Java IoT Authors: Yeshim Deniz, Elizabeth White, Pat Romanski, Liz McMillan, Zakia Bouachraoui

Related Topics: Java IoT

Java IoT: Article

JAAS in the Enterprise

An integration proposal

One thing worth noting about these basic requirements. Modest as they are, none of them are addressed in J2EE 1.3! No wonder the current JAAS/J2EE integration landscape isn't pretty. (Unfortunately, even with JACC (JSR 115) being part of J2EE 1.4, many of these requirements are still not met. We'll discuss the role of JACC later in this document.) We can and should do better.

We don't want to speculate why and how this came to be, but we can assume there were good reasons to incorporate JAAS 1.0 as is into J2EE 1.3 without spelling out all the integration details. By taking this approach, as vendors gain experience by doing the real integration work, the experience will be taken into consideration in the next J2EE update. In fact, we think that's what happened with the JAAS/J2EE integration process. The real integration work has only just begun.

Standardization Efforts
Slowly but surely, the standardization process is beginning to fill some of the voids left out in J2EE 1.3. We'll examine the two main JSRs (Java Specification Requests) directly related to the topic under discussion. Not surprisingly, there are primarily two relevant JSRs. One deals with authentication and the other with authorization.

JSR 115 Java Authorization Contract for Containers (JACC)
Incorporated as part of the J2EE 1.4 specification, the explicit intent of JSR 115 is as follows:

Define new java.security.Permission classes to satisfy the J2EE role-based authorization model. The specification will define the binding of container access decisions to operations on instances of these permission classes. The specification will define the semantics of policy providers that employ the new permission classes to address the authorization requirements of J2EE.

In a nutshell, this specification aims to consolidate the J2EE and JAAS authorization models by defining Java 2 permission classes that capture J2EE security semantics.

Since this specification is adopted as part of J2EE 1.4, any J2EE 1.4-compliant containers have built-in JACC support.

As a first release, JACC has achieved its primary goals - i.e., to define Permission classes for J2EE security constraints (thereby consolidating the authorization models) and to define a standard contract between the container and the policy provider (thereby achieving limited interoperability). On the other hand, JACC 1.0 - just like any 1.0 specifications - isn't without issues.

JACC 1.0 doesn't clarify how J2EE API such as getCallerPrincipal (which assumes a single java.security.Principal instance to be returned) should behave when multiple Principals are associated with the Subject representing the currently authenticated user as a result of JAAS authentication.

By affording the container a degree of flexibility regarding how authorization decisions are to be done, it's not clear how an application can reliably retrieve the Subject representing the currently authenticated user in a portable manner.

The authorization SPI as defined in JACC 1.0 is somewhat incomplete, thus compromising interoperability - specifically, it doesn't define a standard way to map J2EE logical roles to deployment principals. The definition of a standard role-to-principal mapping facility will be critical to achieve true PnP (plug-and-play) for JACC policy providers.

While there are still issues to be hashed out, we view JSR 115 as a step in the right direction. We expect future updates of JSR 115 that address the issues we've identified here.

JSR 19: Java Authentication Service Provider Interface for Containers
The explicit goal of this JSR is as follows:

The proposed specification will define a standard service provider interface by which authentication mechanism providers can be integrated with containers. Providers integrated through this interface will be used to establish the authentication identities used in container access decisions, including those used by the container to invock components in other containers. The specification will define standard interfaces between containers and authentication modules...

Thus JSR 196 can be viewed as the authentication equivalent of JSR 115. It seeks to define a standard SPI via which authentication modules can be integrated with containers - much like how JSR 115 defines a standard authorization SPI through which policy modules are integrated with containers.

As we write this article, only an early draft is available for review. Contained in this draft, however, is a chapter dedicated to JAAS integration called "LoginModule Bridge Profile." In this chapter a standard approach to integrate JAAS LoginModules with JSR 196 authentication modules is articulated. In so doing, this specification has the potential to effectively fill another void we have identified earlier - the need to standardize how a JAAS LoginModule is integrated with containers.

Note that while this JSR is targeted at J2EE 1.4 and above, the JSR is currently lagging behind the original proposed schedule and is not part of J2EE 5 (nor does its inclusion appear likely, as J2EE 5 is already in "proposed final draft" stage).

Nonetheless, the eventual adoption of JSR 196 should be good news to those who have invested in JAAS architecture for authentication. We look forward to working with the specification leads to ensure that the JAAS LoginModule integration is properly defined in the specification.

JAAS/J2EE Integration Strategies for Today
So you're an enterprise application architect and you see the clear benefits of an integrated J2EE/JAAS integration architecture. You know the standards are heading in the right direction, but you need a solution that works today. What are your options?

Obviously, you can stick to one vendor's implementation and migrate to standard-based containers when the standards catch up with your needs. The upside of this approach is that there's little bootstrapping cost and you can start development right away. The downside is that your application is locked-in to a specific vendor's API - and you'll ultimately pay the price of either sticking with your container vendor no matter what or re-writing your application when the standards are ready. Obviously, the extent to which your vendor of choice fulfills the requirements identified in this article, the better insulated your application will be from vendor-specific lock-in.

Another approach is to add an additional level of indirection. Instead of sticking with one vendor's API, you devise a thin wrapper layer for a small number of APIs (such as the equivalent of Subject.getSubject), which insulates your application from vendor-specific APIs. The upfront cost of this approach is obviously a bit higher - you'll have to design the wrapper layer, after all - but the benefit is also obvious. Your application will be shielded from vendor lock-ins and it'd be relatively easy to deploy it to a different vendor. (This assumes that the thin wrapper layer is properly designed so that it's configurable and it defines a SPI (Service Provider Interface) layer that lets you add plug-ins for different container vendors.) In general, we recommend this approach if you can afford the upfront cost.

Finally, you can search the Internet for open source or commercial projects that take care of this for you. At the time of this writing, there weren't many portable JAAS/J2EE integration frameworks (open source or otherwise) available, but things change, so keep an eye out for new efforts in this direction.

JAAS and J2EE are complimentary technologies that play well together. We feel that a properly defined JAAS/J2EE integration architecture provides a flexible and powerful foundation on top of which sophisticated, secure and portable enterprise-level applications are made possible. Though today's landscape is somewhat less than perfect, the industry experts are hard at work to resolve the issues identified in this article. It's our hope that a reasonably complete JAAS/J2EE architecture will emerge out of the standard bodies in the near future.

For the Java architects and designers that need a solution today, fear not - you don't need to sit idly waiting for the standards to catch up. With some careful forethought and strategic thinking, we believe it's possible to design secure JAAS/J2EE-based applications that work in today's containers - and perhaps more importantly - in tomorrow's containers as well.

More Stories By Raymond K. Ng

Raymond K. Ng has been a professional software developer for 15 years and has been involved in high-scale enterprise Java development since JDK 1.0. He currently serves as architect and development lead of Oracle Platform Security Services (OPSS) and serves on the JCP Expert Groups for JSR 115 (JACC) and JSR 196. Raymond is a Consulting Member of the Technical Staff at Oracle Corporation and is the holder of multiple patents.

More Stories By Ganesh Kirti

Ganesh Kirti is a Senior Software Development Manager at Oracle with 11 years of industry experience. He currently leads development of Java Platform Security in the Oracle Fusion Middlewrae group at Oracle. Ganesh has a wide range of engineering experience including developing Identity Management and SOA Security products.

Comments (1)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
Where many organizations get into trouble, however, is that they try to have a broad and deep knowledge in each of these areas. This is a huge blow to an organization's productivity. By automating or outsourcing some of these pieces, such as databases, infrastructure, and networks, your team can instead focus on development, testing, and deployment. Further, organizations that focus their attention on these areas can eventually move to a test-driven development structure that condenses several l...
The graph represents a network of 1,329 Twitter users whose recent tweets contained "#DevOps", or who were replied to or mentioned in those tweets, taken from a data set limited to a maximum of 18,000 tweets. The network was obtained from Twitter on Thursday, 10 January 2019 at 23:50 UTC. The tweets in the network were tweeted over the 7-hour, 6-minute period from Thursday, 10 January 2019 at 16:29 UTC to Thursday, 10 January 2019 at 23:36 UTC. Additional tweets that were mentioned in this...
Over the course of two days, in addition to insightful conversations and presentations delving into the industry's current pressing challenges, there was considerable buzz about digital transformation and how it is enabling global enterprises to accelerate business growth. Blockchain has been a term that people hear but don't quite understand. The most common myths about blockchain include the assumption that it is private, or that there is only one blockchain, and the idea that blockchain is...
Never mind that we might not know what the future holds for cryptocurrencies and how much values will fluctuate or even how the process of mining a coin could cost as much as the value of the coin itself - cryptocurrency mining is a hot industry and shows no signs of slowing down. However, energy consumption to mine cryptocurrency is one of the biggest issues facing this industry. Burning huge amounts of electricity isn't incidental to cryptocurrency, it's basically embedded in the core of "mini...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
The term "digital transformation" (DX) is being used by everyone for just about any company initiative that involves technology, the web, ecommerce, software, or even customer experience. While the term has certainly turned into a buzzword with a lot of hype, the transition to a more connected, digital world is real and comes with real challenges. In his opening keynote, Four Essentials To Become DX Hero Status Now, Jonathan Hoppe, Co-Founder and CTO of Total Uptime Technologies, shared that ...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the competition, or worse, just keep up. Each new opportunity, whether embracing machine learning, IoT, or a cloud migration, seems to bring new development, deployment, and management models. The results are more diverse and federated computing models than any time in our history.