Java IoT Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Elizabeth White, Zakia Bouachraoui

Related Topics: Java IoT

Java IoT: Article

JAAS in the Enterprise

An integration proposal

One thing worth noting about these basic requirements. Modest as they are, none of them are addressed in J2EE 1.3! No wonder the current JAAS/J2EE integration landscape isn't pretty. (Unfortunately, even with JACC (JSR 115) being part of J2EE 1.4, many of these requirements are still not met. We'll discuss the role of JACC later in this document.) We can and should do better.

We don't want to speculate why and how this came to be, but we can assume there were good reasons to incorporate JAAS 1.0 as is into J2EE 1.3 without spelling out all the integration details. By taking this approach, as vendors gain experience by doing the real integration work, the experience will be taken into consideration in the next J2EE update. In fact, we think that's what happened with the JAAS/J2EE integration process. The real integration work has only just begun.

Standardization Efforts
Slowly but surely, the standardization process is beginning to fill some of the voids left out in J2EE 1.3. We'll examine the two main JSRs (Java Specification Requests) directly related to the topic under discussion. Not surprisingly, there are primarily two relevant JSRs. One deals with authentication and the other with authorization.

JSR 115 Java Authorization Contract for Containers (JACC)
Incorporated as part of the J2EE 1.4 specification, the explicit intent of JSR 115 is as follows:

Define new java.security.Permission classes to satisfy the J2EE role-based authorization model. The specification will define the binding of container access decisions to operations on instances of these permission classes. The specification will define the semantics of policy providers that employ the new permission classes to address the authorization requirements of J2EE.

In a nutshell, this specification aims to consolidate the J2EE and JAAS authorization models by defining Java 2 permission classes that capture J2EE security semantics.

Since this specification is adopted as part of J2EE 1.4, any J2EE 1.4-compliant containers have built-in JACC support.

As a first release, JACC has achieved its primary goals - i.e., to define Permission classes for J2EE security constraints (thereby consolidating the authorization models) and to define a standard contract between the container and the policy provider (thereby achieving limited interoperability). On the other hand, JACC 1.0 - just like any 1.0 specifications - isn't without issues.

JACC 1.0 doesn't clarify how J2EE API such as getCallerPrincipal (which assumes a single java.security.Principal instance to be returned) should behave when multiple Principals are associated with the Subject representing the currently authenticated user as a result of JAAS authentication.

By affording the container a degree of flexibility regarding how authorization decisions are to be done, it's not clear how an application can reliably retrieve the Subject representing the currently authenticated user in a portable manner.

The authorization SPI as defined in JACC 1.0 is somewhat incomplete, thus compromising interoperability - specifically, it doesn't define a standard way to map J2EE logical roles to deployment principals. The definition of a standard role-to-principal mapping facility will be critical to achieve true PnP (plug-and-play) for JACC policy providers.

While there are still issues to be hashed out, we view JSR 115 as a step in the right direction. We expect future updates of JSR 115 that address the issues we've identified here.

JSR 19: Java Authentication Service Provider Interface for Containers
The explicit goal of this JSR is as follows:

The proposed specification will define a standard service provider interface by which authentication mechanism providers can be integrated with containers. Providers integrated through this interface will be used to establish the authentication identities used in container access decisions, including those used by the container to invock components in other containers. The specification will define standard interfaces between containers and authentication modules...

Thus JSR 196 can be viewed as the authentication equivalent of JSR 115. It seeks to define a standard SPI via which authentication modules can be integrated with containers - much like how JSR 115 defines a standard authorization SPI through which policy modules are integrated with containers.

As we write this article, only an early draft is available for review. Contained in this draft, however, is a chapter dedicated to JAAS integration called "LoginModule Bridge Profile." In this chapter a standard approach to integrate JAAS LoginModules with JSR 196 authentication modules is articulated. In so doing, this specification has the potential to effectively fill another void we have identified earlier - the need to standardize how a JAAS LoginModule is integrated with containers.

Note that while this JSR is targeted at J2EE 1.4 and above, the JSR is currently lagging behind the original proposed schedule and is not part of J2EE 5 (nor does its inclusion appear likely, as J2EE 5 is already in "proposed final draft" stage).

Nonetheless, the eventual adoption of JSR 196 should be good news to those who have invested in JAAS architecture for authentication. We look forward to working with the specification leads to ensure that the JAAS LoginModule integration is properly defined in the specification.

JAAS/J2EE Integration Strategies for Today
So you're an enterprise application architect and you see the clear benefits of an integrated J2EE/JAAS integration architecture. You know the standards are heading in the right direction, but you need a solution that works today. What are your options?

Obviously, you can stick to one vendor's implementation and migrate to standard-based containers when the standards catch up with your needs. The upside of this approach is that there's little bootstrapping cost and you can start development right away. The downside is that your application is locked-in to a specific vendor's API - and you'll ultimately pay the price of either sticking with your container vendor no matter what or re-writing your application when the standards are ready. Obviously, the extent to which your vendor of choice fulfills the requirements identified in this article, the better insulated your application will be from vendor-specific lock-in.

Another approach is to add an additional level of indirection. Instead of sticking with one vendor's API, you devise a thin wrapper layer for a small number of APIs (such as the equivalent of Subject.getSubject), which insulates your application from vendor-specific APIs. The upfront cost of this approach is obviously a bit higher - you'll have to design the wrapper layer, after all - but the benefit is also obvious. Your application will be shielded from vendor lock-ins and it'd be relatively easy to deploy it to a different vendor. (This assumes that the thin wrapper layer is properly designed so that it's configurable and it defines a SPI (Service Provider Interface) layer that lets you add plug-ins for different container vendors.) In general, we recommend this approach if you can afford the upfront cost.

Finally, you can search the Internet for open source or commercial projects that take care of this for you. At the time of this writing, there weren't many portable JAAS/J2EE integration frameworks (open source or otherwise) available, but things change, so keep an eye out for new efforts in this direction.

JAAS and J2EE are complimentary technologies that play well together. We feel that a properly defined JAAS/J2EE integration architecture provides a flexible and powerful foundation on top of which sophisticated, secure and portable enterprise-level applications are made possible. Though today's landscape is somewhat less than perfect, the industry experts are hard at work to resolve the issues identified in this article. It's our hope that a reasonably complete JAAS/J2EE architecture will emerge out of the standard bodies in the near future.

For the Java architects and designers that need a solution today, fear not - you don't need to sit idly waiting for the standards to catch up. With some careful forethought and strategic thinking, we believe it's possible to design secure JAAS/J2EE-based applications that work in today's containers - and perhaps more importantly - in tomorrow's containers as well.

More Stories By Raymond K. Ng

Raymond K. Ng has been a professional software developer for 15 years and has been involved in high-scale enterprise Java development since JDK 1.0. He currently serves as architect and development lead of Oracle Platform Security Services (OPSS) and serves on the JCP Expert Groups for JSR 115 (JACC) and JSR 196. Raymond is a Consulting Member of the Technical Staff at Oracle Corporation and is the holder of multiple patents.

More Stories By Ganesh Kirti

Ganesh Kirti is a Senior Software Development Manager at Oracle with 11 years of industry experience. He currently leads development of Java Platform Security in the Oracle Fusion Middlewrae group at Oracle. Ganesh has a wide range of engineering experience including developing Identity Management and SOA Security products.

Comments (1)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...