Locking it down

A much needed new JSR to improve security in the Java EE platform (JSR 375), with a particular focus on cloudy and PaaS environments, has now been pushed for review.

As David Delabassee writes in the GlassFish blog, due to the inherent need to interact with different components (for example, when a Java EE Application Server needs to communicate with an LDAP server), maintaining and evolving security features for the platform is no small feat. The JSR stipulates that the intention is to promote the use of modern programming language features (e.g. Expression Language and Contexts and Dependency Injection), and to support self-contained application portability across all Java EE servers.

Earlier this year, Oracle carried out extensive surveying to gauge developers’ top must-haves for Java EE 8. In the final poll, security simplification came second only to the Java API for JSON binding in terms of what the community would most like to see included in the next big EE outing (11.05% and 13.69% respectively). As a result, JSR 375 will also strive to “simplify, standardize, and modernize the Security API across the platform” in line with community demand and submitted JIRA issues.

Additionally, JSR 375 proposes enhancements in the following areas: adaptations to standardize user management, syntax for indicating passwords stored in secure repositories with updated password aliasing, and definition and standardization of a ‘role service’ API with the role mapping feature. Finally, a spanking new CDI interceptor annotation that would allow devs to perform application-domain rules at the method level and enhancements to authentication processes are also in the blueprints.

Delabassee comments that for now, this JSR can be considered an overview of the initial scope. The Expert Group will also have to ponder how to leverage Java EE orthogonal technologies like CDI events and Expression Language to simplify the use of the new security APIs.

The full Java EE 8 specification (JSR 366), which went live this September, aims to build on the (slightly muted) release of Java EE 7 with the inclusion of certain key features that didn’t make it into the current version of the platform, in addition to some brand new additions. This includes support for the latest web standards, a focus on infrastructure for cloud support (which includes JSR 375), and of course making sure it all aligns with Java SE 8.

Image by Andrew Lee

A Look at the Proposed Java EE 8 Security API

About The Author
- Editor of Voxxed.com, focusing on all things Java, JVM, cloud-y, methodical, future-fantastic, and everything in between. Got a piece of news, article or tutorial you'd like to share with your fellow Voxxians? Drop us a line at info@voxxed.com
