

Sunday, March 2, 2008

Security is way underspecified in Java EE

With all the talk about the profiles in Java EE 6 centering on whether the basic profile should be equivalent to just the Tomcat container services or whether an additional profile is needed to incorporate EJB 3, JPA and Web Beans, one has to understand that very limited progress has been made at extending security in Java EE 6. JSR-196 is a welcome change, but it mainly deals with externalizing the authentication aspects, and JASPI took years to complete. As far as the authorization needs of the modern enterprise are concerned, we have suddenly screeched to a halt.

OK, my personal take on the profiles. I vote for the one with Web Beans. A simple web profile (with just servlets and JSPs plus adornments) is not really fit to be termed Java EE 6. Modern web developers need web frameworks (not just JSPs and servlets) to do their development. Web Beans with a mix of EJB 3.1 and JPA certainly meets the needs of these web developers. Now come on, since when have developers been doing just JSPs and servlets? For web development, you need a persistence layer at all times. Since the Java world has converged on JPA, why not include it in the profile? We are talking about the EE space, so naturally your web components (my hands itched to say beans) will want to talk to some enterprise components, aka EJBs. You need the feather-lite version of the EJB specification (we are talking about simple profiles, right? Hence the lite version), which will be EJB 3.1. Now, for those morons who equated CMP beans with EJBs, you can stick to your EE profile consisting of just servlets and JSPs (with some insignificant step children, of course). There is no need to drag sane people onto your bandwagon.

Authorization has totally taken a back seat, with the cumbersome JACC (JSR-115) as the only authorization specification that is mandated. We have already seen with JBoss Portal that JACC needs to be extended to incorporate portal needs (remember, JACC deals only with web and EJB resources: its permission classes describe URL patterns and EJB methods, and nothing else). JACC is not very intuitive to developers/implementers.
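To make the JACC point concrete, here is an added illustration of how JSR-115 models authorization. It is not code from this post or from JBoss; it uses only the permission classes of the javax.security.jacc API, which is assumed to be on the classpath, and the bean name PayrollBean, the URL pattern /admin/* and the role "manager" are made up for the example. A container would derive these permissions from web.xml and ejb-jar.xml, register them through a PolicyConfiguration and ask Policy.implies() at request time; the example calls implies() on the permissions directly so that it runs without a JACC provider.

```java
import java.security.Permission;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.WebResourcePermission;

/*
 * Added illustration of the JACC (JSR-115) permission model, not code from the
 * post or from JBoss. Assumes the javax.security.jacc API jar on the classpath.
 * PayrollBean, /admin/* and the role "manager" are hypothetical.
 */
public class JaccPermissionDemo {

    // What a container derives from a <security-constraint> in web.xml that
    // grants role "manager" GET and POST on the URL pattern /admin/*.
    static final Permission MANAGER_WEB_GRANT =
            new WebResourcePermission("/admin/*", "GET,POST");

    // What a container derives from a <method-permission> in ejb-jar.xml that
    // grants role "manager" every method on the Remote interface of PayrollBean.
    // The actions string is "methodName,methodInterface[,paramTypes]"; an empty
    // method name means any method.
    static final Permission MANAGER_EJB_GRANT =
            new EJBMethodPermission("PayrollBean", ",Remote");

    /** Container-side question for a web request: does the grant cover it? */
    static boolean webAllowed(String servletPath, String httpMethod) {
        Permission requested = new WebResourcePermission(servletPath, httpMethod);
        return MANAGER_WEB_GRANT.implies(requested);
    }

    /** Container-side question for an EJB call: does the grant cover it? */
    static boolean ejbAllowed(String method, String iface, String[] paramTypes) {
        Permission requested =
                new EJBMethodPermission("PayrollBean", method, iface, paramTypes);
        return MANAGER_EJB_GRANT.implies(requested);
    }

    public static void main(String[] args) {
        // Web resources: both the URL pattern and the HTTP method matter.
        report("GET /admin/report", webAllowed("/admin/report", "GET"));
        report("DELETE /admin/report", webAllowed("/admin/report", "DELETE"));
        report("GET /public/index.jsp", webAllowed("/public/index.jsp", "GET"));

        // EJB methods: bean name, method, interface and parameter types all matter.
        String[] oneString = { "java.lang.String" };
        report("PayrollBean.getSalary(String) via Remote",
                ejbAllowed("getSalary", "Remote", oneString));
        report("PayrollBean.getSalary(String) via Local",
                ejbAllowed("getSalary", "Local", oneString));

        // A portal page, a jBPM task or a rule-guarded object instance has no
        // JACC permission type at all: the only Permission subclasses JSR-115
        // defines are the Web*Permission and EJB*Permission classes.
    }

    private static void report(String what, boolean allowed) {
        System.out.println((allowed ? "PERMIT " : "DENY   ") + what);
    }
}
```

Of the five checks, only the GET on /admin/report and the Remote call to PayrollBean are permitted; the DELETE, the request outside the pattern and the Local call are denied. Notice that the whole model is "does the caller's role hold a Permission that implies the requested one": anything that cannot be expressed as a URL pattern plus HTTP methods, or as an EJB method signature, has nowhere to go, which is why a portal or an instance-based security scheme has to step outside JACC.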

There have been new directions at JBoss, with initiatives in instance-based security (driven by Rules, Portal and jBPM demands), XACML (fine-grained authorization) and the Authorization Framework (pluggable authorization modules). I would love to see some additional work done in this regard in the JCP.

Time to ping Ron Monzillo at Sun. He is the main security spec lead from Sun (JACC, JASPI).

I will be with Hal Lockhart (BEA) and Tony Nadalin (IBM) this week at IDtrust 2008. We are on the same OASIS panel. It will be interesting to brainstorm ideas with them. My presentation on the panel (I will post the link to the presentation after the workshop is over) is about extending Java EE to incorporate the identity and access control needs of the modern enterprise.

What bothers you as a Java EE user?

UPDATE: Do not forget to check out the comments for this post....

1 comment:

Craig said...

Well said, Anil.

Something that shouldn't be overlooked is authorization for web services as well. An authz framework that handles web/servlet, EJB, portlets, web services and the like would be fantastic.

I think the biggest benefit of a unified framework would be the standard way of passing user credentials and user context from the app server to the security layer. This is something that's really, really lacking.

(This is Craig from IBM... I can't work out how to link this comment back to my personal site?)