...
    }

Java EE Security 1.0
Enhance Portability, Flexibility, Ease-of-Use
Should we standardize group-to-role-mapping?

Java EE Security 1.0
Role Mapping
• Standardize role service
  – Role mappings can be stored in app-specified repository (e.g. LDAP)
  – Application can assign roles to users and groups, based on application-specific model
  – Without need to access server configuration
[Diagram: App, RoleService, LDAP RoleMapper, LDAP]

Java EE Security 1.0
Role Mapping
• RoleMapperDefinition
  – DataSource, Ldap, Memory/File, Custom, predefined
• RoleService
  – grant/revoke roles for user/group, get roles for user/group, ...

    @Resource(lookup="java:app/devRoleMapper")
    RoleService roleService;

    List<String> getRoles(String username) {
        return roleService.getRolesForUser(username);
    }
    ...

Java EE 8 Themes
• HTML5 / Web Tier Enhancements
• Ease of Development / CDI alignment
• Infrastructure for running in the Cloud
• Enterprise
• Java SE 8 alignment

Java EE 8 JSRs
So far…..
• Java EE 8 Platform (JSR 366)
• CDI 2.0 (JSR 365)
• JSON Binding 1.0 (JSR 367)
• JMS 2.1 (JSR 368)
• Java Servlet 4.0 (JSR 369)
• JAX-RS 2.1 (JSR 370)
• MVC 1.0 (JSR 371)
• JSF 2.3 (JSR 372)
• Java EE Management 2.0 (JSR 373)
• JSON-P 1.1 (JSR 374)
• Java EE Security 1.0 (JSR 375)

And More to Follow…
• Bean Validation
• EL
• Concurrency Utilities
• Connector Architecture
• WebSocket
• Interceptors
• JPA
• EJB
• JTA
• JCache
• Batch
• JavaMail
• …

Roadmap
• Tentative Delivery Schedule
  – Q3 2014: JSR 369 Expert Group formed
  – Q1 2015: early draft
  – Q3 2015: public review
  – Q4 2015: proposed final draft
  – Q3 2016: final release
• TBC!
• Contribute!

Transparency
Commitment to JCP transparent processes
• Our Java EE 8 JSRs run in the open on java.net
  – http://javaee-spec.java.net
  – One project per JSR
  – jax-rs-spec, mvc-spec, servlet-spec,…
• Publicly viewable Expert Group mail archive
  – Users observer lists get all copies
• Publicly accessible issue tracker / JIRA
• Publicly accessible download area
• …

Adopt A JSR for Java EE 8
• Make Java EE 8 the most community driven platform to date!
  – Share ideas and feedback (e.g. file issues)
  – Follow EG discussions, chime in
  – Read early versions of specifications, Javadocs
  – Write apps using early RI builds
  – Write, speak about the technology
  – Encourage others to participate, etc.
• http://glassfish.org/adoptajsr

GlassFish
Java EE Reference Implementation
http://glassfish.org

How to Get Involved
• Join an Expert Group
  – http://javaee-spec.java.net
• Adopt a JSR
  – http://glassfish.org/adoptajsr
• The Aquarium
  – http://blogs.oracle.com/theaquarium
• Java EE Reference Implementation
  – http://glassfish.org

Thanks!