JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015

Tel Aviv 16-17 December 2015

Have you seen Java EESecurity API lately?

[email protected]

Werner Keil

Twitter: @wernerkeil

Tel Aviv 16-17 December 2015 – Werner Keil

12/17/2015 2

Agenda

• Motivations• A New JSR• Ideas• Examples and Demos• Get Involved• Q & A


12/17/2015 3

Who am I?

• Consultant – Coach• Creative Cosmopolitan• Open Source Evangelist• Software Architect• Apache/Eclipse Committer• JCP EC Member• JSR 363 Co Spec LeadTwitter @wernerkeilEmail [email protected]


12/17/2015 4

Why a Java EE Security JSR?

• Java EE 8survey results

• 4500 total responses

• Priorities Pie Chart


12/17/2015 5

Survey Results


12/17/2015 6

Survey Results – Password Aliasing

• Deferred from Java EE 7


12/17/2015 7

What’s wrong with Java EE Security?

"The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever. ” – Arjan Tijms

“[The EE security] model is problematic in cloud/PaaS environments where developers do not necessarily have easy access to non-standard vendor runtime features and a self-contained application is much easierto manage.” – Reza Rahman

The community says…


12/17/2015 8

What’s wrong with Java EE Security?

• Java EE Security viewed as not portable, abstract/confusing, antiquated

• Doesn’t fit cloud app developer paradigm: requires app server configuration

• Losing value to non-standard 3rd Party Frameworks…less likely to move back to Java EE when requirements increase


12/17/2015 9

What to do?

• Plug the portability holes• Modernize

- Context Dependency Injection (CDI)• Intercept at Access Enforcement Points: POJO methods

- Expression Language (EL)• Enable Access Enforcement Points with complex rules

• App Developer Friendly- Common security configurations not requiring server

changes- Annotation defaults not requiring XML


12/17/2015 10

JSR 375 History

• August 2014: First proposed to Oracle Java EE Architects

• December 2014: Approved by JCP EC• Expert Group nominations:

- EE API veterans: many JSRs, many years struggling with Security API

- 3rd party security framework creators/developers- EE platform security implementers

• March 2015: Expert Group started discussions• November 2015: JSR 375 passed Renewal Ballot


12/17/2015 11

JSR 375 – Expert GroupName RepresentingAdam Bien Individual

David Blevins Tomitribe

Rudy De Busscher Individual

Ivar Grimstad Individual

Les Hazlewood Stormpath, Inc.

Will Hopkins Oracle

Werner Keil Individual

Matt Konda Jemurai


12/17/2015 12

JSR 375 – Expert GroupName RepresentingAlex Kosowski Oracle

Darren Lofthouse Red Hat

Jean-Louis Monteiro Tomitribe

Ajay Reddy IBM

Pedro Igor Silva Red Hat

Les Hazlewood Stormpath, Inc.

Arjan Tijms ZEEF


12/17/2015 13

JSR 375 History

• In first month, expert group had an EXPLOSION of activity- Lot of Brainstorming!- 237 messages on EG mailing list- 81 commits in GitHub playgrounds for examples and

proposals- 24 JIRA issues


12/17/2015 14

IdeasTo modernize, standardize, simplify

• Terminology• API for Authentication Mechanism• API for Identity Store• API for Password Aliasing• API for Role/Permission Assignment• API for Security Context• API for Authorization


12/17/2015 15

IdeasTo modernize, standardize, simplify


12/17/2015 16

Ideas – Terminology

• EG discussions revealed inconsistency in security API terms

• Different EE containers have different names for the same concepts

• When “something” gets authenticated, is that something

- A User? (e.g. HttpServletRequest.getUserPrincipal)

- A Caller? (e.g. EJBContext.getCallerPrincipal)• What is a group?

- A group of users?- A permission- Vs Role?


12/17/2015 17

Ideas – Terminology

• What is that “something” where identities are stored?- security provider (WebLogic)- realm (Tomcat, some hints in Servlet spec)- (auth) repository- (auth) store- login module (JAAS)- identity manager (Undertow)- authenticator (Resin, OmniSecurity, Seam Security)- authentication provider (Spring Security)- identity provider


12/17/2015 18

IdeasAPI for Authentication Mechanism

• Application manages its own users and groups• Application needs to authenticate users in order to

assign Roles• Application authenticates based on application-domain

models• Application needs to use an authentication method not

supported on the server, like OpenID Connect• Developers want to use portable EE Authentication

standard


12/17/2015 19

Current SolutionsAPI for Authentication Mechanism

• Proprietary server support

• 3rd Party security frameworks provide authentication

• JASPIC: Java Authentication Service Provider Interface

for Containers


12/17/2015 20

JASPIC

• Java Authentication Service Provider Interface for Containers

• JSR 196, Maintenance Release 1.1, in 2013• Standardized, portable, thin, low-level authentication

framework• Extensible from within an application• Integrates with the container to build an authenticated

Subject• Implement any authentication method


12/17/2015 21

JASPIC Server Auth Module

public interface ServerAuthModule {public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler

handler, Map options) throws AuthException;

public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject);

public Class<?>[] getSupportedMessageTypes();public AuthStatus secureResponse(MessageInfo

messageInfo,Subject serviceSubject);

public void cleanSubject(MessageInfo messageInfo, Subject subject);}


12/17/2015 22

JASPIC Per-Application Installation


12/17/2015 23

Ideas – Simple ServerAuthModule Installation


12/17/2015 24

Ideas – Simple ServerAuthModule Installation@WebListenerpublic class SamRegistrationListener implements ServletContextListener {

@Overridepublic void contextInitialized(ServletContextEvent

sce) {

Jaspic.registerServerAuthModule(new TokenAuthModule(),

sce.getServletContext());

}

@Overridepublic void contextDestroyed(ServletContextEvent sce)

{

}}


12/17/2015 25

Ideas – Simple ServerAuthModule Installation@Authenticator("org.acme.TokenAuthModule")@WebServlet("/SimpleServlet")@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"}))public class SimpleServlet extends HttpServlet {

@Overrideprotected void doGet(HttpServletRequest request,

HttpServletResponse response)throws ServletException, IOException {

response.getWriter().print("my GET");

}

}


12/17/2015 26

Ideas – Profile Specific Helper Classes

public class BasicServerAuthModule implements ServerAuthModule {

public void initialize(…) throws AuthException { … }

public Class<?>[] getSupportedMessageTypes() { … }public AuthStatus secureResponse(MessageInfo

messageInfo,Subject serviceSubject) throws AuthException

{ … }public void cleanSubject(MessageInfo messageInfo,

Subject subject)throws AuthException { … }

public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject

serviceSubject) throws AuthException {final HttpServletRequest request =

(HttpServletRequest) messageInfo.getRequestMessage();… }


12/17/2015 27

Ideas – Profile Specific Helper Classes

public class BasicServerAuthModule extends HttpServerAuthModule {

public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response,

HttpMessageContext httpMessageContext)throws AuthException {…

}}


12/17/2015 28

Ideas – Standardized AuthenticatorsOpenID Connect ServerAuthModule

@Authenticator("javax.security.authenticator.OpenIDConnect")@WebServlet("/SimpleServlet")@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"}))public class SimpleServlet extends HttpServlet { @Override

protected void doGet(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {response.getWriter().print("my GET");}}


12/17/2015 29

Ideas – Authentication Events

• Throw standardized CDI events at important moments

- PreAuthenticate Event

- PostAuthenticate Event

- PreLogout Event

- PostLogout Event


12/17/2015 30

Ideas – Authentication Events

• Possible use cases

- Tracking number of logged-in users

- Tracking failed login attempts per account

- Side effects, like creating a new local user after initial

successful authentication via a remote authentication

provider

- Loading application-specific user preferences


12/17/2015 31

Current SolutionsAPI for Identity Store

• No Java EE standard support

• Only proprietary server support

• 3rd Party security frameworks provide user/group APIs


12/17/2015 32

Ideas – Identity Store

/** * <code>Credential</code> represents the credential the caller will use to authenticate. */public interface Credential {

public boolean isCleared();public void clear();

public String getCaller();public boolean isValid();

}


12/17/2015 33


public interface IdentityStore {

/** * Validates the given credential. * * @param credential * The credential * @return The validation result, including associated

* caller roles and groups. */ public CredentialValidationResult validate(Credential credential);}


12/17/2015 34



12/17/2015 35

Use CasesAPI for Role/Permission Assignment

• Application manages its own users and groups

• Application needs to assign roles (i.e., authorities,

permissions) to users and groups, based on application-

specific model

• Users may be stored in app-specified repository (e.g.

LDAP)

• Users managed without access to server configuration


12/17/2015 36

Current SolutionsAPI for Role/Permission Assignment


• Only proprietary server support

• 3rd Party security frameworks provide

role/authority/permission APIs


12/17/2015 37

Use CasesAPI for Security Context

• Application needs to access the security API

- To get the authenticated user

- To check roles

- To invoke runAs

• Application needs the same API to access security

context, regardless of container


12/17/2015 38

Current SolutionsAPI for Security Context


• 3rd Party security frameworks provide a security context


12/17/2015 39

Demo


12/17/2015 40

Use CasesAPI for Authorization Interceptors

• Application needs to restrict specific methods to

authorized users

• Application-model rules are used to make access

decisions

• Role is insufficient


12/17/2015 41

Current SolutionsAPI for Authorization Interceptors

• EE authorization has no rule based authorization, only

role based

• 3rd Party security frameworks provide rule, role and

permission based APIs


12/17/2015 42

Use CasesAPI for Password Aliasing

• Application uses passwords to access resources like

LDAP and DB

• Passwords stored in annotations, deployment

descriptors

• Best practices dictate that passwords are never stored in

clear text

• Need a portable way to protect stored passwords


12/17/2015 43

Current SolutionsAPI for Password Aliasing

• No Java EE support

• Proprietary server support, e.g. GlassFish

• 3rd Party security framework support for embedded

password

• encryption, not aliasing


12/17/2015 44

Ideas – Password Aliasing

• For annotations @DataSourceDefinition(name="java:app/jdbc/test",user="root",password="${ALIAS=password}",…)

• For deployment descriptors<data-source><name>java:app/env/testDS</name><user>APP</user><password>${ALIAS=password}</password>…</data-source>


12/17/2015 45

Ideas – Password Aliasing


12/17/2015 46

Ideas – EL Authorization Rules

• Expression Language rule would have access to managed beans for SecurityContext and InvocationContext

@EvaluateSecured("security.hasRoles('MANAGER') &&schedule.nowIsOfficeHrs")void transferFunds() {..};


12/17/2015 47

Ideas – AccessDecisionVoter

• A user-defined class for making access decisions

@Secured(AccountAccessDecisionVoter.class)void transferFunds() {..};


12/17/2015 48

Get Involved

• JSR Page:https://jcp.org/en/jsr/detail?id=375

• Java.net Project Page:https://java.net/projects/javaee-security-spec

• Users Mailing List:[email protected]

• GitHub Organization:https://github.com/javaee-security-spec


12/17/2015 49

Q & A

JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015

Technology

Transcript of JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015