BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Dev Summit Boston

Discover transformative insights to level up your software development decisions. Register now with early bird tickets.
InfoQ Dev Summit Munich

Get practical advice from senior developers to navigate your current dev challenges. Register now with early bird tickets.
QCon San Francisco

Level up your software skills by uncovering the emerging trends you should focus on. Register now.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News Java EE 8 Security JSR will have Cloud Improvements

Java EE 8 Security JSR will have Cloud Improvements

This item in japanese

Bookmarks

Nov 30, 2014 1 min read

InfoQ Article Contest

Share your knowledge Win a ticket to a QCon event
or an InfoQ Dev SummitFind out more

The Java Community Process published details of JSR 375, a redesigned Java EE Security API that includes improvements for implementing security in a cloud environment.

The improvements specifically target the following areas:

  • User Management: A standardized user service, that allows an application to perform user management operations, such as creating, deleting, updating, and grouping users. The user service can manipulate users from a user source (e.g. LDAP, data source, files, embedded) that is changeable per deployment environment, enabling the utilization of different user sources for development, QA, and production.
  • Password Aliasing: Standardized support for secure password reference and storage. The password repository would be a secure credentials archive, to be self-contained and deployed with the application.
  • Role Mapping: A standardized role service, that allows an application to perform role mapping operations, such as granting, revoking, and querying user and group roles. The role service can manipulate mappings from a role mapper. Role mappers can have mappings originating from resources such as LDAP, data sources, and files. As with user management, the source can be varied per environment.
  • Authentication: There are three proposed improvements to authentication:
    1. Allowing an application to specify the user and role service.
    2. Allowing each servlet to be configured with different authentication methods within a single web application.
    3. Improving HttpServletRequest.authenticate() so it can be invoked asynchronously.
  • Authorization: A new standardized method interceptor annotation, capable of leveraging application-based rules into the method access decision.

The JSR notes that the Servlet 4.0 Specification (JSR 369) may need revisions to reflect per-servlet login configuration.

Alex Kosowski, Senior Member Technical Staff at Oracle, is currently listed as the lead and sole expert on the JSR, but expert nominations are open.

In Oracle's Aquarium blog, GlassFish and Java EE Product Manager David Delabasse, wrote that JSR 375 originated from feedback of the Java EE 8 Community Survey. Security simplification vote count was second only to JSR 367 JSONB - the Java API for JSON binding.

JSR 375 is currently in a review period during which feedback can be posted to the Java EE Security API mailing list. According to JCP procedures comments will be reviewed by the expert group before they vote on approving the JSR.

Rate this Article

Adoption
Style

This content is in the Java topic

Related Topics:
BT