
JSRs: Java Specification Requests

JSR 375: Java™ EE Security API

Stage (Access): Start to Finish

- Final Release (Download page): 19 Sep, 2017
- Final Approval Ballot (View results): 08 Aug, 2017 to 21 Aug, 2017
- Proposed Final Draft (Download page): 14 Jul, 2017
- Public Review Ballot (View results): 27 Jun, 2017 to 10 Jul, 2017
- Public Review (Download page): 25 May, 2017 to 24 Jun, 2017
- Early Draft Review (Download page): 13 Mar, 2017 to 12 Apr, 2017
- JSR Renewal Ballot 2 (View results): 29 Nov, 2016 to 12 Dec, 2016
- JSR Renewal Ballot (View results): 10 Nov, 2015 to 23 Nov, 2015
- JSR Review Ballot (View results): 09 Dec, 2014 to 22 Dec, 2014
- JSR Review: 25 Nov, 2014 to 08 Dec, 2014

Status: Final

JCP version in use: 2.10

Java Specification Participation Agreement version in use: 2.0





Description:

The goal of this JSR is to improve the Java EE platform by ensuring the Security API aspect is useful in the modern cloud/PaaS application paradigm.



Expert Group Transparency:

Public Project Page

Public Communications

Issue Tracking



Team

Specification Leads:

- Will Hopkins (Oracle)

Expert Group:

- Adam Bien
- Rudy De Busscher
- Ivar Grimstad
- IBM: Ajay Reddy
- Jemurai: Matt Konda
- Werner Keil
- Oracle: Will Hopkins
- Oracle: Alex Kosowski
- Red Hat: Darran Lofthouse
- Red Hat: Pedro Igor Silva
- Stormpath, Inc.: Les Hazlewood
- Arjan Tijms
- Tomitribe: David Blevins
- Tomitribe: Jean-Louis Monteiro

Contributors:

- Gonzalez de Aguero, Guillermo
- John Hogan
- Elder Moraes
- Fatih Mutluay
- Reza Rahman
- Ashley Richardson

The following updates have been made to the original proposal:

2017.05.24:

2.12 Please describe the anticipated schedule for the development of this specification.

2017-03-13 Early Draft Review Start

2017-04-12 Early Draft Review End

2017-05-23 Public Review Start

2017-06-19 Public Review End

2017-06-20 Public Review Ballot Start

2017-07-03 Public Review Ballot End

2017-07-05 Proposed Final Draft Start

2017-07-19 Proposed Final Draft End

2017-07-25 Final Approval Ballot Start

2017-08-07 Final Approval Ballot End

2017-08-10 GA Release

2016.10.07:

The Specification Lead changed from Alex Kosowski to Will Hopkins.

Specification Lead: Will Hopkins

E-Mail Address: will.hopkins @ oracle.com

Telephone Number: +1 781 442 0310

Fax Number: -

2015.07.14:

The schedule has been updated:

Q4 2015 Early Draft

Q1 2016 Public Review

Q3 2016 Proposed Final Draft

H1 2017 Final Release

Original Java Specification Request (JSR)

Section 1. Identification

Submitting Member: Oracle

Name of Contact Person: Alex Kosowski

E-Mail Address: alex.kosowski @ oracle.com

Telephone Number: +1 856 359 2921

Fax Number: +1 856 359 2921

NOTE that this information has been updated from this original proposal.

Specification Lead Member: Oracle Corporation

Specification Lead: Alex Kosowski

E-Mail Address: alex.kosowski @ oracle.com

Telephone Number: +1 856 359 2921

Fax Number: +1 856 359 2921

Initial Expert Group Membership: TBD

Supporting this JSR:

Mite Mitreski

JUGMK (Java User Group Macedonia)

IBM

Michael Remijan

Antonio Goncalves

ZEEF (Arjan Tijms)

Alexander Salvanos

Kito Mann



Section 2: Request

2.1 Please describe the proposed Specification:

The goal of this JSR is to improve the Java EE platform by ensuring the Security API aspect is useful in the modern cloud/PaaS application paradigm. This promotes self-contained application portability across all Java EE servers, and promotes use of modern programming concepts such as expression language, and contexts and dependency injection.

This JSR will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community via survey results and submitted JIRA issues.

The Security API JSR will enhance the following areas:

- User Management - Currently, there is no standardized support for user management in Java EE. Applications have no portable way of creating, deleting, updating, and grouping users within the Java EE platform. Typical workarounds include using third-party libraries or developing in-house solutions, the results of which may be vulnerable and insecure.

We are proposing a standardized user service, which would enable an application to perform user management operations, such as create, delete, update, and group users. The user service would manipulate users from a user source. We are considering user sources originating from resources such as LDAP, data source, files, embedded, and the server platform. The user source would be changeable per deployment environment, enabling a different user source for development, test, and production. The user source would typically be scoped to the application; however, it may be shared across applications by means currently used to share resources (e.g., JNDI lookup). We expect that some user sources would not support all user service operations, so the user service API would support a means to determine the capabilities of the configured user source.

- Password Aliasing - Currently, there is no standardized support for secure password reference and storage in Java EE. Applications may be required to supply passwords in various locations, such as annotations, deployment descriptors, URLs, and files. Typical workarounds include password encryption by third-party libraries or plain-text password storage, which may result in vulnerable, insecure solutions.

We are proposing a standardized syntax for indicating password alias, and a means for resolving the alias to a password value. The password repository would be a secure credentials archive, to be self-contained and deployed with the application. We are considering having the secure credentials archive include other credentials, such as key stores and trust stores.

- Role Mapping - Currently, there is no standardized support for role mapping in Java EE. Applications have no portable way of mapping authority roles to users and user groups within the Java EE platform. Typical workarounds include using third-party libraries or developing in-house solutions, the results of which may be vulnerable and insecure.

We are proposing a standardized role service, which would enable an application to perform role mapping operations, such as granting, revoking, and querying user and group roles. The role service would manipulate mappings from a role mapper. We are considering role mappers which have mappings originating from resources such as LDAP, data source, files, embedded, and the server platform. Also, we are considering a one-to-one group-to-role mapper, which maps groups directly to roles. The role mapper would be changeable per deployment environment, enabling different mappings for development, test, and production. The role mapper would typically be scoped to the application; however, it may be shared across applications by means currently used to share resources (e.g., JNDI lookup). We expect some role mappers would not support all role service operations, so the role service API would support a means to determine the capabilities of the configured role mapper.

- Authentication - We propose the following three enhancements regarding authentication.

We propose a means to enable an application to inform the platform runtime which user service and role service to use, if any. This would be an application-scoped configuration that would bind an application-defined user service reference and an application-defined role service reference, for use by the platform runtime whenever authentication is performed within the application. The configuration would be changeable per deployment environment, enabling different bindings for development, test, and production.

We propose a means to enable each servlet to be configured with different authentication methods within a single web application. Currently, Java EE web applications only support one selected authentication method per application. This proposal would enable different servlet-based modules (e.g. JSF and REST) to be configured with different authentication methods within the same application deployment.

We are considering adding an API to enable HttpServletRequest.authenticate to operate asynchronously, providing a non-blocking overloaded version with a callback.

- Authorization - Currently, Java EE only supports method access decisions by checking the assigned role of the authenticated user. There is no standardized support for incorporating application-domain rules into the authorization decision. Typical workarounds include using third-party libraries or developing in-house solutions, the results of which may be vulnerable and insecure.

We are proposing a new standardized method interceptor annotation, capable of incorporating application-based rules into the method access decision. This interceptor annotation would be invoked like a CDI Interceptor using @AroundInvoke. The rules would have access to the current invocation context, including attributes of the authenticated user. We are considering the rules to be text-based as Java Expression Language (EL), which would include access to managed beans. These EL rules could be embedded as inline text, or referenced from an external resource. We are considering supporting external rule sources, such as LDAP, data source, and file.

Additionally, we are considering supporting standardized CDI Events as part of the access decision. This would enable selected classes declared as invocation observers to make access decisions based on the invocation context.

2.2 What is the target Java platform? (i.e., desktop, server, personal, embedded, card, etc.)

This specification is targeted for Java EE 8 or higher platforms.

2.3 The Executive Committees would like to ensure JSR submitters think about how their proposed technology relates to all of the Java platform editions. Please provide details here for which platform editions are being targeted by this JSR, and how this JSR has considered the relationship with the other platform editions.

This specification targets the Java EE 8 Platform. It will be based on the corresponding release of the Java SE 8 platform.

2.4 What need of the Java community will be addressed by the proposed specification?

See 2.1 above.

2.5 Why isn't this need met by existing specifications?

See 2.1 above.

2.6 Please give a short description of the underlying technology or technologies:

Java EE Security is cross-cutting across all of the Java EE stack. A detailed description of Java EE functionality can be found in the Java EE Specification, see http://jcp.org/en/jsr/detail?id=342.

2.7 Is there a proposed package name for the API Specification? (i.e., javapi.something, org.something, etc.)

javax.security

javax.annotation.security

2.8 Does the proposed specification have any dependencies on specific operating systems, CPUs, or I/O devices that you know of?

No.

2.9 Are there any security issues that cannot be addressed by the current security model?

See 2.1 above.

2.10 Are there any internationalization or localization issues?

This JSR will use the I18N support in Java SE.

2.11 Are there any existing specifications that might be rendered obsolete, deprecated, or in need of revision as a result of this work?

Java Servlet 4.0 Specification may need revision to reflect per-servlet login configuration proposed in this JSR.

2.12 Please describe the anticipated schedule for the development of this specification.

Q3 2014 Expert Group formed

Q1 2015 Early Draft

Q3 2015 Public Review

Q4 2015 Proposed Final Draft

Q3 2016 Final Release

Note that this information has been updated from this original proposal.

2.13 Please describe the anticipated working model for the Expert Group working on developing this specification.

The primary means of communication will be email, with conference calls and face-to-face meetings scheduled as needed. We will solicit feedback from the community and leverage the open source development model.

2.14 Provide detailed answers to the transparency checklist, making sure to include URLs as appropriate:

The http://java.net/projects/javaee-security-spec project site will be used to track all issues and disseminate information on the progress of the JSR.

- Is the schedule for the JSR publicly available, current, and updated regularly?

The schedule will be available on the project site, http://java.net/projects/javaee-security-spec, and via the Community tab of the JSR.

- Can the public read and/or write to a wiki for the JSR?

The http://java.net/projects/javaee-security-spec project users list (users@javaee-security-spec.java.net) is used for this purpose.

- Is there a publicly accessible discussion board for the JSR that you read and respond to regularly?

The http://java.net/projects/javaee-security-spec project users list is used for this purpose.

- Have you spoken at conferences and events about the JSR recently?

No, this is a new JSR.

- Are you using open-source processes for the development of the RI and/or the TCK?

The RI is being done under the open source GlassFish project at http://glassfish.java.net. The TCK is not open source.

- What are the Terms of Use required to use the collaboration tools you have prepared to use with the Expert Group, so that prospective EG members can judge whether they are compatible with the JSPA?

The terms of use are those of java.net: http://www.java.net/javanet-web-site-terms-use

- What is the location of your publicly-accessible Issue list? In order to enable EC members to judge whether Issues have been adequately addressed, the list must make a clear distinction between Issues that are still open, Issues that have been deferred, and those that are closed, and must indicate the reason for any change of state.

The publicly-accessible Issue list is available at http://java.net/jira/browse/javaee-security-spec

- What is the mechanism for the public to provide feedback on your JSR?

The public can provide feedback on the JSR by means of the users list.

- Where is the publicly-accessible document archive for your Expert Group?

The publicly-accessible document archive is available at http://java.net/projects/javaee-security-spec/downloads

- Does the Community tab for my JSR have links to and information about all public communication mechanisms and sites for the development of my JSR?

Yes, it will.

- Do you have a Twitter account or other social networking feed which people can follow for updates on your JSR?

Updates on the JSR will be made available on the project site, http://java.net/projects/javaee-security-spec, and by means of the users list for the project.

- Which specific areas of feedback should interested community members (such as the Adopt-a-JSR program) provide to improve the JSR (please also post this to your Community tab)?

The formation of Adopt-a-JSR groups to provide technical feedback for Security API JSR is encouraged and supported.

2.15 Please describe how the RI and TCK will be delivered, i.e. as part of a profile or platform edition, or stand-alone, or both. Include version information for the profile or platform in your answer.

The RI and TCK for Security API JSR will be delivered in the same way as Java EE 8 platform.

2.16 Please state the rationale if previous versions are available stand-alone and you are now proposing in 2.13 to only deliver RI and TCK as part of a profile or platform edition (See sections 1.1.5 and 1.1.6 of the JCP 2 document).

N/A

2.17 Please provide a description of the business terms for the Specification, RI and TCK that will apply when this JSR is final.

This specification is planned to be licensed similarly to existing Java EE JSRs, such as JAX-RS 2.0 (JSR-339).

Java EE Security API 1.0 specification license

RI license

Commercial use: The RI will be available for commercial use under the CDDL 1.1 open source license, the GPLv2 with Classpath Exception open source license, or this license.

Non-Commercial use: The RI will be available for non-Commercial use under the CDDL 1.1 open source license or the GPLv2 with Classpath Exception open source license.

TCK license

Commercial use: The Java EE 8 TCK will be available for commercial use under this TCK license.

Non-Commercial use: As required by the Java Specification Participation Agreement (JSPA), the TCK will be licensed at no charge without support to qualified not-for-profit. The Compatibility Testing Scholarship Program will verify such qualification. Support may also be provided at no charge with approval of the scholarship board.

For more information, please refer to: http://www.oracle.com/technetwork/java/index-137188.html

2.18 Please describe the communications channel you have established for the public to observe Expert Group deliberations, provide feedback, and view archives of all Expert Group communications.

The Expert Group will conduct business on a publicly readable alias. The public will have an alias on which to provide feedback and discuss issues related to the JSR. There will also be a publicly accessible JIRA and document archive. (See also 2.19 and 2.20 below.)

2.19 What is the URL of the Issue Tracker that the public can read, and how does the public log issues in the Issue Tracker?

https://java.net/jira/browse/JAVAEE_SECURITY_SPEC

2.20 Please provide the location of the publicly accessible document archive you have created for the Expert Group.

https://java.net/projects/javaee-security-spec/downloads







Section 3: Contributions

3.1 Please list any existing documents, specifications, or implementations that describe the technology. Please include links to the documents if they are publicly available.

Existing documents that describe the technology are Java Platform, Enterprise Edition Specification Version 7 and Java Platform, Enterprise Edition Web Profile Specification, Version 7: http://jcp.org/en/jsr/detail?id=342.

3.2 Explanation of how these items might be used as a starting point for the work.

The existing Java EE 7 specification will be the starting point for this work.



