Hi Jeff,
There have been internal discussions around some of the security
aspects but there is nothing that I can share just yet. When I do have
anything I will forward to the group. AFAIK there is no plan to restrict
APIs (as in white listing) per se but possibly by restrictions via
SecurityManager.
- Rajiv
On 11/15/2011 07:26 AM, Jeff Williams wrote:
>
> Rajiv,
>
> I'm interested in how this will work from a security perspective.
> Could you point me to the plan for keeping the various tenants from
> affecting (either inadvertently or maliciously) each other? Will
> certain Java APIs be removed or restricted (like Google AppEngine)?
> Thanks,
>
> --Jeff
>
> Jeff Williams, CEO
>
> Aspect Security
>
> 410-707-1487
>
> *From:* Rajiv Mordani [mailto:rajiv.mordani_at_oracle.com]
> *Sent:* Friday, November 11, 2011 9:33 PM
> *To:* jsr340-experts_at_servlet-spec.java.net
> *Subject:* [jsr340-experts] Multi-tenancy and web container
>
> As part of Java EE 7 one of the areas of focus is - multi-tenancy /
> PaaS style deployments of applications. As I have sent previously to
> the EG the current proposal for Java EE Platform as for PaaS as it
> stands today is described at [1].
>
> I would like to start the discussion around the requirements for what
> it means for the Web Container. In particular for the multi-tenancy
> aspect in a PaaS environment, what are the customizations that each
> tenant can provide and how they will be reflected in the spec. Some
> initial thoughts that I had are listed below -
>
> * URL mapping
> * init-params
> * Customization of resources to be loaded per tenant - style sheets,
> jsps, error pages etc
> * Customized DataSources and other resource-refs per tenant
> * session related configuration (timeout, tracking mode, isHttpOnly,
> security setting etc)
> * security roles constraints per tenant (should we allow every
> tenant to change this for the application)
> * keystores, certs for an application (can we even do this per tenant)
>
> What else am I missing here?
>
> [1] http://java.net/downloads/javaee-spec/PaaS.pdf
>
> - Rajiv
>