Java EE Security in a PaaS World
By lmccay on Apr 20, 2012
Welcome to the SecuritEE blog!
We will be using this space to discuss interesting developments and thinking within the Java EE Security space. These topics will be relevant to what is going on within the JCP for Java EE 7 and beyond for security. Some of them will be discussed at JavaOne 2012, some will evolve into solutions to interesting problems in cloud computing for Java EE, and some may find their way into our favorite programming models and tooling.
Some of the more interesting topics relate to the differences between deploying a Java EE application to the cloud and deploying one to a standalone Java EE application server that you or an in-house IT organization administer.
In the traditional standalone server deployment, we are accustomed to the fact that the development model and the server's management/configuration aspects are very independent things. In fact, the Java EE platform has typically stayed away from defining how management and configuration of the server are accomplished. This has left room for rich management environments and toolsets that provide a great way for implementations to differentiate themselves in the marketplace. The fact that the management aspects of the server vary from implementation to implementation has been fine, as administrators and developers have developed skill sets for their particular platform choice.
Enter cloud computing and the ability to deploy Java EE applications to a given PaaS provider!
How do we communicate the needs of an application that we are deploying for things such as:
- access to the filesystem
- ability to make socket connections to other servers
- SSL configuration - i.e. trust, identity, certificate/key aliases
- domain names
- password indirection for backend resources
These security-related tasks may suddenly require the application deployer to learn the management facilities of every PaaS provider they use in their cloud computing strategy.
Perhaps, we can include some of this information as part of the application deployment process and automate the provisioning of these concerns!
With the inclusion of additional metadata and artifacts bundled with an application at deployment time, we can provide a fundamental level of portability across PaaS providers and get our applications deployed and up and running as quickly and painlessly as possible!
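To make the idea concrete, here is an added example (not code from the original post or from any Java EE specification) of what such bundled metadata might look like and how a platform could check it before provisioning. The manifest format, the `META-INF/paas-security.properties` file name, the `${alias:...}` indirection syntax and the `SecretSource` interface are all assumptions made for illustration. The security-relevant check is that a deployable may name a password alias that the platform resolves, but must never carry the literal password itself:

```java
import java.util.*;
import java.util.regex.*;

/**
 * Hypothetical portable security manifest bundled with an application archive.
 * Example only: the property names and alias syntax are assumptions, not a standard.
 */
public final class PaasSecurityManifest {

    /** Where the platform would look up secrets (a vault, a credential store...). Assumed interface. */
    public interface SecretSource {
        String lookup(String alias);
    }

    // Matches the assumed indirection syntax ${alias:NAME}
    private static final Pattern ALIAS_REF = Pattern.compile("^\\$\\{alias:([A-Za-z0-9._-]+)\\}$");

    /** Constructed sample of what a deployer might bundle as META-INF/paas-security.properties. */
    static final String SAMPLE = String.join("\n",
        "filesystem.read=/var/app/uploads",
        "socket.outbound=db.internal.example:5432",
        "ssl.trust.alias=corp-root-ca",
        "ssl.identity.alias=app-server-cert",
        "domain.name=shop.example.com",
        "datasource.jdbc/OrdersDS.user=orders_app",
        "datasource.jdbc/OrdersDS.password=${alias:orders-db-password}",
        "datasource.jdbc/ReportsDS.password=hunter2");   // deliberately wrong: literal secret

    /** Parse key=value lines, skipping blanks and # comments. */
    public static Map<String, String> parse(String text) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int eq = line.indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("malformed line: " + line);
            out.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return out;
    }

    /** Keys that look like credentials but hold a literal value instead of an alias reference. */
    public static List<String> findLiteralSecrets(Map<String, String> manifest) {
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, String> e : manifest.entrySet()) {
            String key = e.getKey().toLowerCase(Locale.ROOT);
            boolean credentialKey = key.endsWith(".password") || key.endsWith(".secret");
            if (credentialKey && !ALIAS_REF.matcher(e.getValue()).matches()) {
                bad.add(e.getKey());
            }
        }
        return bad;
    }

    /**
     * Resolve every ${alias:NAME} through the platform's SecretSource. Refuses to run while
     * literal secrets are present, so a bad archive fails at deployment rather than at runtime.
     */
    public static Map<String, String> resolve(Map<String, String> manifest, SecretSource secrets) {
        List<String> literal = findLiteralSecrets(manifest);
        if (!literal.isEmpty()) {
            throw new SecurityException("literal credentials in manifest: " + literal);
        }
        Map<String, String> resolved = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : manifest.entrySet()) {
            Matcher m = ALIAS_REF.matcher(e.getValue());
            if (m.matches()) {
                String value = secrets.lookup(m.group(1));
                if (value == null) throw new NoSuchElementException("unknown alias: " + m.group(1));
                resolved.put(e.getKey(), value);
            } else {
                resolved.put(e.getKey(), e.getValue());
            }
        }
        return resolved;
    }

    public static void main(String[] args) {
        Map<String, String> manifest = parse(SAMPLE);
        System.out.println("Literal secrets found: " + findLiteralSecrets(manifest));
        // -> [datasource.jdbc/ReportsDS.password]

        // Fix the offending entry the way the deployer should have written it, then resolve.
        manifest.put("datasource.jdbc/ReportsDS.password", "${alias:reports-db-password}");
        SecretSource fakeVault = alias -> "secret-for-" + alias;   // stand-in for the PaaS secret store
        Map<String, String> ready = resolve(manifest, fakeVault);
        System.out.println(ready.get("datasource.jdbc/OrdersDS.password"));
        // -> secret-for-orders-db-password
    }
}
```

The point of the check is portability as well as safety: the archive names only an alias, so the same deployable can be pushed to any provider that implements the lookup, and no provider ever receives the credential inside the artifact.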
What will we do to address the isolation, protection and integrity of business-critical and sensitive data in our Java EE applications? What options are available to developers and PaaS providers for accomplishing these goals?
What questions do developers and managers need to have answered when evaluating what platforms and technologies to employ in their cloud computing strategies?
How does Web SSO fit into the Java EE programming and deployment models?
These sorts of questions will spawn topics of discussion in this blog space.
I hope that it will be a thought-provoking, interesting and compelling tool to drive our security needs and solutions in the EE platform!