Java EE 8 Security JSR will have Cloud Improvements
The Java Community Process published details of JSR 375, a redesigned Java EE Security API that includes improvements for implementing security in a cloud environment.
The improvements specifically target the following areas:
- User Management: A standardized user service that allows an application to perform user management operations, such as creating, deleting, updating, and grouping users. The user service can manipulate users from a user source (e.g. LDAP, data source, files, embedded) that is changeable per deployment environment, so that different user sources can be used for development, QA, and production.
- Password Aliasing: Standardized support for secure password reference and storage. The password repository would be a secure credentials archive that is self-contained and deployed with the application.
- Role Mapping: A standardized role service that allows an application to perform role mapping operations, such as granting, revoking, and querying user and group roles. The role service can manipulate mappings from a role mapper. Role mappers can have mappings originating from resources such as LDAP, data sources, and files. As with user management, the source can be varied per environment.
- Authentication: There are three proposed improvements to authentication:
  - Allowing an application to specify the user and role service.
  - Allowing each servlet to be configured with different authentication methods within a single web application.
  - HttpServletRequest.authenticate() so it can be invoked asynchronously.
- Authorization: A new standardized method interceptor annotation, capable of incorporating application-based rules into the method access decision.
The JSR notes that the Servlet 4.0 Specification (JSR 369) may need revisions to reflect per-servlet login configuration.
Alex Kosowski, Senior Member Technical Staff at Oracle, is currently listed as the lead and sole expert on the JSR, but expert nominations are open.
In Oracle's Aquarium blog, GlassFish and Java EE Product Manager David Delabassee wrote that JSR 375 originated from feedback to the Java EE 8 Community Survey. The vote count for security simplification was second only to that for JSR 367 JSONB, the Java API for JSON binding.
JSR 375 is currently in a review period during which feedback can be posted to the Java EE Security API mailing list. According to JCP procedures, comments will be reviewed by the expert group before they vote on approving the JSR.