Google Site Search


Monday, December 12, 2011

Java Identity JSR: A positive step

The latest JSR on Java Identity is a very positive step in fostering security in Java applications. Since the JSR targets Java SE (as well as Java EE), it will have a very beneficial impact on Java applications running within the VM. You do not require a Java EE application server to avail the Identity services. A presentation on the JSR, given by the spec lead, Ron Monzillo is available at A complaint I often hear from Java developers is the lack of consistent, standard API/annotations that they can use for securing their applications. JSR 351 aims to provide the necessary API as well as annotations. This should have happened long ago, but at least now, there is a positive attempt in the direction. I fervently hope that all the framework developers pay attention to this JSR (and not fall prey to the NIH syndrome). With the proliferation of Identity standards and the lack of coherence among them, it has become very hard for application writers to grasp the concepts of security. They usually take the easy way out (a simple password based system). I wish the JSR committee all the success. I am planning to be on the committee. You are welcome to participate. The proposed reference implementation is going to under the Apache 2.0 license and the tck will be free of charge. [Slide 10]

No comments: