JSR 375: Java™ EE Security API
JCP version in use: 2.10
Java Specification Participation Agreement version in use: 2.0
The goal of this JSR is to improve the Java EE platform by ensuring the Security API aspect is useful in the modern cloud/PaaS application paradigm.
Expert Group Transparency:
Public Project Page
Specification Lead: Will Hopkins
E-Mail Address: will.hopkins
Telephone Number: +1 781 442 0310
Fax Number: -
2015.07.14:
The schedule has been updated:
Q4 2015 Early Draft
Q1 2016 Public Review
Q3 2016 Proposed Final Draft
H1 2017 Final Release
Section 1. Identification
Submitting Member: Oracle
Name of Contact Person: Alex Kosowski
E-Mail Address: alex.kosowski
Telephone Number: +1 856 359 2921
Fax Number: +1 856 359 2921
NOTE that this information has been updated from this original proposal.
Specification Lead Member: Oracle Corporation
Specification Lead: Alex Kosowski
E-Mail Address: alex.kosowski
Telephone Number: +1 856 359 2921
Fax Number: +1 856 359 2921
Initial Expert Group Membership:
Supporting this JSR:
Section 2: Request
2.1 Please describe the proposed Specification:
The goal of this JSR is to improve the Java EE platform by ensuring the Security API aspect is useful in the modern cloud/PaaS application paradigm. This promotes self-contained application portability across all Java EE servers, and promotes use of modern programming concepts such as expression language, and contexts and dependency injection. This JSR will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community via survey results and submitted JIRA issues.
The Security API JSR will enhance the following areas:
- User Management -
Currently, there is no standardized support for user management in Java EE. Applications have no portable way of creating, deleting, updating, and grouping users within the Java EE platform. Typical workarounds include using third-party libraries or developing in-house solutions, the results of which may be vulnerable and insecure.
We are proposing a standardized user service, which would enable an application to perform user management operations, such as creating, deleting, updating, and grouping users. The user service would manipulate users from a user source. We are considering user sources originating from resources such as LDAP, data sources, files, embedded stores, and the server platform. The user source would be changeable per deployment environment, enabling a different user source for development, test, and production. The user source would typically be scoped to the application, but may be shared across applications by means currently used to share resources (e.g., JNDI lookup). We expect that some user sources would not support all user service operations, so the user service API would support a means to determine the capabilities of the configured user source.
- Password Aliasing -
Currently, there is no standardized support for secure password reference and storage in Java EE. Applications may be required to supply passwords in various locations, such as annotations, deployment descriptors, URLs, and files. Typical workarounds include password encryption by third-party libraries or plain-text password storage, which may result in vulnerable, insecure solutions.
We are proposing a standardized syntax for indicating password alias, and a means for resolving the alias to a password value. The password repository would be a secure credentials archive, to be self-contained and deployed with the application. We are considering having the secure credentials archive include other credentials, such as key stores and trust stores.
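The alias-and-archive idea above, as an added example (not the JSR's API and not Oracle's code): a resolver that accepts a placeholder in a configuration value and looks the secret up in a password-protected JCEKS keystore used as the self-contained credentials archive. The `${ALIAS=name}` placeholder grammar, the `PasswordAliasResolver` class and the `db.password` alias are assumptions made for the example; the keystore calls are standard Java SE.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Resolves "${ALIAS=name}" placeholders (an assumed syntax, not the JSR's) to
 * secrets held in a password-protected JCEKS archive, so that deployment
 * descriptors and annotations never carry the password itself.
 */
public class PasswordAliasResolver {

    // Assumed placeholder grammar; a value that does not match is used verbatim.
    private static final Pattern ALIAS =
            Pattern.compile("^\\$\\{ALIAS=([A-Za-z0-9_.\\-]+)\\}$");

    private final KeyStore archive;
    private final KeyStore.ProtectionParameter protection;

    public PasswordAliasResolver(KeyStore archive, char[] archivePassword) {
        this.archive = archive;
        this.protection = new KeyStore.PasswordProtection(archivePassword);
    }

    /** Returns the secret behind an alias, or the value itself when it is not an alias. */
    public char[] resolve(String configValue) throws Exception {
        Matcher m = ALIAS.matcher(configValue);
        if (!m.matches()) {
            return configValue.toCharArray();
        }
        KeyStore.Entry entry = archive.getEntry(m.group(1), protection);
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            // Fail closed: never fall back to using the literal placeholder as the password.
            throw new IllegalStateException("no secret stored under alias " + m.group(1));
        }
        byte[] raw = ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
        return new String(raw, StandardCharsets.UTF_8).toCharArray();
    }

    /** Stores a secret under an alias; in practice done by a build/ops tool, not by the app. */
    public static void put(KeyStore archive, char[] archivePassword,
                           String alias, char[] secret) throws Exception {
        byte[] raw = new String(secret).getBytes(StandardCharsets.UTF_8);
        // JCEKS seals the serialized key object; the algorithm name is only a label here.
        SecretKey key = new SecretKeySpec(raw, "AES");
        archive.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(archivePassword));
    }

    public static void main(String[] args) throws Exception {
        char[] archivePassword = "archive-pw".toCharArray();    // constructed sample
        KeyStore archive = KeyStore.getInstance("JCEKS");
        archive.load(null, archivePassword);                      // empty in-memory archive
        put(archive, archivePassword, "db.password", "s3cr3t-from-ops".toCharArray());

        PasswordAliasResolver resolver = new PasswordAliasResolver(archive, archivePassword);
        // What a deployment descriptor would contain instead of the password itself...
        String descriptorValue = "${ALIAS=db.password}";
        // ...and what the data source actually receives at resolution time.
        System.out.println(new String(resolver.resolve(descriptorValue)));
        System.out.println(new String(resolver.resolve("not-an-alias")));
    }
}
```

The archive password still has to come from somewhere outside the deployment artifact (the server's own credential store or the deployment environment), which is exactly the per-environment split the proposal describes: the application ships the aliases, the environment supplies the means to open the archive.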
- Role Mapping -
Currently, there is no standardized support for role mapping in Java EE. Applications have no portable way of mapping authority roles to users and user groups within the Java EE platform. Typical workarounds include using third-party libraries or developing in-house solutions, the results of which may be vulnerable and insecure.
We are proposing a standardized role service, which would enable an application to perform role mapping operations, such as granting, revoking, and querying user and group roles. The role service would manipulate mappings from a role mapper. We are considering role mappers whose mappings originate from resources such as LDAP, data sources, files, embedded stores, and the server platform. Also, we are considering a one-to-one group-to-role mapper, which maps groups directly to roles. The role mapper would be changeable per deployment environment, enabling different mappings for development, test, and production. The role mapper would typically be scoped to the application, but may be shared across applications by means currently used to share resources (e.g., JNDI lookup). We expect some role mappers would not support all role service operations, so the role service API would support a means to determine the capabilities of the configured role mapper.
- Authentication -
We propose the following three enhancements regarding authentication.
We propose a means to enable an application to inform the platform runtime which user service and role service to use, if any. This would be an application-scoped configuration that would bind an application-defined user service reference and an application-defined role service reference, for use by the platform runtime whenever authentication is performed within the application. The configuration would be changeable per deployment environment, enabling different bindings for development, test, and production.
We propose a means to enable each servlet to be configured with different authentication methods within a single web application. Currently, Java EE web applications only support one selected authentication method per application. This proposal would enable different servlet-based modules (e.g. JSF and REST) to be configured with different authentication methods within the same application deployment.
We are considering adding an API to enable HttpServletRequest.authenticate to operate asynchronously, providing a non-blocking overloaded version with a callback.
- Authorization -
Currently, Java EE only supports method access decisions by checking the assigned role of the authenticated user. There is no standardized support for incorporating application-domain rules into the authorization decision. Typical workarounds include using third-party libraries or developing in-house solutions, the results of which may be vulnerable and insecure.
We are proposing a new standardized method interceptor annotation, capable of incorporating application-based rules into the method access decision. This interceptor annotation would be invoked like a CDI Interceptor using @AroundInvoke. The rules would have access to the current invocation context, including attributes of the authenticated user. We are considering the rules to be text-based as Java Expression Language (EL), which would include access to managed beans. These EL rules could be embedded as inline text, or referenced from an external resource. We are considering supporting external rule sources, such as LDAP, data source, and file.
Additionally, we are considering supporting standardized CDI Events as part of the access decision. This would enable selected classes declared as invocation observers to make access decisions based on the invocation context.
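The rule-based method interceptor described above, as an added example of the mechanism it proposes (this is not the JSR's annotation and not Oracle's code): a CDI interceptor binding that carries an inline Java EL rule, evaluated in an `@AroundInvoke` method with the authenticated `Principal` and the invocation's parameters in scope. The `RuleSecured` annotation, the `caller`/`args` names exposed to the rule, and the `Account`/`TransferService` sample types are assumptions for the example; the code assumes the Java EE 7 API (CDI 1.1, Interceptors 1.2, EL 3.0) on the classpath and a CDI container with an EL implementation at runtime.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import javax.annotation.Priority;
import javax.el.ELProcessor;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;

/** Interceptor binding carrying an inline EL rule (hypothetical; not the JSR's annotation). */
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface RuleSecured {
    /** EL expression that must evaluate to true; "caller" and "args" are predefined. */
    @Nonbinding String value();
}

/** Evaluates the rule before each intercepted call; denies unless the result is exactly true. */
@RuleSecured("")
@Interceptor
@Priority(Interceptor.Priority.APPLICATION)
public class RuleSecuredInterceptor {

    @Inject
    Principal caller;   // the authenticated user, supplied by the Java EE container

    @AroundInvoke
    public Object authorize(InvocationContext ctx) throws Exception {
        // Method-level rule wins; otherwise fall back to the rule declared on the class.
        RuleSecured rule = ctx.getMethod().getAnnotation(RuleSecured.class);
        if (rule == null) {
            rule = ctx.getMethod().getDeclaringClass().getAnnotation(RuleSecured.class);
        }
        if (rule == null || caller == null || caller.getName() == null) {
            throw new SecurityException("access denied");   // fail closed, no rule or no user
        }
        ELProcessor el = new ELProcessor();
        el.defineBean("caller", caller);             // caller.name inside the rule
        el.defineBean("args", ctx.getParameters());  // args[0], args[1], ... inside the rule
        Object decision = el.eval(rule.value());
        if (!Boolean.TRUE.equals(decision)) {
            throw new SecurityException("access denied");   // anything but true denies
        }
        return ctx.proceed();
    }
}

/** Sample domain object (constructed for the example). */
class Account {
    private final String owner;
    Account(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }
}

/** Sample bean: the domain rule says only the account's owner may withdraw from it. */
class TransferService {
    @RuleSecured("caller.name == args[0].owner")
    public void withdraw(Account from, long amount) {
        // business logic runs only after the interceptor has let the call proceed
    }
}
```

Two design points carry over to any implementation of this idea: the decision is deny-by-default (a rule that is missing, throws, or returns anything other than `true` blocks the call), and the rule text is part of the deployed code or a trusted rule source, never taken from request data, since EL can reach into managed beans.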
2.2 What is the target Java platform? (i.e., desktop, server, personal, embedded, card, etc.)
This specification is targeted for Java EE 8 or higher platforms.
2.3 The Executive Committees would like to ensure JSR submitters think about how their proposed technology relates to all of the Java platform editions. Please provide details here for which platform editions are being targeted by this JSR, and how this JSR has considered the relationship with the other platform editions.
This specification targets the Java EE 8 Platform. It will be based on the corresponding release of the Java SE 8 platform.
2.4 What need of the Java community will be addressed by the proposed specification?
See 2.1 above.
2.5 Why isn't this need met by existing specifications?
See 2.1 above.
2.6 Please give a short description of the underlying technology or technologies:
Java EE Security is cross-cutting across all of the Java EE stack. A detailed description of Java EE functionality can be found in the Java EE Specification, see http://jcp.org/en/jsr/detail?id=342.
2.7 Is there a proposed package name for the API Specification? (i.e., javapi.something, org.something, etc.)
2.8 Does the proposed specification have any dependencies on specific operating systems, CPUs, or I/O devices that you know of?
2.9 Are there any security issues that cannot be addressed by the current security model?
See 2.1 above.
2.10 Are there any internationalization or localization issues?
This JSR will use the I18N support in Java SE.
2.11 Are there any existing specifications that might be rendered obsolete, deprecated, or in need of revision as a result of this work?
Java Servlet 4.0 Specification may need revision to reflect per-servlet login configuration proposed in this JSR.
2.12 Please describe the anticipated schedule for the development of this specification.
Q3 2014 Expert Group formed
2.13 Please describe the anticipated working model for the Expert Group working on developing this specification.
The primary means of communication will be email, with conference calls and face-to-face meetings scheduled as needed. We will solicit feedback from the community and leverage the open source development model.
2.14 Provide detailed answers to the transparency checklist, making sure to include URLs as appropriate:
The http://java.net/projects/javaee-security-spec project site will be used to track all issues and disseminate information on the progress of the JSR.
2.15 Please describe how the RI and TCK will be delivered, i.e. as part of a profile or platform edition, or stand-alone, or both. Include version information for the profile or platform in your answer.
The RI and TCK for Security API JSR will be delivered in the same way as Java EE 8 platform.
2.16 Please state the rationale if previous versions are available stand-alone and you are now proposing in 2.13 to only deliver RI and TCK as part of a profile or platform edition (See sections 1.1.5 and 1.1.6 of the JCP 2 document).
2.17 Please provide a description of the business terms for the Specification, RI and TCK that will apply when this JSR is final.
This specification is planned to be licensed similarly to existing Java EE JSRs, such as JAX-RS 2.0 (JSR-339).
2.18 Please describe the communications channel you have established for the public to observe Expert Group deliberations, provide feedback, and view archives of all Expert Group communications.
The Expert Group will conduct business on a publicly readable alias. The public will have an alias on which to provide feedback and discuss issues related to the JSR. There will also be a publicly accessible JIRA and document archive. (See also 2.19 and 2.20 below.)
2.19 What is the URL of the Issue Tracker that the public can read, and how does the public log issues in the Issue Tracker?
2.20 Please provide the location of the publicly accessible document archive you have created for the Expert Group.
Section 3: Contributions
3.1 Please list any existing documents, specifications, or implementations that describe the technology. Please include links to the documents if they are publicly available.
Existing documents that describe the technology are Java Platform, Enterprise Edition Specification Version 7 and Java Platform, Enterprise Edition Web Profile Specification, Version 7: http://jcp.org/en/jsr/detail?id=342.
3.2 Explanation of how these items might be used as a starting point for the work.
The existing Java EE 7 specification will be the starting point for this work.