Monday, August 13, 2018

Thorntail Goes Total JOSE

JOSE is a set of modern security specifications developed by the best security experts in the industry. It has not always had the best press, with some weaknesses being identified. But it is still evolving and the JOSE libraries are becoming more robust. It is always worth remembering that no ideal security specification exists: a given security mechanism always needs to be applied very carefully, with support from the experts.

You may or may not be surprised, but JOSE is nearly everywhere now. Many of the current leading SSO providers use OIDC. They use ID and access tokens which are JOSE instances: JWT tokens, typically signed or even encrypted using the JOSE JWS and/or JOSE JWE mechanisms.

Thorntail has been OIDC/JOSE aware for a while. For a start it offers a comprehensive Keycloak integration which not only lets users easily secure their HTTP endpoints with the Keycloak adapters but also offers a pretty unique Keycloak Server integration which will be the topic of one of the next posts.

Next, Thorntail provided an integration with MicroProfile JWT, an effort led by Red Hat. It offers easy access to the individual claims inside a validated JWT token. Often it is not enough for the endpoint to validate the token; it may need to make some application-specific decisions based on the token content.

Finally, to complete the picture, Thorntail master now offers support for generic JOSE, so that users can experiment with protecting their data using all that JOSE offers today: signing and/or encrypting arbitrary data, complete payloads or only their specific parts, using Java JKS or JOSE JWK key stores.

The application code will be able to inject Jose and configure its properties in YAML files like this one. Currently both Apache CXF JOSE and Jose4J are being tested as Jose implementations. The CXF implementation is currently offered by default: it has proven itself in production and it also supports the JWS and JWE JSON formats. But please do not be concerned if you prefer the quality Jose4J library: we hope users will show interest in this feature over time, and then we can easily offer a Jose4J option out of the box as well.

Please have a look at the demo. It shows how JOSE can be used to sign data in the detached mode. It is actually a very cool feature which is not well known because JOSE is primarily used in the OIDC/OAuth2 space for now, as opposed to regular HTTP service communications. It lets you create a custom envelope where the data to be protected goes alongside the signature. Yes, there is no need to come up with yet another specification to standardize the envelope format: just choose whatever bean format you prefer, choose the data to be signed, and choose where in this bean the signature is to be placed. It is so good.
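The detached mode described above, sketched as an added example that is not code from the Thorntail demo: it uses only JDK classes rather than Thorntail's Jose API, and builds the compact JWS with an empty payload part as in RFC 7515, Appendix F. The `Envelope` bean, the HS256 algorithm choice and the sample key are assumptions made for illustration (Java 16+ for `record`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DetachedJwsDemo {
    // Hypothetical envelope bean: the data travels in the clear next to its signature.
    record Envelope(String data, String signature) {}

    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Protected header pinned by both sides; the verifier never takes "alg" from the message.
    static final String HEADER = B64.encodeToString(
            "{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8));

    static byte[] mac(byte[] key, String payload) throws Exception {
        // JWS signing input: BASE64URL(header) || '.' || BASE64URL(payload)
        String input = HEADER + "." + B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hmac.doFinal(input.getBytes(StandardCharsets.US_ASCII));
    }

    // Compact serialization with the payload part left empty (detached content).
    static String signDetached(byte[] key, String payload) throws Exception {
        return HEADER + ".." + B64.encodeToString(mac(key, payload));
    }

    static boolean verifyDetached(byte[] key, Envelope e) {
        try {
            String[] parts = e.signature().split("\\.", -1);
            // Reject anything that is not header..signature with the pinned header.
            if (parts.length != 3 || !parts[1].isEmpty() || !parts[0].equals(HEADER)) return false;
            byte[] given = Base64.getUrlDecoder().decode(parts[2]);
            return MessageDigest.isEqual(given, mac(key, e.data())); // constant-time compare
        } catch (Exception ex) {
            return false; // malformed base64url or crypto failure: treat as invalid
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes-ok".getBytes(StandardCharsets.UTF_8); // sample key
        Envelope sent = new Envelope("Hello, JOSE", signDetached(key, "Hello, JOSE"));
        Envelope tampered = new Envelope("Hello, J0SE", sent.signature());
        System.out.println("original verifies: " + verifyDetached(key, sent));
        System.out.println("tampered verifies: " + verifyDetached(key, tampered));
    }
}
```

The verifier rebuilds the signing input from the data field of the envelope, so any change to that field invalidates the signature even though the JWS string itself carries no payload.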

So, here you go. Are you interested in modern security? If yes, see what Thorntail can do.

Enjoy!

Thursday, May 10, 2018

Thorntail Bird Brings New Day in Container Development

The WildFly Swarm team started thinking about renaming the project a while back, with the first message to the community coming in February.

Ken and Bob have put a lot of effort into finalizing the process, with the announcements starting to come out this week, the week of Red Hat Summit.

The most exciting part is the fact that a new Thorntail Project GitHub organization has been created with the main concepts of this new 4.x line being captured here.

It is going to be a very cool project. For a start, many tests run in Docker Machine. The new project already ships and will add the best and proven components, ready to run in microservices and cloud-centric environments. It is expected to be lightweight and easy to work with. I hope you are already forking the repository while you are reading this post :-).

Here Comes Another New Day. New Day in the application container development. Start enjoying it now !

Tuesday, February 13, 2018

Adieu Talend, Hello Red Hat !

Seems it was nearly yesterday when I joined Talend seven years ago. Time has flown so fast... Next week I will be returning to Red Hat but first I will talk a bit about my years with Talend.

I'd like to believe that working for Talend has helped me become a better engineer and grow in confidence. And what about those unforgettable Talend R&D events :-) ? No doubt, it has been an interesting and exciting journey.

It has not been easy to find a link to a piece of music which would associate well with the company, but I think I've got it in the end. The text there is a bit sombre, but the music reflects well what I'd like to remember about Talend, the energy and the style: enjoy Ave Cesaria By Stromae. Thank you Talend, Goodbye.

And now I'll be heading back to Red Hat :-). I will be joining a WildFly Swarm team and I look forward to it and am optimistic about it and the new challenge. I'll have to learn new things. I will enjoy it too. And in time, after I settle well, I will return to this blog and talk about WildFly Swarm and other related projects.

Stay Tuned !

Thursday, February 8, 2018

Apache CXF Story Will Continue

When I started working on Apache CXF full time it was already a well established project, shipping a production quality JAX-WS and an early JAX-RS implementation.

During the next N years, with some short breaks, all of us did put a lot of effort into supporting the CXF community, continuing to enhance JAX-RS and various security features, fixing lots and lots of bugs, and trying to support the idea that "CXF was more than just a library" :-).

I'm curious, how many SOAP or pure HTTP calls have been made over the years with the help of CXF ? Sometimes one can read: "This product supports thousands of transactions per minute". Would be fun to read somewhere that "CXF has supported several millions of service calls over 10 years" :-). Or how many downloads have been made ? Who knows...

It is satisfying to see that today the users keep coming to CXF and ask questions and open new issues. No doubt it has helped many users, helped to completely mainstream JAX-WS and then JAX-RS, alongside its Jersey and RestEasy 'colleague' frameworks.

No doubt the Apache CXF story will continue and I've been happy to be part of this story. Thank You !