Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Security for Java EE 8 and the Cloud [CON7978]
KK Sriramadhesikan, Architect, Platform Security, Oracle. September 2016
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
1. Motivations
2. Identity Use Cases
3. How can JSR 375 help?
4. More Security Use Cases!
5. Way Forward?
6. Get Involved
Motivation
• Where enterprise apps run is changing
  – In corporate data centers
  – In the cloud, from one of several vendors
• The shape of the enterprise app is changing
  – A monolith, or a collection of microservices
• These factors
  – Drive complexity in how apps are built, deployed, managed, operated
  – Drive complexity in how apps need to work in their target environment
• Can we still stay secure, with these changes?
Apps: On-premise
• Network paths within the corporate network
• Authenticates to on-premise identity systems
• May use on-premise Single Sign-on to secure web resources
• Authorization: managed by the application, mapped to on-premise identity
• Identity propagation to external entities relies on SAML, Basic Auth
• Secrets in local stores with several layers of control
[Diagram: Corporate Data Center containing Java EE containers running apps, an IAM System with its Id Store and SSO Agent, and a local secret Store; Partner Systems outside the data center]
Apps: In the Cloud
• Cloud vendor for controls on the network
• Social logins, external identity systems
• SSO using a Cloud Identity provider
• REST needs OAuth
• Identity propagation: SAML, Basic Auth plus OAuth and JWT
• More interactions: cloud, on-premise
• Authorization: to identities from one of several identity providers
• Secrets need defense in depth: encryption, securing the encryption key?
[Diagram: Cloud Data Center containing Java EE containers running apps, an Id Store and SSO Agent, and a secret Store; around it a BYO Identity System, a Cloud IdP and an On-Prem IdP (OIDC), Social Logins, Partner Systems, and Apps in other clouds]
Microservices in the Cloud
• All issues of a Java EE app in the cloud, plus
• The app boundary is changing
  – Distributed processes, scale independently
  – Identity on every hop?
  – Each microservice deals with identity?
  – Each microservice authorizes access?
  – Each microservice manages secrets?
  – What about statelessness, configuration?
  – What about the network boundary? Which microservices are public?
[Diagram: hosts running Service A, Service B and Service C behind a Router/LB, with shared Service Discovery, Configuration, Eventing, Logging and State/Caching/DB; Identity from On-Prem, a Cloud IdP or Social Logins; an SSO Agent (?); Partner Systems and Apps in Cloud Systems]
Motivation!
Easy / Hard / Huh?!
Why are these so important in the Cloud?
Use Case: Authentication
• Application may manage its users or use externally managed users
• Application must authenticate users against one of several identity stores
• Application must support one of these authentication methods
  – Basic Auth, OpenID Connect
• Application is able to handle authentication events (login, logout)
• Developer is able to use a portable authentication API regardless of identity store
Use Case: Identity Store
• Application may manage its users or use externally managed users
• Application must be able to access the identity store
• Application can be bound to one or more identity stores at deployment
• The identity store bound to the application can be reconfigured

Stage              | Users                  | Identity store                               | Identity propagation
Develop            | Few test users         | K-V store or in code suffices                | No Id prop
Test               | Few test users         | K-V store or in code suffices                | No Id prop
Integrate          | Large user populations | LDAP, Cloud IDP                              | SAML, Basic, OAuth
Production on-prem | Large user populations | LDAP, some Partner IDP                       | SAML, Basic, some OAuth
Move to Cloud      | Huge user populations  | LDAP?, Cloud IDP, Partner IDP, Social Logins | SAML, Basic, OAuth
Use Case: Identity Representation
• Application must be able to determine the identity of the caller
• Application is able to determine the user's groups
• Application knows the caller identity consistently, as identity stores change

Stage              | Users and groups              | Identity store                          | Attributes
Develop            | Few test users, groups        |                                         |
Test               | Few test users, groups        |                                         |
Integrate          | Large user, group populations | LDAP, Cloud IDP                         | User/group attributes sometimes change
Production on-prem | Large user populations        | LDAP, some Partner IDP                  | User/group attributes sometimes change
Move to Cloud      | Huge user populations         | LDAP?, Cloud/Partner IDP, Social Logins | User, group attributes change based on IDP
Use Case: Security Context
• Application is able to determine user attributes consistently
  – Authenticated user: groups, roles
  – Identity provider that issued the claims used in creating the Subject
  – Local or remote user? Virtual user?
• Application needs a consistent API to access the security context
OpenID Connect (OIDC): Refresher
• Authentication protocol built on OAuth 2
• Session management: single sign-on, sign-out
• An additional token type: ID Token
• UserInfo, Discovery, Client self-registration endpoints
• Specs: OpenID Core, Discovery, Client Registration
Use Case: OIDC
• At deployment, the application is configured to be secured by OIDC
• Application must continue to rely on well-known abstractions for
  – Identity
  – Authentication
  – Authentication events
What does this mean to the App?
• An app developer
  – Needs a consistent API to abstract the identity store, authentication mechanism, identity representation
  – Can rely on configuration alone, to change as the app progresses
• DevOps can easily change configuration to suit the environment

Develop: In-memory store | Test: In-memory store | Integrate: LDAP, Cloud IDP | Production on-prem: LDAP, Partner IDP | Move to Cloud: LDAP, Cloud IDP, Social
How can JSR 375 help?
JSR 375: Recap, Relevance to the Cloud
• Standardize terminology
• API for authentication mechanism
• API for identity store
• API for security context
• API for password aliasing
• API for role/permission assignment
• API for authorization interceptors
A necessary foundation for the Cloud
JSR 375 - Candidates for EG: Authentication Mechanism
• Portable API for authentication
  – abstracts the specific identity store against which to authenticate
• Simple configuration
• Extensible to support protocols such as OpenID Connect and OAuth
• Produces a consistent representation of an authenticated Subject
• Authentication events
• Use JASPIC (JSR 196)?
JSR 375 - Candidates for EG: Identity Store
• Abstract the identity store used by an application
• Simple configuration
• Support a variety of identity stores
  – Lightweight k-v development stores
  – Traditional stores: LDAP, DB
  – Cloud-specific stores, e.g. social logins, 3rd-party cloud identity providers
• Orderable to support multiple identity stores
• Abstraction to support a variety of credential types
  – Username/password; OAuth client id + secret; JWT tokens
JSR 375 - Candidates for EG: Security Context
• Consistent API regardless of container
• Enables the application to determine
  – the user's identity
  – the identity provider that was used to establish identity
  – which groups or roles the user belongs to

    import java.util.List;   // needed for List<String> below

    public interface SecurityContext {
        String getUserPrincipal();
        boolean isUserInRole(String role);
        List<String> getAllUsersRoles();
        boolean isAuthenticated();
    }
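As an added illustration of the orderable identity stores and credential types from the Identity Store slide, producing the caller and group information a SecurityContext like the one above has to answer from, here is a small handler written for this page (not JSR 375 or Oracle code). The interface, record and status names are assumptions, the users and tokens are constructed, and it needs Java 16 or later:

```java
import java.util.*;
// Added illustration of the ordered identity-store and credential-type ideas on this slide;
// the interfaces, records and statuses are assumptions, not JSR 375 API. Needs Java 16+.
public class OrderedIdentityStores {
    enum Status { VALID, INVALID, NOT_VALIDATED }
    interface Credential {}   // each store decides which credential types it understands
    record UsernamePassword(String user, char[] password) implements Credential {}
    record BearerToken(String token) implements Credential {}
    record Result(Status status, String caller, Set<String> groups) {
        static final Result NOT_VALIDATED = new Result(Status.NOT_VALIDATED, null, Set.of());
        static final Result INVALID = new Result(Status.INVALID, null, Set.of());
    }
    interface IdentityStore {
        int priority();                  // lower values are consulted first
        Result validate(Credential c);   // NOT_VALIDATED when the credential type is unsupported
    }
    // Lightweight k-v development store with constructed users (plaintext is tolerable only in Develop/Test).
    static final class InMemoryStore implements IdentityStore {
        private final Map<String, String> passwords = Map.of("alice", "alice-pw");
        private final Map<String, Set<String>> groups = Map.of("alice", Set.of("SalesSupport"));
        public int priority() { return 10; }
        public Result validate(Credential c) {
            if (!(c instanceof UsernamePassword up)) return Result.NOT_VALIDATED;
            String expected = passwords.get(up.user());
            if (expected == null || !expected.equals(new String(up.password()))) return Result.INVALID;
            return new Result(Status.VALID, up.user(), groups.getOrDefault(up.user(), Set.of()));
        }
    }
    // Stand-in for a token-validating store such as a cloud IdP; accepts one constructed token.
    static final class TokenStore implements IdentityStore {
        public int priority() { return 20; }
        public Result validate(Credential c) {
            if (!(c instanceof BearerToken t)) return Result.NOT_VALIDATED;
            return "demo-token-bob".equals(t.token())
                ? new Result(Status.VALID, "bob", Set.of("Analyst")) : Result.INVALID;
        }
    }
    // Handler: consult stores in priority order; the first VALID wins; a credential no store handles is INVALID.
    static Result validate(List<IdentityStore> stores, Credential c) {
        List<IdentityStore> ordered = new ArrayList<>(stores);
        ordered.sort(Comparator.comparingInt(IdentityStore::priority));
        for (IdentityStore s : ordered) {
            Result r = s.validate(c);
            if (r.status() == Status.VALID) return r;
        }
        return Result.INVALID;
    }
    public static void main(String[] args) {
        List<IdentityStore> stores = List.of(new TokenStore(), new InMemoryStore());
        System.out.println(validate(stores, new UsernamePassword("alice", "alice-pw".toCharArray())));
        System.out.println(validate(stores, new BearerToken("demo-token-bob")));
        System.out.println(validate(stores, new BearerToken("forged")));   // status INVALID
    }
}
```

Swapping the in-memory store for an LDAP- or IdP-backed one changes only the list passed to validate(), which is the configuration-only progression the later slides ask for.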
More to Security than Identity?
Authorization
• OAuth 2
• Role/permission assignment
• Authorization interceptors
Lots of ground to cover!
OAuth 2: Refresher
• An authorization/delegation framework
• Standardized by RFC 6749
  – RFC 6750: using bearer tokens
  – RFC 6819: security considerations
• On a foundation of token standards
  – JSON Object Signing and Encryption (JOSE)
  – JWT (RFC 7519), JWS (RFC 7515), JWE (RFC 7516), JWA (RFC 7518), JWK (RFC 7517)
• Actors
  – Resource Owner
  – Client
  – Resource, Resource Server
  – Authorization Server
• Authorizations represented as 'scopes'
OAuth 2 Authorization Flows
• Authorization Code Flow: server-side app acting on behalf of a user (3-legged)
• Implicit Grant Flow: client on behalf of a user (3-legged)
• Resource Owner Grant Flow: trusted client on the user's behalf (2-legged)
• Client Credentials Flow: client on its own behalf (2-legged)
Problem Statement: OAuth 2
[Diagram: an App Client sends GET http://hostname/api/v2/customers with "Authorization: Bearer ya29.Ci9g…." to a <<Resource Server>> exposing the <<Resources>> /api/v2/customers and /api/v2/ratings; both sides are registered with an Authorization Server]
• Resource server setup: 1. Create OAuth resources; 2. Register with the authorization server
• Client setup: 1. Create OAuth client; 2. Register with the authorization server; 3. Update scopes of interest
• Client at runtime: 1. Execute an authorization flow; 2. Get an access token for scope(s), e.g. /api/v2/customers; 3. Optionally, get a refresh token
• Resource server at runtime: validate the access token, get the subject
Problem Statement: OAuth 2
• Server-side
  – How do I register my OAuth resources?
  – How do I indicate my 'scopes'?
• Client-side
  – How do I register my OAuth client?
  – How do I know which 'scopes' to ask for?
  – How does my client get tokens?
  – How does my client handle expiry?
• Can we abstract variations in authorization servers?
• How do we deal with scopes/clients/resources at scale?
Ideas for OAuth 2
• Server-side
  – Annotate resources to be secured
  – Annotate whether a resource needs BASIC or OAuth 2
  – For OAuth 2 secured resources, standardize scope declaration
  – Standardize OAuth resource registration with the authorization server
  – Adapt to specific authorization servers
  – Document auth method, scopes: Swagger?
• Client-side
  – Lifecycle to handle client registration
    • Static or dynamically created clients
    • Secure management of client id/secrets
  – Discover capabilities on targets for constructing scopes in token requests
  – Abstractions to acquire tokens
    • OAuth 2 flows as strategies
    • Token expiry handling
  – Abstraction to inject tokens on invocation
• Subject to further exploration with the EG, JAX-RS and Servlet specs
OAuth 2: Are we just automating complexity? Is there a simpler way?
Role/Permission Assignment: Use Case
• Application may manage its users or use externally managed users
• Application needs to assign roles to users, groups based on an application-specific model
Role/Permission Assignment: Problem Statement
• Users or groups assigned to roles change based on deployment
• User, group representations change based on the bound identity store
• OAuth 2 scopes vs roles: do they overlap? Are they complementary?
Role/Permission Assignment: Ideas
• Support via deployment descriptors, e.g. web.xml
  – Change the binding at deployment based on the configured Id Store
• Assign scopes on OAuth 2 resources to roles?
  – Enables the app to bind scopes to roles while the mapped users, groups change

    <security-role-map>
        <group>SalesSupport</group>
        <role-name>CSR</role-name>
    </security-role-map>

    import javax.annotation.security.RolesAllowed;
    import javax.ws.rs.GET;

    public class Customers {
        @RolesAllowed("CSR")
        @GET
        public String get() ...
    }
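An added example for this page (not JSR 375, Oracle or any vendor code) of the resource-server step sketched on the OAuth 2 problem-statement slide, "validate access token, get subject", combined with the scope-to-role binding proposed here: it validates an HS256-signed bearer token and maps its scopes onto roles such as CSR. The shared secret, scope names, scope-to-role table and flat-JSON claim parsing are constructed for the example; a real resource server would use a JOSE/JSON library and the authorization server's published keys.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added illustration, not JSR 375 or vendor code: a resource server validates an HS256 bearer
// token and binds its OAuth2 scopes to application roles. The secret, scope names and the
// scope-to-role table are constructed; real code would use a JOSE/JSON library.
public class BearerScopeToRole {
    static final byte[] SECRET = "constructed-demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);
    static final Map<String, String> SCOPE_TO_ROLE = Map.of("customers.read", "CSR", "ratings.write", "Analyst");
    static String enc(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static byte[] dec(String s) { return Base64.getUrlDecoder().decode(s); }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    static byte[] hmac(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return mac.doFinal(utf8(signingInput));
    }
    // What the (constructed) authorization server issues after an authorization flow.
    static String mint(String sub, String scope, long exp) throws Exception {
        String input = enc(utf8("{\"alg\":\"HS256\",\"typ\":\"JWT\"}")) + "."
            + enc(utf8("{\"sub\":\"" + sub + "\",\"scope\":\"" + scope + "\",\"exp\":" + exp + "}"));
        return input + "." + enc(hmac(input));
    }
    // Claim lookup sufficient for the flat JSON minted above.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]*)").matcher(json);
        return m.find() ? m.group(1).trim() : null;
    }
    // Returns subject -> roles for /api/v2/customers, or empty when the request must be rejected.
    static Optional<Map.Entry<String, Set<String>>> authorize(String header, long now) throws Exception {
        if (header == null || !header.startsWith("Bearer ")) return Optional.empty();
        String[] p = header.substring(7).split("\\.");
        if (p.length != 3) return Optional.empty();
        // Pin the algorithm before trusting anything in the token (rejects "none" and alg confusion).
        if (!"HS256".equals(claim(new String(dec(p[0]), StandardCharsets.UTF_8), "alg"))) return Optional.empty();
        if (!MessageDigest.isEqual(hmac(p[0] + "." + p[1]), dec(p[2]))) return Optional.empty(); // constant-time
        String payload = new String(dec(p[1]), StandardCharsets.UTF_8);
        String exp = claim(payload, "exp"), sub = claim(payload, "sub"), scope = claim(payload, "scope");
        if (exp == null || sub == null || now >= Long.parseLong(exp)) return Optional.empty(); // expired
        Set<String> roles = new TreeSet<>();
        for (String s : (scope == null ? "" : scope).split(" ")) {
            String role = SCOPE_TO_ROLE.get(s);   // scopes the app never declared grant no role
            if (role != null) roles.add(role);
        }
        return Optional.of(Map.entry(sub, roles));
    }
    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        System.out.println(authorize("Bearer " + mint("alice", "customers.read", now + 300), now)); // alice=[CSR]
        System.out.println(authorize("Bearer " + mint("bob", "profile", now + 300), now));         // bob=[]
        System.out.println(authorize("Bearer " + mint("bob", "customers.read", now - 1), now));    // empty
    }
}
```

The roles returned are what an @RolesAllowed("CSR") check on the resource would consult, so changing the scope-to-role table at deployment rebinds scopes to roles without touching the resource code.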
Authorization Interceptors: Use Case
• Application must restrict access to functionality
• Roles alone are too coarse-grained
• The application's business model determines the rules that drive access
Authorization Interceptors
• Problem statement
  – No consistent interceptor for policy enforcement
  – No consistent, externalizable rules
  – Need to be bindable to changing identities by business and operations
• Ideas
  – Standardize interceptors
  – Enable security teams to build custom authorization logic
  – Externalized, standardized rule language
  – Identity and security-context aware
Secrets: Use Case
• Application needs to be able to securely manage secrets
• Secrets may include passwords to resources, e.g. OAuth client id + secrets
• Applications are able to secure secrets in a portable way
• Secrets are never stored in clear text
• Values change and are bound per deployment
• State has to be externalized
  – Application may consume secrets from a Key Management System (KMS)
Secrets: Ideas
• Application refers to secrets via aliases
• Aliases configured via annotations or deployment descriptors
• Lifecycle
  – Bundle alias + value as a secrets archive with the application
  – Bind values to aliases at deployment
    • From an external KMS?
  – Tooling to manage the secrets archive
• Rely on PKCS12 support in java.security.KeyStore?
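An added example for this page (not JSR 375 or Oracle code) of the alias lifecycle above, built on the PKCS12 secret-key-entry support in java.security.KeyStore that the last bullet asks about: bind() stores a value under its alias at deployment and resolve() hands the application only the alias it configured. The alias, archive password and secret value are constructed; the archive password would in practice come from the deployer or a KMS, and the PBE encoding used here assumes ASCII secret values.

```java
import java.io.*;
import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration of the "alias + secrets archive" lifecycle on this slide, using the
// PKCS12 secret-key-entry support the slide asks about; not JSR 375 or vendor code.
// Values are stored as PBE keys, so ASCII secrets are assumed (SunJCE keeps 7 bits per char).
public class SecretsArchive {
    private final File archive;
    private final char[] storePassword;   // supplied by the deployer or a KMS, never bundled with the app

    SecretsArchive(File archive, char[] storePassword) { this.archive = archive; this.storePassword = storePassword; }

    private KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (archive.exists()) { try (InputStream in = new FileInputStream(archive)) { ks.load(in, storePassword); } }
        else ks.load(null, null);                       // fresh, empty archive
        return ks;
    }

    /** Deployment-time binding: the value goes under its alias; application code never contains it. */
    void bind(String alias, char[] secret) throws Exception {
        KeyStore ks = load();
        SecretKey key = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(secret));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(storePassword));
        try (OutputStream out = new FileOutputStream(archive)) { ks.store(out, storePassword); }
    }

    /** Runtime resolution of an alias such as "oauth.client.secret"; an unbound alias fails loudly. */
    char[] resolve(String alias) throws Exception {
        KeyStore.Entry e = load().getEntry(alias, new KeyStore.PasswordProtection(storePassword));
        if (!(e instanceof KeyStore.SecretKeyEntry)) throw new IllegalStateException("alias not bound: " + alias);
        SecretKey key = ((KeyStore.SecretKeyEntry) e).getSecretKey();
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance("PBE").getKeySpec(key, PBEKeySpec.class);
        try { return spec.getPassword(); } finally { spec.clearPassword(); }
    }

    public static void main(String[] args) throws Exception {
        File f = File.createTempFile("secrets", ".p12");
        SecretsArchive a = new SecretsArchive(f, "archive-pass".toCharArray());   // constructed password
        a.bind("oauth.client.secret", "s3cr3t-client-value".toCharArray());       // constructed secret
        char[] v = a.resolve("oauth.client.secret");
        System.out.println(new String(v));                                        // s3cr3t-client-value
        java.util.Arrays.fill(v, '\0');                                           // wipe after use
        f.delete();
    }
}
```

Rebinding the same alias to a different value for another deployment stage is just another bind() call against that stage's archive.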
Consistently Secure: On-prem to Cloud
Way Forward?
Java EE 8
• Standardize terminology
• Authentication mechanism
• Identity store
• Security context
Java EE 9
• Authentication: OpenID Connect
• Authorization (incl. OAuth)
• Secret management (incl. password aliasing)
• Security microservices
• Packaging, configuration, binding
[Diagram: the Microservices in the Cloud picture from the Motivation section, repeated: hosts running Service A, Service B and Service C behind a Router/LB with Service Discovery, Configuration, Eventing, Logging and State/Caching/DB; Identity from On-Prem, a Cloud IdP or Social Logins; an SSO Agent (?); Partner Systems and Apps in Cloud Systems]
Java EE 9 Candidates - OpenID Connect
• Problem statement
  – Enable using OIDC for authentication at deployment
  – Transparent to the application
  – Solely through configuration
  – Regardless of the specific OIDC implementation
• Ideas
  – OIDC flows as an authentication mechanism
  – Standardize, abstract the necessary configuration
  – Configurable at deployment
  – Encapsulate within the Security Context
    • Representations of user identity, group memberships
    • Based on claims in the OIDC Identity Token from the OpenID Provider (OP)
  – Provide applications access to the /userinfo endpoint via the identity store abstraction
Java EE 9 Candidates - Authorization, Secret Management
• Authorization
  – Discover/publish OAuth resources
  – OAuth client registration
  – Authorization interceptors
  – Authorization rules EL
  – Role/permission assignment
• Secret management
  – Abstracting the secrets the application needs
  – Bind secret values at deployment
  – Standardize binding values from KMS systems
Java EE 9 Candidates - Security Microservices
• Identity services
  – Authentication implementations
  – Authentication configuration
  – Identity store configuration, handling
  – Token acquisition, exchange
• Secrets management
  – APIs to manage secrets
  – APIs to get secrets
  – Abstracts persistence, state management
• Authorization service
  – APIs to publish, manage policy, role mapping
  – APIs to get decisions
• Mix-in services as functionally needed
• Packaging and lifecycle
  – Standardize security configuration
  – Externalize configuration
  – Bind values at deployment
Where do we go next in the EG?
2017
• Build a foundation for identity with JSR 375 in Java EE 8
2018
• Candidates for focus in Java EE 9
• Security in packaging, configuration, build
• Security microservices
• Authorization
• Secret management
Simple. Consistent. Secure.
Get Involved
• Project page for all resources: https://java.net/projects/javaee-security-spec
• Subscribe, contribute: [email protected]
• Playground: https://github.com/javaee-security-spec/javaee-security-proposals
Next Steps: Give us your feedback
• Take the survey: http://glassfish.org/survey
• Send technical comments to: [email protected]
• Join the JCP; come to the Hackergarten in the Java Hub: https://jcp.org/en/participation/membership_drive
• Join or track the JSRs as they progress: https://java.net/projects/javaee-spec/pages/Specifications
• Adopt-a-JSR: https://community.oracle.com/community/java/jcp/adopt-a-jsr
Where to Learn More at JavaOne

Session Number | Session Title                             | Day/Time
CON7983        | JAX-RS 2.1 for Java EE 8                  | Tuesday 12:30 p.m.
CON8292        | Portable Cloud Applications with Java EE  | Tuesday 2:30 p.m.
CON7980        | Servlet 4.0: Status Update and HTTP/2     | Tuesday 4:00 p.m.
CON7978        | Security for Java EE 8 and the Cloud      | Tuesday 5:30 p.m.
CON7979        | Configuration for Java EE 8 and the Cloud | Wednesday 11:30 a.m.
CON7977        | Java EE Next: HTTP/2 and REST             | Wednesday 1:00 p.m.
CON6077        | The Illusion of Statelessness             | Wednesday 4:30 p.m.
CON7981        | JSF 2.3                                   | Thursday 11:30 a.m.
Q&A