As you mentioned, I am Rob Winch and I’m part of the Spring Security team; I’m the new Spring Security lead and I just accepted that position within the last couple of weeks.
Srini : Congratulations on the new position.
Thank you.
Sure; it started because I use Spring Security in my everyday life quite frequently, and one of the things that's really easy to get involved with is some of the lower-ticket items; so you can start answering questions on the forums, and that's very helpful because it allows the developers to focus more on the code; and then as you grow, as you get more popularity, a better understanding of what's going on, you can start taking on small JIRAs, you know, fixing small bugs, documentation, and basically if you gradually grow, you'll become recognized and hopefully become part of the team if you're submitting good contributions; just make sure that you look over the code and review it very well before you submit it.
Well, in terms of functionality, one of the main goals of multi-tenancy is to be able to deploy once and support multiple tenants, so that will reduce your cost by quite a bit; however, the complexity can be quite involved; we only talked about some of the aspects of security in terms of the application; there are a lot of other concerns that you need to address, but in terms of application security, you want to make sure that your data store is separated similar to how we talked about, so that you know which data belongs to which user, and you also need to make sure that your application is aware of which data is being requested; and providing a way of mapping each of those in a clean abstraction is very important so that you can swap them out later if necessary.
Srini : That's from the availability standpoint. How about security?
In terms of security, by separating your data, that is a form of security because it's isolating the data; so if one tenant gets broken into, then another one is not broken into; but you also want to make sure that you scope all of your permissions and access control to your particular tenant and the user; so don't just pay attention to the user but make sure that you're paying attention to the tenants as well, and that is one of the other things that we focused on towards the end of the presentation.
Srini : So the difference between user and the tenant I guess?
Yes.
As you mentioned, multi-tenancy is becoming quite popular nowadays and I'm probably only able to answer the question in terms of the application; like I said, there are a lot more aspects to it than just the application though; but Hibernate and some of the other ORM tools are quite mature in this respect because they've had the support out there for quite some time; but in terms of some of the platform-layer multi-tenancy, I'm probably not the best person to talk to on that.
Well, I think one of the main points of the presentation kind of emphasizes this, but we can kind of hit it hard here, and it really amounts to making sure that the rest of your application is coded in a way that is not aware of the multi-tenancy; because that complication, you don't want to spread it throughout the rest of your application; so you want to try to isolate and centralize that logic as much as possible; and we are able to utilize things like Aspect Oriented Programming in order to help control that, and dependency injection as well really helps.
Srini : Which are the core components of the Spring Framework?
Exactly.
Sure; Spring Security 3.1 has been out for a little bit now, but some of the new features are multiple HTTP blocks, and what that allows the developer to do is isolate what is happening for a particular set of URLs; so for example you might have one type of authentication for a certain set of URLs and another for another; this comes in handy when you have an application that's supporting something like OAuth: you could basically use a Request Matcher, which is part of the APIs, to say that anything that matches a JSON request is going to use OAuth and anything else is going to use a form-based login, and this is nice because if the user is not authenticated, you're going to need to present them with some way of handling the fact that they're not authenticated; one way, for username and password, would be displaying a login form, but you handle it totally differently if you're using something like OAuth: you would send that HTTP status code back to the client.
So right now OAuth and the Spring Security OAuth extension is fairly solidified; it’s kind of waiting for the OAuth specification to be released but the spec seems to be kind of just fine tuning things at the moment. So it’s fairly mature but at the moment it’s kind of holding off until things are solidified; but one thing I should emphasize is I’m not the lead of the OAuth extension so probably not the overall authority on that response.
Well, to be honest, I'm not all that familiar with what support they're planning on adding, but one of the things that Spring kind of tends to do is it will integrate. As we show in the presentation, we are able to support something that was not directly supported with Spring Security; we added these extensions ourselves, and so what that shows is that Spring Security is rather flexible and powerful, and even if there is a standard that is developed that kind of overlaps with some of that functionality, it will most likely play nicely with that new standard and complement it, because larger standards bodies tend to move a lot slower than something like the Spring Framework, and that's one of the things that's nice about it: it kind of stays ahead of the curve.
Well in terms of multi-tenancy, I don’t know that there’s any trends going on in there; I think it’s just going to continue to grow; one of the things that will probably be beneficial is supporting more types of ORMs (ORM tools) in terms of the NoSQL but I’m not really an expert in some of the NoSQL databases so they may already have support for it.
Srini : And also there’s a Spring Framework for that as well.
Yes, Spring Data.
Well, some of the things that are planned for the near future are probably more bug enhancements, but after that the current plan is to look to get more in line with some of the standard Spring stuff; so for example we hope to come up with a Java Config that complements the Java Config of standard Spring; that's one of our more requested features, and we struggle with that because the configuration of Spring Security is a lot more vast than some of the other configurations. There's been an approach using Scala beforehand by Luke, the former lead of Spring Security, but some people are not able to adopt Scala, so we hope to be able to add some support for Java Config there.
Another thing that would be nice to add is some support for multi-factor authentication and mutual authentication; so instead of just authenticating the user when the user types a username and password, they might enter one factor of authentication like a security question, and then after the security question is answered it presents an image and some phrase to the users so that they know that it's safe to enter their password itself; and then things like integrating with something like Google Authenticator would also be nice; so those are some of the things that we hope to support. Another thing, hopefully, is Servlet Async support, which was recently added to the Spring MVC project. So those are some of the things that I have planned for the future; how soon that is, is yet to be determined.
Srini : Right. The asynchronous nature for the servlets will definitely bring a lot of new challenges in the security space.
Exactly.
Well, I read quite a few books, but the most recent one that I've been reading is kind of non-security related. I really like the Signature Series by Rod Johnson, and I'm reading the Continuous Delivery book, and it's really interesting in some of the insights that it provides; so I really like that aspect.
Srini : Yes, it’s a good book. I read that too; Jez Humble is one of the authors. It’s from John Wiley Publishers. Thanks for your time.
Thank you.