AeroGear from JBoss, is a mobile development framework that provides open source libraries for mobile connectivity. It supports mobile web and hybrid, native apps on iOS & Android, and server side resources with extensions into existing projects like RESTEasy.
There are several sub-projects under AeroGear project umbrella which include Android Library, AeroGear Connectivity, AeroGear Controller, JavaScript Library, AeroGear Persistence, Security, AeroGear Server Integration, and the iOS Library.
AeroGear Security module provides time-based One-time Password (OTP) with support on the server and client side. Other security providers include PicketLink and PicketBox libraries.
Jay Balunas and Marius Bogoevici from JBoss team spoke at JavaOne 2012 Conference about using AeroGear and PicketLink frameworks to implement the security for Java EE mobile applications. InfoQ spoke with Jay, Marius and Anil Saldhana about mobile development using AeroGear framework and how to secure mobile applications.
InfoQ: How different is developing secure applications for mobile devices compared to the traditional client/server and web applications?
JBoss Team: Mobile devices introduce new usage models such as operating offline, as well as stricter requirements with regards to traffic - chatty applications drain the batteries faster, etc. Furthermore, the advent of HTML 5 has revitalized the concept of rich client applications, with the browser as the runtime platform. In terms of approaches to authentication, using social media sites as identity providers is a frequent requirement. And with the rise of mobile devices and employees wanting to bring their devices to use at work, organizations of all kinds are actively exploring ways to extend their server side applications out to the mobile devices.
Also mobile devices are more likely to get lost, so data needs to be protected on the device. Mobile devices can be operating in different Wi-Fi zones and cell provider zones, and data in transit needs to be secured from eavesdropping. Mobile devices can have multiple applications installed, and the private data of one app should not get leaked into another app. This is usually taken care of by the mobile operating system, but all necessary precautions must be taken.
Extending confidential or proprietary data and functionality to mobile devices necessitates that mobile web applications authenticate with existing enterprise credentials. AeroGear & PicketLink enable these enterprise mobile apps to use existing authentication standards in mobile apps. Thus, with significantly more data stored on the client, and with more the application logic running there, as well as all the other challenges that we already mentioned, the old model where the entire security solution for your application can reside on the server side is not applicable anymore. Sure, servers are still the gatekeepers, but a modern security solution for mobile applications requires a smarter cooperation model between clients and the server.
InfoQ: What is the main goal and philosophy behind AeroGear framework?
JB: AeroGear started as an open source project focused on making the development of mobile applications easier across the major mobile clients and to extend the power of a JavaEE server functionality for these new clients and developers.
Some of our specific philosophies are:
- Mobile web, Hybrid (focused on Apache Cordova), and Native (focused on iOS, and Android) are all valid client development platforms.
- Use a common set of verbs and concepts across the clients, but tailor the development experience for the given platform.
- Extend the best parts of JavaEE to the current generation clients and beyond.
- Focus on the enterprise, so security, server-based persistence, and programming efficiency are key.
InfoQ: At this year’s JavaOne Conference, you talked about using AeroGear and PicketLink frameworks for providing end to end security in Java based mobile applications. Can you discuss this more and how these two frameworks complement each other to provide secure mobile applications?
JB: PicketLink provides the solution for a general purpose server-side enterprise Java security framework. AeroGear builds on top of it, adding both server-side components that tailor the functionality of PicketLink to the needs of mobile applications, as well as client-side components for building rich web, hybrid, and native Android/iOS applications that interact with the server side.
Additionally, as mentioned above, security and identity management are keys to enterprise use of mobile in their day to day activities. AeroGear will work with PicketLink to provide authentication of various types for mobile apps, from traditional LDAP, to newer OAuth based security options.
InfoQ: What is the tool support of using AeroGear framework to develop mobile web and hybrid applications?
JB: AeroGear comes with the backing of a set of tools and frameworks that ease the task of mobile developers.
In terms of an IDE, the JBoss Developer Studio (JBDS) provides the support for developing mobile applications with Aerogear and we’re working towards integrating features for more advanced hybrid and JavaScript development within JBDS. At the same time the Arquillian project has been make progress on a variety of “in-container” and “on-device” testing approaches. Then on Forge we’re looking to get the HTML5 and REST plugins up to speed before possibly venturing into hybrid RAD.
When talking about 3rd party tools or frameworks AeroGear is focused on Apache Cordova for hybrid applications. For JavaScript we’re using jquery internally, but looking at integration options including Backbone.js, Angular.js, and others.
InfoQ: What is the testing support for the mobile applications to test them using unit testing and testing on emulators?
JB: Arquillian and its extensions Drone and Warp provide a sophisticated ecosystem for running both server-side as well as client-side tests. This includes not only web-based applications (including HTML5 applications), but also native mobile applications through Arquillian Android.
InfoQ: What security frameworks/libraries are supported by PicketLink?
JB: PicketLink is a security framework of its own, so it provides its own solutions for implementing various security standards. It has support for authentication mechanisms that include the traditional user/credential model as well as advanced mechanisms that include Kerberos, SAML, OTP, DIGEST and access control mechanisms including fine grained permission model, XACML, Drools rules based authorization. PicketLink supports identity stores that can be LDAP compliant directory servers and databases. OAuth2 authorization of resources is also supported. Integration with Apache DeltaSpike allows it to potentially interoperate with other security libraries (such as Apache Shiro).
InfoQ: How does security especially authentication and authorization work in mobile devices when using PicketLink?
JB: We wouldn’t limit the conversation to just PicketLink, but should also include Aerogear in the discussion. Here’s why. PicketLink, by design, operates on the server side. There, using a decoupled authentication/authorization model, it can combine various identity management sources and authentication processes, with different authorization strategies, which allow developers to secure various access points of the application logic - RESTful endpoints, or business methods for example. Beyond that, on the server side Aerogear provides mechanisms for securing URLs through its controller. But mobile applications can make good use of client-side security as well (even if the ultimate security arbiter is the server) as PicketLink provides facilities for writing authentication and complex authorization/permission models which can be used on mobile devices to minimize server chatter, by caching permissions on the client-side and performing certain authorizations there, which has tangible benefits for mobile applications. This is where Aerogear adds value through its client-side libraries.
On the other hand, the security checks can also be performed server side to keep mobile applications lightweight. PicketLink provides OAuth2 support for complex authorization workflows.
InfoQ: What is the future roadmap of these two projects?
JB: For AeroGear, our initial release is focused on the foundation around secure persistence with queries and paging. Integrating PicketLink Identity management and controls into our client side access APIs makes it easy to develop traditional enterprise applications securely, but in a mobile client of your choosing (web, hybrid, or native). We are planning on releasing our 1.0.0.Final version in early 2013.
The really exciting part is what we can build on from this base. We’re currently discussing functionality like cross client data synchronization, unified native push (with non-native fallbacks, and IDM integration), messaging (CDI, JMS, etc.), offline secure persistence, client side bean validation, and more.
For the PicketLink project, the roadmap is posted at this link.
They are targeting the final release of PicketLink v3 in early 2013 as well.
About the Interviewees
Marius Bogoevici is a Senior Software Engineer with Red Hat, and architect for the JBoss Developer Framework reference application, TicketMonster. | |
Anil Saldhana is the lead security architect at JBoss. He is the founder of project PicketLink at JBoss Community. | |
Jay Balunas is a Mobile Platform Architect for Red Hat, and founder of the AeroGear project. |