Security for Java EE 8 and the Cloud - RainFocus · Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Use Case • Application may manage its users or use externally

Copyright©2016,Oracleand/oritsaffiliates.Allrightsreserved.|

SecurityforJavaEE8andtheCloud[CON7978]

KKSriramadhesikanArchitect,PlatformSecurityOracleSeptember,2016


SafeHarborStatement

Thefollowingisintendedtooutlineourgeneralproductdirection.Itisintendedforinformationpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfunctionality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andtimingofanyfeaturesorfunctionalitydescribedforOracle’sproductsremainsatthesolediscretionofOracle.


ProgramAgenda

1

2

3

4

5

6

Motivations

IdentityUseCases

HowcanJSR375help?

MoreSecurityUseCases!

WayForward?

GetInvolved


ProgramAgenda

Motivations

IdentityUseCases

HowcanJSR375help?


WayForward?

GetInvolved

1

2

3

4

5

6


Motivation• Whereenterpriseappsrunischanging– Incorporatedatacenters– Inthecloudfromoneofseveralvendors

• TheshapeoftheEnterpriseappischanging– Amonolithoracollectionofmicroservices

• Thesefactors–Drivecomplexityinhowappsarebuilt,deployed,managed,operated–Drivecomplexityinhowappsneedtoworkintheirtargetenvironment

• Canwestillstaysecure,withthesechanges?


• Networkpathswithinthecorporatenetwork• Authenticatestoon-premiseidentitysystems

• Mayuseon-premiseSingleSignontosecurewebresources

• Authorization:managedbyapplication,mappedtoon-premiseidentity

• IdentitypropagationtoexternalentitiesreliesonSAML,BasicAuth

• Secretsinlocalstoreswithseverallayersofcontrol

Apps:On-premise

Store

IdStoreSSOAgent

IAMSystem

CorporateDataCenter

PartnerSystems

AppJavaEEContainer

App

JavaEEContainer

App


• CloudVendorforcontrolsonnetwork

• Sociallogins,externalIdentitySystems

• SSOusingaCloudIdentityprovider

• RESTneedsOAuth

• IdentityPropagation-SAML,BasicAuthplusOAuthandJWT

• Moreinteractions–cloud,on-premise

• Authorization-toidentitiesfromoneofseveralidentityproviders

• Secretsneeddefenseindepth–encryption,securingtheencryptionkey?

Apps:IntheCloud

Store

IdStoreSSOAgent

CloudDataCenter

BYOIdentitySystem

PartnerSystems

(OIDC)

CloudIdP On-PremIdP

SocialLogins

JavaEEContainer

App

JavaEEContainer

App

Apps(OtherClouds)


• AllissuesofJavaEEAppinthecloudPlus• AppBoundaryischanging– Distributedprocesses,scaleindependently– Identityoneveryhop?– Eachmicroservicedealswithidentity?– Eachmicroserviceauthorizesaccess?– Eachmicroservicemanagessecrets?– WhataboutStatelessness,configuration?– Whataboutthenetworkboundary?Whichmicroservicesarepublic?

MicroServicesintheCloud

Host

ServiceA

ServiceB

Host

ServiceC

Router/LB

ServiceDiscovery

Configuration

Eventing

Logging

State/Caching/DB

Identity• On-Prem• CloudIdP• SocialLogins

SSOAgent?

PartnerSystemsApps

(CloudSystems)

ServiceC


Motivation!

Easy Hard Huh?!


ProgramAgenda

Motivations

IdentityUseCases

HowcanJSR375help?


WayForward?

GetInvolved

1

2

3

4

5

6


WhyarethesesoimportantintheCloud?


UseCase

• Applicationmaymanageitsusersoruseexternallymanagedusers• Applicationmustauthenticateusersagainstoneofseveralidentitystores• Applicationmustsupportoneoftheseauthenticationmethods– BasicAuth,OpenIDConnect

• ApplicationisabletohandleAuthenticationevents(login,logout)• DeveloperisabletouseaportableAuthenticationAPIregardlessofidentitystore

Authentication


UseCase

• Applicationmaymanageitsusersoruseexternallymanagedusers• Applicationmustbeableaccesstheidentitystore• Applicationcanbeboundtooneormoreidentitystoresatdeployment• IdentityStoreboundtotheApplicationcanbereconfigured

IdentityStore

Develop Productionon-prem MovetoCloudIntegrateTest

• FewTestUsers• K-Vstoreorincodesuffices• NoIdProp

• FewTestUsers• K-Vstoreorincodesuffices• NoIdProp

• Largeuserpopulations• LDAP,CloudIDP• SAML,Basic,OAuth

• Largeuserpopulations• LDAP,SomePartnerIDP• SAML,Basic,SomeOAuth

• Hugeuserpopulations• LDAP?,CloudIDP,PartnerIDP,

SocialLogins• SAML,Basic,OAuth


UseCase

• Applicationmustbeabletodetermineidentityofthecaller• Applicationisabletodetermineuser’sgroups.• Applicationknowscalleridentityconsistently,asidentitystoreschange

IdentityRepresentation


• FewTestUsers,Groups• FewTestUsers,Groups • Largeuser,grouppopulations• LDAP,CloudIDP• User/GroupAttributes

sometimeschange

• Largeuserpopulations• LDAP,SomePartnerIDP• User/GroupAttributes

sometimeschange

• Hugeuserpopulations• LDAP?,Cloud/PartnerIDP,SocialLogins• User,GroupAttributeschangebasedon

IDP


UseCase

• Applicationisabletodetermineuserattributesconsistently– Authenticateduser–Groups,Roles– IdentityProviderthatissuedclaimsusedincreatingtheSubject– Localorremoteuser?VirtualUser?

• ApplicationneedsaconsistentAPItoaccesssecuritycontext

SecurityContext


OpenIdConnect(OIDC)

• AuthenticationProtocolbuiltonOAuth2• SessionManagement–SingleSignon,Out• AnadditionalTokenType–IDToken• UserInfo,Discovery,ClientSelf-registrationEndpoints• Specs:OpenIDcore,Discovery,ClientRegistration

Refresher

http://openid.net/specs/openid-connect-core-1_0.html

http://openid.net/specs/openid-connect-discovery-1_0.html

http://openid.net/specs/openid-connect-registration-1_0.html


UseCase

• Atdeployment,ApplicationisconfiguredtobesecuredbyOIDC• Applicationmustcontinuetorelyonwellknownabstractionsfor– Identity– Authentication– AuthenticationEvents

OIDC


WhatdoesthismeantotheApp?

• AnAppdeveloper–NeedsaconsistentAPItoabstracttheIdentitystore,authenticationmechanism,identityrepresentation– Canrelyonconfigurationalone,tochangeastheAppprogresses

• DevOpscaneasilychangeconfigurationtosuittheenvironment


In-memoryStore

In-memoryStore

LDAP,CloudIDP

LDAPPartnerIDP

LDAP,CloudIDP,Social


ProgramAgenda

Motivations

IdentityUseCases

HowcanJSR375help?


WayForward?

GetInvolved

1

2

3

4

5

6


HowcanJSR375help?


JSR375

• StandardizeTerminology• APIforAuthenticationmechanism• APIforIdentityStore• APIforSecurityContext

Recap,RelevancetotheCloud

• APIforPasswordAliasing• APIforRole/PermissionAssignment• APIforAuthorizationInterceptors

AnecessaryfoundationfortheCloud


JSR375-CandidatesforEG

• PortableAPIforAuthentication– abstractsthespecificIdentityStoreagainstwhichtoAuthenticate

• Simpleconfiguration• ExtensibletosupportprotocolssuchasOpenIDConnectandOAuth• ProducesaConsistentrepresentationofanauthenticatedSubject• AuthenticationEvents

• UseJASPIC(JSR196)?

AuthenticationMechanism



• AbstracttheIdentityStoreusedbyanapplication• Simpleconfiguration• SupportavarietyofIdentitystores– Lightweightk-vdevelopmentstores– Traditionalstores–LDAP,DB– Cloud-specificstorese.g.SocialLogins,3rd-partyCloudIdentityproviders

• Orderabletosupportmultipleidentitystores• Abstractiontosupportvarietyofcredentialtypes– Username/Password;OAuthClientid+Secret;JWTTokens

IdentityStore



• ConsistentAPIregardlessofcontainer• EnablesApplicationtodetermine– user’sidentity– IdentityProviderthatwasusedtoestablishidentity–WhichgroupsorRolestheuserbelongsto

SecurityContext

public interface SecurityContext{ String getUserPrincipal(); boolean isUserInRole(String role); List<String> getAllUsersRoles(); boolean isAuthenticated(); }


ProgramAgenda

Motivations

IdentityUseCases

HowcanJSR375help?


WayForward?

GetInvolved

1

2

3

4

5

6


MoretoSecuritythanIdentity?


Authorization

• OAuth2

• Role/PermissionAssignment

• AuthorizationInterceptors

Lotsofgroundtocover!


OAuth2

• AnAuthorization/DelegationFramework

• StandardizedbyRFC6749– RFC6750usingbearertokens– RFC6819Securityconsiderations

• OnafoundationofTokenstandards– JSONObjectSigningEncryption(JOSE)– JWT(RFC7519),JWS(RFC7515),JWE(RFC7516),JWA(RFC7518),JWK(RFC7517)

Refresher

• Actors– ResourceOwner– Client– Resource,Resourceserver– AuthorizationServer

• Authorizationsrepresentedas‘scopes’

https://tools.ietf.org/html/rfc7519


http://www.rfc-editor.org/info/rfc7516




OAuth2AuthorizationFlowsAuthorizationCodeFlow

Server-sideAppactingonbehalfofauser

3-legged

ImplicitGrantFlowClientonbehalfofauser3-legged

ResourceOwnerGrantFlowTrustedClientonusersbehalf

2-leggedClientCredentialsFlowClientonitsownbehalf2-legged


ProblemStatement

OAuth2

AppClient

GEThttp://hostname/api/v2/customers

<<ResourceServer>>

/api/v2/customers

/api/v2/ratings

<<Resources>>

AuthorizationServer 1. CreateOAuthResources

2. RegisterwithAuthorizationServer1. CreateOAuthClient2. RegisterwithAuthorizationServer3. Updatescopesofinterest

1. ExecuteanAuthorizationFlow2. GetAccessTokenforscope(s)

/api/v2/customers3. Optionally,GetRefreshToken

Authorization:Bearerya29.Ci9g….

ValidateAccessToken,GetSubject


ProblemStatement

OAuth2

• Server-side– HowdoIregistermyOAuthResources?– HowdoIindicatemy‘scopes’?

• Client-side– HowdoIregistermyOAuthClient?– HowdoIknow‘scopes’toaskfor?– HowdoesmyclientgetTokens?– Howdoesmyclienthandleexpiry?

• CanweabstractvariationsinAuthorizationServers?• Howdowedealwithscopes/clients/resourcesatscale?


• Server-side– Annotateresourcestobesecured– AnnotateifresourceneedsBASICorOAuth2– ForOAuth2securedresources,standardizescopedeclaration– StandardizeOAuthResourceregistrationwithAuthorizationServer– AdapttospecificAuthorizationServers–DocumentAuthmethod,scopes–Swagger?

• Client-side– LifecycletohandleClientregistration• StaticordynamicallycreatedClients• SecuremanagementofClientid/Secrets

–DiscovercapabilitiesonTargetsforconstructingscopesinTokenrequests– AbstractionstoacquireToken• OAuth2FlowsasStrategies• TokenExpiryhandling

– AbstractiontoinjectTokensoninvocation

IdeasforOAuth2

• SubjecttofurtherexplorationwithEG,JAX-RSandServletSpecs

http://swagger.io/specification/%23securitySchemeObject


OAuth2Arewejustautomatingcomplexity?Isthereasimplerway?


Role/PermissionAssignment

• Applicationmaymanageitsusersoruseexternallymanagedusers

• Applicationneedstoassignrolestousers,groupsbasedonapplicationspecificmodel

UseCase



• UsersorGroupsassignedtoRoleschangesbasedondeployment• User,GrouprepresentationschangebasedonboundIdentityStore• OAuth2ScopesvsRoles–dotheyoverlap?Aretheycomplementary?

ProblemStatement



• SupportviaDeploymentdescriptorse.g.web.xml– ChangebindingatdeploymentbasedonconfiguredIdStore

• AssignScopesonOAuth2ResourcestoRoles?– EnablesApptobindScopestoRoles–WhilemappedUsers,Groupschange

Ideas

<security-role-map> <group>SalesSupport</group> <role-name>CSR</role-name></security-role-map>

publicclassCustomers{ @RolesAllowed(“CSR”) @GET

publicStringget() ...

}


AuthorizationInterceptors

• Applicationmustrestrictaccesstofunctionality• Rolesalonearetoocoarsegrained• Applicationbusinessmodeldeterminesrulesthatdriveaccess

UseCase


• ProblemStatement–NoConsistentInterceptorforpolicyenforcement–NoConsistentexternalizableRules–NeedtobebindabletochangingidentitiesbyBusinessandOperations

• Ideas– StandardizeInterceptors– EnableSecurityteamstobuildcustomAuthorizationlogic– Externalized,standardizedrulelanguage– IdentityandSecurityContextaware

AuthorizationInterceptors


Secrets

• Applicationneedstobeabletosecurelymanagesecrets• Secretsmayincludepasswordstoresourcese.g.OAuthclientid+secrets• Applicationsareablesecuresecretsinaportableway• Secretsareneverstoredincleartext• Valueschangeandareboundperdeployment• Statehastobeexternalized– ApplicationmayconsumesecretsfromaKeyManagementSystem(KMS)

UseCase


Secrets

• ApplicationreferstosecretsviaAliases• AliasesconfiguredviaAnnotationsorDeploymentDescriptors• Lifecycle– BundleAlias+valueasasecretsarchivewiththeapplication– BindvaluestoAliasesatDeployment• FromanexternalKMS?

– Toolingtomanagesecretsarchive

• RelyonPKCS12supportinjava.security.KeyStore?

Ideas


http://openjdk.java.net/jeps/229


ProgramAgenda

Motivations

IdentityUseCases

HowcanJSR375help?


Wayforward

GetInvolved

1

2

3

4

5

6


ConsistentlySecure:On-premtoCloud


WayForward?

• Authentication–OpenIDConnect• Authorization(incl.OAuth)• SecretManagement(incl.PasswordAliasing)

• Securitymicroservices

• Packaging,Configuration,Binding

• StandardizeTerminology• Authenticationmechanism• IdentityStore• SecurityContext

JavaEE8

JavaEE9


Logging

Identity• On-Prem• CloudIdP• SocialLogins

PartnerSystems

Apps(CloudSystems)

HostServiceA

ServiceB

Host

ServiceCServiceC

Eventing

Configuration

State/Caching/DB

ServiceDiscovery

Router/LB

SSOAgent?


• ProblemStatement– EnableusingOIDCforAuthenticationatDeployment

– TransparenttotheApplication– SolelythroughConfiguration– RegardlessofspecificOIDCImplementation

• Ideas– OIDCFlowsasanAuthenticationMechanism– Standardize,abstractnecessaryconfiguration– Configurableatdeployment– EncapsulatewithintheSecurityContext• Representationsofuseridentity,groupmemberships

• BasedonClaimsinOIDCIdentityTokenfromOpenIdProvider(OP)

– ProvideApplicationsaccessto/userInfoendpointviatheIdentityStoreabstraction

JavaEE9Candidates-OpenIdConnect


• Authorization–Discover/publishOauthResources–OauthClientregistration– AuthorizationInterceptors– AuthorizationRulesEL– Role/Permissionassignment

• SecretManagement– AbstractingsecretstheApplicationneeds– Bindsecretvaluesatdeployment– StandardizebindingvaluesfromKMSsystems

JavaEE9Candidates–Authorization,SecretManagement


• IdentityServices– Authenticationimplementations– AuthenticationConfiguration– IdentityStoreConfiguration,handling– TokenAcquisition,Exchange

• SecretsManagement– APIstomanagesecrets– APIstogetsecrets– Abstractspersistence,statemanagement

• AuthorizationService– APIstopublish,managepolicy,rolemapping– APIstogetdecisions

• Mix-inServicesasfunctionallyneeded• PackagingandLifecycle– StandardizeSecurityConfiguration– ExternalizeConfiguration– BindValuesatdeployment

JavaEE9Candidates–SecurityMicroServices


WheredowegonextintheEG?

2017• BuildafoundationforIdentitywithJSR375inJavaEE8

2018• CandidatesforFocusinJavaEE9• SecurityinPackaging,Configuration,Build• SecurityMicroServices• Authorization• SecretManagement


Simple.Consistent.Secure


ProgramAgenda

Motivations

IdentityUseCases

HowcanJSR375help?


WayForward?

GetInvolved

1

2

3

4

5

6


GetInvolved

• ProjectPageforallresources:https://java.net/projects/javaee-security-spec

• Subscribe,Contribute:[email protected]

• Playground:https://github.com/javaee-security-spec/javaee-security-proposals

https://java.net/projects/javaee-security-spec

https://java.net/projects/javaee-security-spec

mailto:[email protected]

https://github.com/javaee-security-spec/javaee-security-proposals


NextSteps

• Takethesurvey– http://glassfish.org/survey

• Sendtechnicalcommentsto– [email protected]

• JointheJCP–cometoHackergardeninJavaHub– https://jcp.org/en/participation/membership_drive

• JoinortracktheJSRsastheyprogress– https://java.net/projects/javaee-spec/pages/Specifications

• Adopt-a-JSR– https://community.oracle.com/community/java/jcp/adopt-a-jsr

Giveusyourfeedback

http://glassfish.org/survey

mailto:[email protected]

https://jcp.org/en/participation/membership_drive

https://java.net/projects/javaee-spec/pages/Specifications



https://community.oracle.com/community/java/jcp/adopt-a-jsr


WheretoLearnMoreatJavaOneSessionNumber SessionTitle Day/Time

CON7983 JAX-RS2.1forJavaEE8 Tuesday12:30p.m.

CON8292 PortableCloudApplicationswithJavaEE Tuesday2:30p.m.

CON7980 Servlet4.0:StatusUpdateandHTTP/2 Tuesday4:00p.m.

CON7978 SecurityforJavaEE8andtheCloud Tuesday5:30p.m.

CON7979 ConfigurationforJavaEE8andtheCloud Wednesday11:30a.m.

CON7977 JavaEENext–HTTP/2andREST Wednesday1:00p.m.

CON6077 TheIllusionofStatelessness Wednesday4:30p.m.

CON7981 JSF2.3 Thursday11:30a.m.


Q&A

Documents

Security for Java EE 8 and the Cloud - RainFocus · Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Use Case • Application may manage its users or use externally