jsr342-experts@javaee-spec.java.net

[jsr342-experts] Re: security manager requirements in Java EE

From: Werner Keil <werner.keil_at_gmail.com>
Date: Fri, 17 Feb 2012 13:12:22 +0100

Deepak/all,

Thanks a lot for the discussion. This sounds very interesting and useful,
especially in the PaaS and multi-tenancy scenarios that EE7 and beyond try to
cover as well as possible.

While it is just one aspect of Security, and may or may not be on the EE7
release train from a time perspective, Java Identity (JSR-351) should also
be taken into consideration for this.
It wasn't part of the EE stack, but at least BEA, from WebLogic 9/10 on,
included functionality like Identity Management rather tightly in its
server and portal products. And clients I helped use that in a very PaaS-like
environment, e.g. offering their platform to leading investment banks
and insurance companies: Credit Suisse, UBS, Capita, MetLife, BOA and
many others.

Still specific and proprietary to their services, not only these users of
Java EE 6 or before would welcome a more common standard for Security,
Identity and Authentication, including some of the new trends like OAuth
that Social Media have made extremely popular.

Kind Regards,
-- 
Werner Keil | JCP Executive Committee Member (ME) | Eclipse UOMo Lead
Twitter @wernerkeil | #Java_Social | #EclipseUOMo | #OpenDDR
Skype werner.keil | Google+ gplus.to/wernerkeil
* Social Media Week: February 13-17 2012, Hamburg, Germany. Werner Keil,
JCP EC (ME) Member, Social JSR Co-Spec Lead presents "Java Social"
* Global Android DevCamp: February 18-19 2012, Frankfurt, Germany. Werner
Keil, JCP EC (ME) Member, UOMo Lead will represent "UOMo and Storyoid"

On Fri, Feb 17, 2012 at 8:06 AM, Deepak Anupalli <deepak_at_pramati.com> wrote:
> (Comments Inline)
>
> > -----Original Message-----
> > From: Bill Shannon [mailto:bill.shannon_at_oracle.com]
> > Sent: 11 February 2012 03:32
> > To: jsr342-experts_at_javaee-spec.java.net
> > Subject: [jsr342-experts] security manager requirements in Java EE
> >
> > Security has always been a key part of the Java EE platform.
> > From the beginning we defined the Java security permissions that an
> > application should expect to have, and we expected that application servers
> > would want to control what permissions applications should have.  Several
> > releases ago we clarified the requirements so that application servers may
> > run without a security manager.  This was commonly used in development
> > environments, and in non-Java EE application servers such as Tomcat.
> >
> > Unfortunately, what we failed to do was to make it clear that Java EE
> > application servers were also required to be able to run *with* a security
> > manager, and to be able to enforce Java security permissions.
> >
> > ***** Unless there are objections, we intend to make this
> > ***** requirement explicit in the EE 7 spec.
> >
> >
> > One of the reasons this issue comes up is that some library and framework
> > developers seem to assume that they can do anything they want with any
> > Java API.  Users then complain when these libraries or frameworks don't
> > work in an application server that uses a security manager.
> >
> > A degenerate way that an application server could meet the requirement to
> > be able to run with a security manager would be to simply grant all
> > applications all permissions all the time.  Obviously that wouldn't address the
> > core problem.  Thus, we believe we also need a clear requirement that the
> > application server be able to *restrict* the set of permissions granted to
> > an application.
> >
> > Defining a requirement in this area is a bit tricky.  While it might seem
> > attractive to require that an application server be able to run applications
> > with *only* the minimum permissions defined in the spec, it's possible that
> > there could be product-specific (non-standard) permissions that are needed.
> > Still, it seems like it would be good to define some boundaries here.
> >
> > ***** Would you support a requirement to be able to run
> > ***** applications with a restricted set of permissions?
>
> Most App Servers do have Java Policy configuration and run the Server VM in
> a security sandbox. AFAIK, Java EE TCK verifies an existing set of Java EE
> security permissions defined in the Java EE platform specification
> EE.6.2.3.
>
> How different is this new set going to be from the existing one?
>
> >
> >
> > We think it's especially likely that a Java EE cloud product will use a security
> > manager to maintain control over the operational environment.  Remember,
> > our target is PaaS, not Middleware over IaaS:
> > http://blogs.oracle.com/rezashafii/entry/paas_is_not_middleware_over
> >
> > In a true PaaS environment, application permissions are likely to be restricted
> > to only what's needed.  In such an environment, it may be useful to know if
> > the application needs any permissions beyond the minimum that the
> > platform spec guarantees.
> >
> > Something we've been considering for quite some time is to provide a way
> > for an application to include a list of these additional permissions it needs.
> > The platform implementation could then evaluate these permissions and
> > ensure that the application is granted what it needs, or reject deployment of
> > the application.
> >
> > ***** Would you support including such a capability in Java EE?
>
> This is an area with possible impedance mismatch between PaaS Provider and
> the PaaS Customer in terms of expected configuration. But, I strongly feel
> we should leave it out to the PaaS Provider to figure out a contract for
> enforcing the required security policy for their Customers.
>
> Just some thoughts, not sure if we talked about this earlier. Can the same
> VM/Instance host applications belonging to different tenants with separate
> sets of VM/platform/vendor-specific configurations?
>
> To elaborate a little bit, each application can have an entirely different
> memory footprint OR for web applications tuning parameters like socket
> pools, thread pools, buffer sizes, denial of service (DoS) etc. could be
> entirely different. When we are talking about multi-tenancy at the platform
> level, can these applications with different config requirements be
> provisioned on the same containers?
>
> If not, what's the guarantee that an application will be provisioned or deployed
> on the PaaS platform? In order to truly envision multi-tenancy of the platform,
> there should be some guarantee on the environment/configuration a PaaS
> provider makes to its customers.
>
> >
> >
> > Other than the first item above, we're not sure how many of these items we
> > can address for EE 7, but we wanted to see if there was support in principle
> > for these items before we moved forward.
> >
> > Let us know what you think.
>
> -Deepak
>
>
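The deployment-time evaluation Bill describes (an application lists the permissions it needs beyond the platform minimum, and the platform either grants them or rejects the deployment), shown as an added example written for this page; it is not code from the thread, from the Java EE TCK or from any application server. It also contrasts the "grant all applications all permissions" policy with a restricting one, since only the latter can ever reject anything. Assumed rather than taken from the thread: the class and method names, the constructed sample of declared permissions, and the contents of the EE 6 web-component minimum (table EE.6-2), which is reproduced from memory and should be checked against the spec.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.PropertyPermission;

public class PermissionDeploymentCheck {

    // Minimum permission set the EE 6 platform spec guarantees to web components
    // (table EE.6-2, reproduced from memory; treat the exact entries as an assumption).
    static PermissionCollection webComponentMinimum() {
        Permissions p = new Permissions();
        p.add(new RuntimePermission("loadLibrary.*"));
        p.add(new RuntimePermission("queuePrintJob"));
        p.add(new SocketPermission("*", "connect"));
        p.add(new FilePermission("*", "read,write"));   // "*" = files in the current directory only
        p.add(new PropertyPermission("*", "read"));
        return p;
    }

    // The degenerate policy from the thread: AllPermission implies every other
    // permission, so an evaluation against this set can never reject a deployment.
    static PermissionCollection grantAll() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    // Spec minimum plus whatever extras the PaaS provider has explicitly approved.
    static PermissionCollection restricted(Permission... approvedExtras) {
        Permissions p = new Permissions();
        for (Permission m : Collections.list(webComponentMinimum().elements())) {
            p.add(m);
        }
        for (Permission extra : approvedExtras) {
            p.add(extra);
        }
        return p;
    }

    // Declared permissions that the granted set does not imply. An empty list means
    // the application can be deployed; otherwise these are the entries a container
    // would report when rejecting the deployment.
    static List<Permission> unsatisfied(PermissionCollection granted, List<Permission> declared) {
        List<Permission> missing = new ArrayList<>();
        for (Permission need : declared) {
            if (!granted.implies(need)) {
                missing.add(need);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample of what a hypothetical application might declare beyond
        // the minimum (the thread does not define a descriptor format for this).
        List<Permission> declared = Arrays.asList(
            new PropertyPermission("app.cache.dir", "read"),        // already implied by "*" read
            new FilePermission("/var/app/cache/-", "read,write"),  // not implied by the cwd-only minimum
            new RuntimePermission("setSecurityManager"));          // application code should never get this

        // The provider approves exactly one extra: the cache directory.
        PermissionCollection approved =
            restricted(new FilePermission("/var/app/cache/-", "read,write"));

        System.out.println("grant-all policy rejects:  " + unsatisfied(grantAll(), declared));
        System.out.println("restricted policy rejects: " + unsatisfied(approved, declared));
    }
}
```

The check relies on PermissionCollection.implies, the same semantics the security manager applies at run time, so a deployment that passes this evaluation under the restricted set will not hit AccessControlException for the permissions it declared. Against the grant-all set the third, clearly inappropriate request passes as well, which is the point Bill makes about that approach not addressing the core problem. The permission classes used here still exist on current JDKs even though the SecurityManager itself has been deprecated and later removed, so the evaluation can run as a plain deployment-time policy check without installing a security manager.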