jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: Multi-tenancy and web container

From: Jeff Williams <jeff.williams_at_aspectsecurity.com>
Date: Tue, 15 Nov 2011 10:26:59 -0500

Rajiv,

 

I'm interested in how this will work from a security perspective. Could
you point me to the plan for keeping the various tenants from affecting
(either inadvertently or maliciously) each other? Will certain Java
APIs be removed or restricted (like Google AppEngine)? Thanks,

 

--Jeff

 

Jeff Williams, CEO

Aspect Security

410-707-1487

 

From: Rajiv Mordani [mailto:rajiv.mordani_at_oracle.com]
Sent: Friday, November 11, 2011 9:33 PM
To: jsr340-experts_at_servlet-spec.java.net
Subject: [jsr340-experts] Multi-tenancy and web container

 

As part of Java EE 7 one of the areas of focus is - multi-tenancy / PaaS
style deployments of applications. As I have sent previously to the EG
the current proposal for Java EE Platform as for PaaS as it stands today
is described at [1].

I would like to start the discussion around the requirements for what it
means for the Web Container. In particular for the multi-tenancy aspect
in a PaaS environment, what are the customizations that each tenant can
provide and how they will be reflected in the spec. Some initial
thoughts that I had are listed below -

* URL mapping
* init-params
* Customization of resources to be loaded per tenant - style
sheets, jsps, error pages etc
* Customized DataSources and other resource-refs per tenant
* session related configuration (timeout, tracking mode,
isHttpOnly, security setting etc)
* security roles constraints per tenant (should we allow every
tenant to change this for the application)
* keystores, certs for an application (can we even do this per
tenant)

What else am I missing here?

[1] http://java.net/downloads/javaee-spec/PaaS.pdf

- Rajiv