Monday Feb 08, 2016

Revamping the Security API in Java EE 8

JAAS, JASPIC, JACC. If those acronyms do not sound familiar, you are in good company. I have been developing with Java EE for almost two decades and I was not terribly familiar with them until I seriously started thinking about revamping Java EE security in the early Java EE 7 time frame. Those are the three main Java EE related standard APIs that have remained largely unchanged since the J2EE era. That is until the Java EE Security API aimed for Java EE 8.

The reason I mostly didn't need to know about these APIs is because of the way Java EE security has evolved over the years. As of Java EE 7 the way applications work is that you do some minimal web.xml configuration declaring what type of authentication you want (basic, form, digest, etc), what application server "realm" (logical link name to application server security configuration) and what roles (security groups) have access to secure parts of the application. Most of the real work is typically actually done in application server admin GUI wizards like configuring what identity store you want to use (database, LDAP, etc) and how underlying groups map to roles (for most of my applications the application roles and identity store groups are exactly the same). There are certainly some benefits to this approach that most other technologies do not have. Most of the heavy lifting for security is just a few mouse clicks as opposed to writing and maintaining code. You can hand off the work of securing the application to an admin where this work often best belongs. Application servers have sophisticated security admin tooling that seems to have everything under the Sun including things like federated security through SAML.

This is not the approach more feature poor runtimes that lack admin GUIs take and the approach also has some downsides. The most significant downside is that beyond learning Java EE APIs as a developer you also need to know about each application server's security administration features. This also means that these features are slightly different from one application server to another, limiting application portability. In a PaaS environment it is a lot easier if all security configuration is done inside the application itself, making the application more self-contained. The last problem is related to the age and focus of the current APIs used in Java EE - JAAS, JASPIC, JACC. These APIs have not gone through a significant revision in a while and their focus is on vendor plug-in writers, not application developers. This becomes a problem when developers need to do things that the application server does not have built-in support for such as using a custom data store (say using a security database with a poorly designed legacy schema) or using a custom authentication mechanism (say your own homegrown HTTP headers for federated security). There are third party frameworks in the Java EE ecosystem such as Shiro and PicketLink that attempt to solve these issues - in particular making application security embedded. These frameworks are of course non-standard and increase the need to add more runtime dependencies in the application.

The new Java EE Security API slated for Java EE 8 aims to solve these problems by simplifying and modernizing security in the platform. The Security API will make it possible to embed security in most common cases in the application in the simplest way possible. It will allow for easy extensibility by providing a much simpler, modernized, developer-focused alternative to JASPIC, JAAS and JACC. In the process it will introduce simple standard terms and interfaces for Java EE security. It will also add some cool new authorization mechanisms in addition to the basic role based security that Java EE offers today.

Specification lead Alex Kosowski described all of this well during his JavaOne 2015 talk embedded below (click here if you can't see the embedded video).

The Java EE Security API is one of the most important and perhaps most awaited parts of Java EE 8. It is not very surprising that it is one of the Java EE 8 JSRs that has seen the most active participation from the community - Alex refers to some of this participation in his talk. You should feel encouraged to participate yourself perhaps starting by viewing the video above.

Monday Feb 01, 2016

HTTP/2 and Servlet 4 in Java EE 8

HTTP is very easily the most important standard in server-side Java. The much awaited HTTP/2 standard is now complete, was fifteen years in the making and promises to radically speed up the entire web through a series of fundamental protocol optimizations. Slated to be a part of Java EE 8, Servlet 4 is the primary vehicle for making HTTP/2 available to the server-side Java ecosystem. In a key JavaOne 2016 session Servlet 4 specification leads Ed Burns and Shing wai Chan discussed Servlet 4 in detail. You can view the video below on the JavaOne 2016 YouTube playlist (click here if you can't see the embedded video). The slide deck for the talk is available here.

In the session they took a detailed look at the changes in HTTP/2 and discussed how these changes will be adopted by the Servlet 4 specification as well as technologies like JSF.

Friday Jan 29, 2016

EJB3 @Lock Annotation for CDI Beans

The EJB 3 @Lock annotation is pretty unique, interesting and useful. It provides an elegant declarative way of controlling concurrency for beans that can be shared across multiple threads such as singletons. As of Java EE 7 the annotation is only available to EJB 3 @Singleton session beans. There is a lot of value to making this bean available to all CDI beans in general. Very recently Stephan Knitelius did exactly that through a pretty simple CDI interceptor. You can read his nice write-up here.

In the longer term this work probably belongs somewhere in the standard such as in an update of the Java EE Concurrency specification or a modular CDI 2 specification. Another good place for Stephen's work is the DeltaSpike project. There are many other cool EJB 3 features that could be similarly made available to CDI beans generally such as @Startup, @Asynchronous and @MaxConcurrency. Some of these issues have long been discussed in the EJB specification JIRA entries.

Wednesday Jan 27, 2016

Java EE @ Oredev

Oredev 2015 was held on 3-6 November in Malmo Sweden. This was my third time at the largest IT conference in the Scania region. The conference is rooted in .NET and development process/methodology but has been trying hard to beef up it's Java content. This year it attracted a decent section of the Java crowd including my fellow Oracle colleagues Bruno Borges and Stephen Chin. Topics covered included .NET, Java SE, Java EE, mobile, methodology, agile, HTML5, JavaScript and NoSQL.

I did talks on Java EE 8 and aligning Java EE with the reactive movement. More details, including slide decks and session videos, posted on my personal blog.

Tuesday Jan 05, 2016

Java EE @ Java Day Mexico

Java Day Mexico 2015 was held on August 29 in historic Guadalajara. I was truly honored to be invited to speak here and this is a very fitting first trip report of the year. Java Day Mexico is the largest Java developer conference in Mexico and it is led primarily by Mexican JUGs. This was another highly successful year for the growing conference. Speakers included Venkat Subramaniam, Pratik Patel, Bruno Borges and Heather VanCura. Topics included Java SE, Java EE, HTML5, JavaScript, architecture, JVM languages, mobile and the cloud.

I had five talks total, essentially back-to-back. I did talks on Java EE 7, Java EE 8, real world microservices with Java EE, aligning Java EE with JavaScript/HTML5 rich clients and open standards. More details, including slide decks and code, posted on my personal blog.

Thursday Dec 03, 2015

EJB and CDI - Alignment and Strategy

We often get questions related to EJB and CDI, to the convergence (or divergence!) between those 2 important Java EE technologies.  That particular topic was discussed a few months ago by Linda De Michiel (Java EE Specification Lead and former JPA Specification Lead) during JavaDay Tokyo 2015.

In her session, Linda first set the stage by discussing the history of both EJB and CDI, and how those 2 technologies have evolved over time. She then discussed the advantages and disadvantages, some of the gaps between those 2 technologies. Linda finally concluded by discussing some strategies to improve things going forward. For example, the @Transactional interceptors was introduced in Java EE 7. In Java EE 8, the idea is to continue on the path of extracting additional container services to make those more widely and more easily available in the platform. Java EE 8's CDI Security Interceptors and the new 'flexible MDB' comes to mind.

This is an interesting talk as it discusses the past, the present and the future of fundamental Java EE technologies. It should be mentioned that David Blevins and Jean-Louis Monteiro (TomEE) gave a similar talk during JavaOne : "EJB/CDI Alignment (What does it Mean?)"

Monday Oct 19, 2015

Servlet 4 Early Draft Now Available

The key Servlet 4 specification slated to be included in Java EE 8 continues to make progress and just released its first early draft review (EDR). You can download and take a look at the draft from the JCP site. Bringing HTTP/2 support to server-side Java is the principal goal of Servlet 4. Specification lead Ed Burns has an excellent slide deck covering HTTP/2 and Servlet 4 at a high level (click here if you can't see the embedded slide deck):

There are many ways for you to get involved or just send feedback as always and this is a great point to do so. You are always welcome to join the expert group proper via the JCP page for the specification. You can always simply join the discussion by subscribing to the Servlet 4 specification user alias. If you would rather participate as a group through your JUG you can do that easily via Adopt-a-JSR.

Monday Oct 12, 2015

Kito Mann's JavaOne 2015 Sessions on JSF, MVC and HTML 5

For the Java EE track at JavaOne 2015 we are highlighting some key sessions and speakers to better inform you of what you can expect, right up until the start of the conference.

To this end we recently interviewed Kito Mann. Kito is a long time JSF advocate, popular author, speaker, consultant and very prolific contributor to the JCP. Just as previous years, Kito has one of the highest number of sessions from a single speaker on the Java EE track. He spoke to us about his accepted session at JavaOne 2015 (click here if you can't see the embedded video).

The following are the sessions we talked about:

  • Advanced PrimeFaces: This informal after-hours BoF is a deep dive into the popular PrimeFaces library. If you are using PrimeFaces this is a great session to really understand how PrimeFaces works.
  • Tuning JavaServer Faces: In this extended tutorial style session Kito offers his deep insight to effectively tuning JSF applications in the real world. I would say this is a must attend for any JSF user.
  • Building Professional JavaServer Faces UI Components: As Kito explains building reusable components is a key value proposition for JSF. In this informal after-hours BoF Kito will cover best practices for effectively building JSF components for real world applications.
  • Modern Web Apps with HTML5 Web Components, Polymer, and Java EE MVC 1.0: This is a very advanced technical session covering a number of very forward-looking topics. HTML5 web components are a key emerging standard for building JSF style components in vanilla HTML. Polymer is an important open source library for HTML 5 web components. In this session Kito shows how Polymer/web components can be used effectively with the upcoming MVC 1.0 standard slated for Java EE 8.

The following sessions are pretty closely related to what Kito is presenting at JavaOne this year:

Besides these sessions, we have a very strong program for the Java EE track and JavaOne overall - just explore the content catalog. If you can't make it, you can be assured that we will make key content available after the conference just as we have always done. If you are coming, do make sure to book your sessions via schedule builder before they fill up.

Friday Oct 09, 2015

MVC 1.0 Second Early Draft Now Available

The MVC 1.0 specification slated to be included in Java EE 8 continues to make progress and just released a second early draft review (EDR). You can download and take a look at the draft from the JCP site. You can also test drive the reference implementation Ozark from it's own site.

Community momentum behind MVC continues to grow as well. Most recently the Bulgarian Java User Group hosted a workshop on the specification via Adopt-a-JSR. The workshop was led by Nayden Gochev and Ivan St. Ivanov. All the details including starter instructions and code for the workshop can be found on the JUG's site.

There are many ways for you to get involved or just send feedback as always. You are always welcome to join the expert group proper via the JCP page for the specification. You can always simply join the discussion by subscribing to the MVC 1.0 specification user alias. If you would rather participate as a group through your JUG you can do that easily via Adopt-a-JSR.

Sunday Sep 06, 2015

Java EE @ Devoxx Poland 2015

Devoxx Poland was held on June 22-25 in historic Krakow. This is one of the largest and most prestigious Polish developer conferences. The conference was completely sold out and chock full of world class speakers/content. Speakers included Adam Bien, Venkat Subramaniam, Ted Neward and Pratik Patel. Topics included Java SE, Java EE, HTML5, JavaScript, DevOps, architecture, methodology, NoSQL and cloud.

I delivered talks on Java EE 8, aligning JavaScript/HTML5 with Java EE 7 as well as the JCP/Adopt-a-JSR. I also delivered two hands-on workshops on Java EE 7 and JMS 2. Adam Bien delivered a vital talk on Java EE and microservices. More details on the sessions and the trip to Poland, including slide decks and code, posted on my personal blog.

Wednesday Aug 26, 2015

JSON-P 1.1/Java EE 8 Webinar at Istanbul JUG

The Istanbul JUG has been spinning up it's participation in Java EE 8 through Adopt-a-JSR. They have already taken an interest in JSON-P 1.1, MVC and JMS 2.1 with many more Java EE 8 JSRs on their radar. The Istanbul JUG is the first Turkish JUG to engage with Adopt-a-JSR and Java EE 8.

Towards this end the JUG is hosting an online webinar on the proposed changes in JSON-P 1.1 to better involve JUG members. These changes include support for JSON Pointer, JSON Patch and JSON Patch-Merge as well as Java SE 8 alignment. They will be using the recently released specification early draft to drive the discussion. The meeting will be hosted online so anyone can participate. The event will be held on September 3rd, 9:00 PM Istanbul time. Details of the meeting can be found here. The linked page also includes a registration form for the webinar. Note the meeting will be in Turkish.

The Adopt-a-JSR program is one the key things we are trying hard to do differently for Java EE 8 with the goal making this version of the platform one of the most community driven technologies ever developed. Here are just some of the things you could help do via the program right now:

The full details for Adopt-a-JSR/Java EE 8 is always available here. Remember that if you have any questions on any of this, you are always welcome to drop me a note.

Monday Aug 24, 2015

Java API for JSON Binding (JSON-B) 1.0 Early Draft Now Available!

The first early draft of the Java API for JSON Binding (JSON-B) 1.0 is now available for you to review: https://jcp.org/aboutJava/communityprocess/edr/jsr367/index.html. As discussed below this is distinct from the Java API for JSON Processing (JSON-P) 1.1, which also recently published it's own first early draft. Like all early drafts for JSRs, the goal is to foster dialog, feedback and participation. Although it is just an early draft the thirty-five page specification document is actually fairly far along so providing useful feedback should be easy.

JSON is increasingly becoming the de-facto data interchange format on the web, be it for mobile, HTML5/JavaScript rich-client or microservices applications. While Jersey, EclipseLink, GlassFish and WebLogic have long provided strong support for JSON via EclipeLink MOXy, it has been a goal in the Java EE platform to make JSON a first class citizen to the degree where it can become just another natural serialization format for Java. Towards that goal Java EE 7 provided simple JSON processing support via JSON-P. That support is being beefed up further in Java EE 8 by supporting more JSON standards in JSON-P such as JSON Pointer, JSON-Patch and the like. As a parallel effort Java EE 8 also plans to provide a much higher level JSON binding API via JSON-B. The idea is to make JSON handling in the platform so ubiquitous and easy-to-use that it is almost invisible akin to JAXB in the XML world.

If these are ideas that interest you, now is the time to get involved with JSON-B and join other folks in the community that are already helping out. The JSON-B early draft gives special thanks to Olena Syrota, Oleg Tsal-Tsalko and the Ukraine JUG for their contributions even at this stage. These folks have helped us with feedback, community building as well as evangelizing.

There are many ways for you to get involved as always. You are always welcome to join the expert group proper via the JCP page for the specification. You can always simply join the discussion by subscribing to the JSON-B specification user alias. If you would rather participate as a group through your JUG you can do that easily via Adopt-a-JSR.

Wednesday Aug 19, 2015

Java EE @ Chicago Coder Conference 2015

The Chicago Coder Conference 2015 was held on May 14-15. The conference is locally organized by the community including the Chicago JUG, which is why it was important for us to support the event. The event is somewhat Java leaning but also has great presence from the web, .NET, database, etc communities.

I delivered talks on JMS 2 and aligning JavaScript/HTML5 with Java EE 7. Chicago based Java EE advocate Josh Juneau covered what's coming in Java EE 8. More details on the sessions and the trip to Turkey, including slide decks and code, posted on my personal blog.

Tuesday Aug 18, 2015

A new CDI scope in Java EE 8 ?

At this stage, it is probably safe to say that a new CDI scope will be introduced in Java EE 8 as the MVC Expert Group (JSR 371) is in the process of introducing a new CDI custom scope (@RedirectScoped) to support redirect. 

The idea is simple; an MCV controller can decide to redirect a client to a specific URL, to a specific controller method. A typical example would be that an anonymous user hits a page that required to be logged; the controller will then redirect the user to a login page. To do this, the controller uses HTTP 302 ('moved temporarily') to invite the client to make a new request to a different URL, to a different controller.  That second request implies a new (and thus different) request-response cycle. And that's the 'raison-d'ĂȘtre' of this new @RedirectScoped scope, i.e. to allow maintaining some state between the 2 request-response cycles of a redirect. Note that this new scope is for the MVC API only. That new scope is sometime referred as the 'Flash scope'. You can see how both redirect and @RedirectScoped works here.

The great thing about this new scope is that it is just a new CDI custom scope. This is a great example on how the Java EE Platform leverages its foundation to evolve. 

And last but not least, make sure to provide feedback as JSR 371 is in Early Draft period review.

Wednesday Aug 12, 2015

Adopt-a-JSR/Java EE 8 at Istanbul JUG

The Istanbul JUG has been spinning up it's participation in Java EE 8 through Adopt-a-JSR. They have already taken an interest in MVC and JMS 2.1 with many more Java EE 8 JSRs on their radar. The Istanbul JUG is the first Turkish JUG to engage with Adopt-a-JSR and Java EE 8.

Towards this end, the JUG is hosting an event on Adopt-a-JSR to better involve JUG members. The intent of the meeting is to introduce the program and how members can participate in various Java EE 8 JSRs. The meeting will be held on August 13th, 7:30 PM at the Koc University Incubation center. Details of the meeting can be found here (the page is in Turkish and geared towards Istanbul residents).

The Adopt-a-JSR program is one the key things we are trying hard to do differently for Java EE 8 with the goal making this version of the platform one of the most community driven technologies ever developed. Here are just some of the things you could help do via the program right now:

The full details for Adopt-a-JSR/Java EE 8 is always available here. Remember that if you have any questions on any of this, you are always welcome to drop me a note.