Re: [es-dev] EE Security.Next

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [es-dev] EE Security.Next

From: arjan tijms <arjan.tijms@xxxxxxxxx>
Date: Sun, 8 Jul 2018 19:16:36 +0200
Delivered-to: es-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/es-dev>
List-help: <mailto:es-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/es-dev>, <mailto:es-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/es-dev>, <mailto:es-dev-request@eclipse.org?subject=unsubscribe>

I agree. Too much handholding doesn't quite help the target audience. Whether it was a technical limitation or enforcing "best practices", but forcing an interface for EJB beans and forcing EJB beans to be in a separate "business layer" wasn't much received either.

I'd say if it's good enough for Spring than within limits it should be good enough for us as well. Java EE and Spring have historically appealed to approximately the same audience.

Also, don't forget that not too long ago the obscure vendor specific configuration that everyone hated was actually seen as a "best practice" and "more secure". The argument I often heard was that developers are like cowboys and can't be trusted with security, so this task should be left too the responsible sysops. Obviously I don't agree with that.

On Sun, Jul 8, 2018 at 6:25 PM reza_rahman <reza_rahman@xxxxxxxxx> wrote:

Personally, I think a developer friendly technology should try to fully support testing and prototyping. Java EE developers aren't children. They can be trusted to differentiate what should not go into production.

FYI things like Spring Security have these kinds of features baked in.

Sent via the Samsung Galaxy S7, an AT&T 4G LTE smartphone

-------- Original message --------
From: arjan tijms <arjan.tijms@xxxxxxxxx>
Date: 7/8/18 3:09 AM (GMT-05:00)
To: Reza Rahman <reza_rahman@xxxxxxxxx>
Cc: es developer discussions <es-dev@xxxxxxxxxxx>
Subject: Re: EE Security.Next

Hi,

On Saturday, July 7, 2018, Reza Rahman <reza_rahman@xxxxxxxxx> wrote

* CDI replacement for existing authorization annotations (your examples look good, I would leave the old annotations alone)
* Password aliasing
* OAuth/OpenID Connect/JWT (I think we need to roll in the MicroProfile work sooner rather than later)
* Embedded identity provider (for testing, prototyping, etc)

We actually had this one (implemented almost directly from the example in your ticket), but Will wanted it removed since having test / prototyping support in the code was a bad practice according to him (he was afraid such embedded identity stores would remain in the code when going into production)

* EL enabled authorization annotations. Here is a couple of examples:
@IsAuthorized("hasRoles('Manager') && schedule.officeHours")
public void transferFunds();

@IsAuthorized(
"hasRoles('Manager') && hasAttribute('directReports', employeeId)")
public double getSalary(long employeeId);

On 7/7/2018 10:08 AM, arjan tijms wrote:
Hi,

Although there's still *a lot* that needs to be taken care of over at Eclipse regarding the transfer, we are able to start the work for the next version of the API project and the implementation in Soteria.

We already started with some small things such as fixing a few warnings in Soteria, squashing a couple of bugs, and re-installing the tests for Liberty. For the API a few non-controversial things were added such as two extra wrappers and annotation literals for the interceptor binding annotations.

It probably would be good to think a little about what we'd like to do with the API going forward.

Listening to some of the feedback I think the next version should mainly be a continuation of the work done for 1.0. As for the version number, I think 1.1 would be a good candidate (I don't think anyone mentioned major breaking or revolutionary changes warranting a 2.0 number).

A big difference this time is that both JASPIC and JACC are open for changes as well. During JSR 375 we had the problem that e.g. JASPIC wasn't open for changes since it wasn't active, and it couldn't be made active since it wasn't planned to be active.

This does mean we know have to make choices whether a change should go into JASPIC, JACC, EE Security or in a combination of these.

The things we can do vary between the boring but necessary infrastructure/compatibility fixes, and some higher level user features.

As for compatibility fixes:

We should have a clean way to fetch the caller principal from a Subject. Discussed before and most supported was a "Subject reader", which would be an interface implemented by the container that knows how to return -the- caller principal from a Subject. This is essentially the reverse of the JASPIC CallerPrincipalCallback which writes the Principal.

At the end of JSR 375 we had some issues when Will used an obscure clause in the JASPIC spec to escape from the responsibility of having to provide the exact Principal in e.g. HttpServletRequest#getUserPrincipal that was provided by a SAM. The spec currently says it MUST be possible to configure the container to return the exact Principal, but doesn't say HOW this must be done. We should definitely fix the wording here to prevent running into the same or similar issues.

The group-to-role-mapper on which JACC depends was in scope to be standardised, but we ran out of time.

As for user facing features:

The role checking interceptors weren't done for 1.0, but are still very often asked for. We could decide to go for a new annotation here which we can give more options for example:

@RolesPermitted("foo")

public void someMethod();

@RolesPermitted(value = {"foo", "bar"}, semantics = AND)

public void someMethod();

@RolesPermitted(value = "foo", _onDenied_=EXCEPTION)

public void someMethod();

@RolesPermitted(value = "foo", _onDenied_=START_HTTP_AUTHENTICATE)

public void someMethod();

We could also use the existing @RolesAllowed, with perhaps an extra annotation tot set extra options.

@RolesAllowed( {"foo", "bar"} )

@RolesAllowedOptions(semantics = AND)

public void someMethod();

Multiple authentication mechanisms in various ways (next to each other (per url pattern), stacked, and letting user choose) has been mentioned before and was recently requested again.

Custom authorisation rules is another one. I prototyped this for 1.0, but there wasn't enough time to fully discuss it. This would essentially provide a very user friendly API on top of the low-level JACC providers. It would allow for things such as checking roles with an external system (without having to request all roles from that system in advance), setting time based roles, adding and removing roles and constraints for the application programmatically at startup in an easy way, etc.

Adding a few additional authentication mechanisms such as OAuth2 and JWT. There's a small complication here that MP has defined a JWT authentication mechanism as well, so we may have to find a way to align with that (in Payara the MP-JWT is fully implemented as an EE Security authentication mechanism, but other implementations didn't do that).

There's a bunch more we can do probably, but these are a few of the things that immediately come to mind.

Kind regards,

Arjan
_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/es-dev

Follow-Ups:
- Re: [es-dev] EE Security.Next
  - From: reza_rahman

References:
- Re: [es-dev] EE Security.Next
  - From: arjan tijms

Prev by Date: Re: [es-dev] EE Security.Next
Next by Date: Re: [es-dev] EE Security.Next
Previous by thread: Re: [es-dev] EE Security.Next
Next by thread: Re: [es-dev] EE Security.Next
Index(es):
- Date
- Thread

Breadcrumbs