Bio: Rob Winch is currently a Senior Software Engineer at VMware and is the project lead of the Spring Security framework. In the past he worked as a Software Architect at Cerner, the largest provider of electronic medical systems in the US, securing health care applications. Throughout his career he has developed hands-on experience integrating Spring Security with an array of security standards.
As you mentioned, I am Rob Winch and I’m part of the Spring Security team; I’m the new Spring Security lead and I just accepted that position within the last couple of weeks.
Srini: Congratulations on the new position.
Sure; it started because I use Spring Security in my everyday life quite frequently, and one of the things that's really easy to get involved with is some of the lower ticket items; so you can start answering questions on the forums, and that's very helpful because it allows the developers to focus more on the code; and then as you grow, as you get more popularity, a better understanding of what's going on, you can start taking on small JIRAs, you know, fixing small bugs, documentation, and basically if you gradually grow, you'll become recognized and hopefully become part of the team if you're submitting good contributions; just make sure that you look over the code and review it very well before you submit it.
3. Yes, because of the peer review model, it can be challenging. You spoke about the multi-tenant cloud applications in your talk earlier today, so basically how are these multi-tenant applications different from traditional web applications in terms of functionality as well as application security?
Well in terms of functionality, one of the main goals of the multi-tenancy is to be able to deploy once and support multiple tenants so that will reduce your cost by quite a bit; however the complexity can be quite involved; we only talked about some of the aspects of security in terms of application; there’s a lot of other concerns that you need to address but in terms of application security, you want to make sure that your data store is separated similar to how we talked about so that you know where, which data belongs to which user and you also need to make sure that your application is aware of which data is being requested; and providing a way of mapping each of those in a clean abstraction is very important so that you can swap them out later if necessary.
In terms of security, by separating your data, that is a form of security because it's isolating the data; so if one tenant gets broken into, then another one is not broken into; but you also want to make sure that you scope all of your permissions and access control to your particular tenant and the user; so don't just pay attention to the user but make sure that you're paying attention to the tenants as well, and that is one of the other things that we focused on towards the end of the presentation.
Srini: So the difference between the user and the tenant, I guess?
As you mentioned, multi-tenancy is becoming quite popular nowadays and I'm probably only able to answer the question in terms of the application; like I said, there are a lot more aspects to it than just the application, though; but Hibernate and some of the other ORM tools are quite mature in this respect because they've had the support out there for quite some time; but in terms of some of the platform layer multi-tenancy, I'm probably not the best person to talk to on that.
6. As you mentioned, some of these products already have partitioning and other mechanisms to support multi-tenancy. From an architecture standpoint, what do you think are the design strategies or best practices developers should take into consideration when they're either updating an existing application to be a multi-tenant application or they're creating a new multi-tenant application?
Well, I think one of the main points of the presentation kind of emphasizes this, but we can kind of hit it hard here, and it really amounts to making sure that the rest of your application is coded in a way that is not aware of the multi-tenancy; because that complication, you don't want to spread it throughout the rest of your application; so you want to try to isolate and centralize that logic as much as possible; and we are able to utilize things like Aspect Oriented Programming in order to help control that, and dependency injection as well really helps.
Srini: Which are the core components of the Spring Framework?
7. So let's talk a little bit about the Spring Security framework. What are the new features in Spring Security? You mentioned the Spring Security Config feature. Can you talk about that as well as any other new features?
Sure; Spring Security 3.1 has been out for a little bit now, but some of the new features are multiple HTTP blocks, and what that allows the developer to do is isolate what is happening for a particular set of URLs; so for example you might have one type of authentication for a certain set of URLs and another for another; this comes in handy when you have an application that's supporting something like OAuth: you could basically use a Request Matcher, which is part of the APIs, to say that anything that matches a JSON request is going to use OAuth and anything else is going to use a form-based login, and this is nice because if the user is not authenticated, you're going to need to present them with some way of handling the fact that they're not authenticated; one way, with username and password, would be displaying a login form, but you handle it totally differently if you're using something like OAuth, where you would send that HTTP status code back to the client.
So right now OAuth and the Spring Security OAuth extension is fairly solidified; it's kind of waiting for the OAuth specification to be released, but the spec seems to be kind of just fine-tuning things at the moment. So it's fairly mature, but at the moment it's kind of holding off until things are solidified; but one thing I should emphasize is I'm not the lead of the OAuth extension, so probably not the overall authority on that response.
9. Switching gears a little bit, Java EE 7, when it's released, will support the Platform as a Service (PaaS) cloud computing model, providing an API for Java developers to develop and deploy multi-tenant Java applications on the cloud. How does this particular roadmap of Java EE 7 influence the Spring Security framework in supporting multi-tenant applications?
Well, to be honest, I'm not all that familiar with what support they're planning on adding, but one of the things that Spring kind of tends to do is it will integrate. As we showed in the presentation, we are able to support something that was not directly supported with Spring Security; we added these extensions ourselves, and so what that shows is that Spring Security is rather flexible and powerful, and even if there is a standard that is developed that kind of overlaps with some of that functionality, it will most likely play nicely with that new standard and complement it, because larger standards bodies tend to move a lot slower than something like the Spring Framework, and that's one of the things that's nice about it: it kind of stays ahead of the curve.
Well, in terms of multi-tenancy, I don't know that there are any trends going on in there; I think it's just going to continue to grow; one of the things that will probably be beneficial is supporting more types of ORMs (ORM tools) in terms of NoSQL, but I'm not really an expert in some of the NoSQL databases, so they may already have support for it.
Srini: And also there's a Spring Framework for that as well.
Yes, Spring Data.
11. It looks like NoSQL is definitely going to be part of the cloud computing space. What is the future roadmap of the Spring Security framework in terms of new features or enhancements to existing features? What's coming up in terms of, mainly, cloud, cloud single sign-on or enterprise security?
Well, some of the things that are planned for the near future are probably more bug enhancements, but after that we're going to look to try to – the current plan is to look to get more in line with some of the standard Spring stuff; so for example we hope to come up with a Java Config that complements the Java Config of standard Spring; that's one of our more requested features, and we struggle with that because the configuration of Spring Security is a lot more vast than some of the other configurations. There's been an approach using Scala beforehand by Luke, the former lead of Spring Security, but some people are not able to adopt Scala, so we hope to be able to add some support for Java Config there.
Another thing that would be nice to add is some support for multi-factor authentication and mutual authentication, so instead of just authenticating the user when the user types a username, they might enter one factor of authentication like a security question, and then after the security question is answered it presents an image and some phrase to the user so that they know that it's safe to enter their password itself; and then things like integrating with something like Google Authenticator would also be nice; so those are some of the things that we hope to support. Another thing, hopefully, is Servlet Async support, which was recently added to the Spring MVC project. So those are some of the things that I have planned for the future; how soon that is is yet to be determined.
Srini: Right. The asynchronous nature of the servlets will definitely bring a lot of new challenges in the security space.
12. Also, speaking of multi-factor authentication, that's going to be critical as well with the new mobile devices, folks logging in from their mobile devices, so definitely the extra security will help them authenticate securely. Thanks, Rob, for your time. One final question: what are your favorite IT and non-IT books?
Well, I read quite a lot of books, but the most recent one that I've been reading is kind of non-security related. I really like the Signature Series by Rod Johnson, and I'm reading the Continuous Delivery book, and it's really interesting in some of the insights that it provides; so I really like that aspect.
Srini: Yes, it's a good book. I read that too; Jez Humble is one of the authors. It's from John Wiley Publishers. Thanks for your time.