JAAS, JASPIC, JACC. If those acronyms do not sound familiar, you are in good company. I have been developing with Java EE for almost two decades and I was not terribly familiar with them until I seriously started thinking about revamping Java EE security in the early Java EE 7 timeframe. Those are the three main Java EE related standard APIs that have remained largely unchanged since the J2EE era. That is until the Java EE Security API aimed for Java EE 8.

The reason I mostly didn't need to know about these APIs is because of the way Java EE security has evolved over the years. As of Java EE 7 the way applications work is that you do some minimal web.xml configuration declaring what type of authentication you want (basic, form, digest, etc), what application server "realm" (logical link name to application server security configuration) and what roles (security groups) have access to secure parts of the application. Most of the real work is typically actually done in application server admin GUI wizards like configuring what identity store you want to use (database, LDAP, etc) and how underlying groups map to roles (for most of my applications the application roles and identity store groups are exactly the same). There are certainly some benefits to this approach that most other technologies do not have. Most of the heavy lifting for security is just a few mouse clicks as opposed to writing and maintaining code. You can hand off the work of securing the application to an admin where this work often best belongs. Application servers have sophisticated security admin tooling that seems to have everything under the Sun including things like federated security through SAML.

This is not the approach more feature poor runtimes that lack admin GUIs take and the approach also has some downsides. The most significant downside is that beyond learning Java EE APIs as a developer you also need to know about each application server's security administration features. This also means that these features are slightly different from one application server to another, limiting application portability. In a PaaS environment, it is a lot easier if all security configuration is done inside the application itself, making the application more self-contained. The last problem is related to the age and focus of the current APIs used in Java EE - JAAS, JASPIC, JACC. These APIs have not gone through a significant revision in a while and their focus is on vendor plug-in writers, not application developers. This becomes a problem when developers need to do things that the application server does not have built-in support for such as using a custom data store (say using a security database with a poorly designed legacy schema) or using a custom authentication mechanism (say your own homegrown HTTP headers for federated security). There are third party frameworks in the Java EE ecosystem such as Shiro and PicketLink that attempt to solve these issues - in particular making application security embedded. These frameworks are of course non-standard and increase the need to add more runtime dependencies in the application.

The new Java EE Security API slated for Java EE 8 aims to solve these problems by simplifying and modernizing security in the platform. The Security API will make it possible to embed security in most common cases in the application in the simplest way possible. It will allow for easy extensibility by providing a much simpler, modernized, developer-focused alternative to JASPIC, JAAS and JACC. In the process, it will introduce simple standard terms and interfaces for Java EE security. It will also add some cool new authorization mechanisms in addition to the basic role based security that Java EE offers today.

Specification lead Alex Kosowski described all of this well during his JavaOne 2015 talk (click here).

The Java EE Security API is one of the most important and perhaps most awaited parts of Java EE 8. It is not very surprising that it is one of the Java EE 8 JSRs that has seen the most active participation from the community - Alex refers to some of this participation in his talk. You should feel encouraged to participate yourself perhaps starting by viewing the video above.