Why Java Still Exists, or What Did Not Go Wrong
Wolfgang Weigend, Senior Leading Systems Consultant, Java Technology and Architecture
Copyright 2012, Oracle and/or its affiliates. All rights reserved.
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
How It Began
A look in the rear-view mirror (timeline axis: 1995, 2000, 2005, 2010) shows the milestones in order: Java (1995); EJB 1.0 and Servlet 2.1; J2EE 1.2; J2EE 1.3; J2EE 1.4; Java EE 5; Java EE 6.
... and shows the evolutionary path (1998 to 2010):
- Java EE: J2EE 1.2 (Servlet, EJB, JSP, JMS, Mail); J2EE 1.3 (JCA, JAAS, XML, CMP); J2EE 1.4 (Web Services, JMX, Deployment); Java EE 5 (JPA, EJB 3, Annotations, Faces); Java EE 6 (more POJOs, Web Profile, EJB Lite, RESTful WS, Injection)
- Java SE: J2SE 1.3 (HotSpot, JNDI, JPDA, Sound); J2SE 1.4 (NIO, JAXP, Crypto, SSL, Logging); J2SE 5.0 (Generics, Annotations, Autoboxing, Concurrent); Java SE 6 (Performance, Scripting, JAX-WS, JAXB, StAX); Java SE 7 (Coin, Invokedynamic, NIO2)
Java EE 6 Technology
Java EE 6: flexibility, extensibility and developer efficiency
- Presentation: JSF 2
- Dependency injection: Context & Dependency Injection (CDI)
- Business services: EJB 3.1
- Basic component: Managed Beans
- Persistence: JPA 2
- Web services: JAX-RS (REST), JAX-WS (SOAP)
27th of January 2010: Java is going to grow
The Java Platform
- Devices: servers, desktop, embedded, TV, mobile, card
- Key APIs: Java EE, JavaFX, Java TV, MSA, BD-J
- Platform: Java SE, Java ME, Java Card
- Language: the Java Language
JDK 7 Feature Scope
- Coin: small language improvements
- Dynamic language support
- Concurrency and collections updates
- Networking and file system
- Internationalisation
- JVM convergence
- Security
Languages that run on the JVM: Groovy, JRuby, Scala, Clojure, JavaScript
Java Security Problems (1)
Oracle security vulnerability communication: the highest priority is to get security fixes into production as fast as possible
- Extensive tests with respect to dependencies and side effects
- Security alerts are often inaccurate and have to be verified
- Comments on security alerts can be used by hackers
Reporting security vulnerabilities
- Customers with Java support file the issue through support.oracle.com
- Others should report to secalert_us@oracle.com
- See http://www.oracle.com/us/support/assurance/reporting/index.html
Java Security Problems (2)
Java is designed with security built in
- Platform: strong data typing, automatic memory management, bytecode verification, secure class loading
- Authentication and access control, PKI, cryptography, ...
- http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
Fact of life: there is no bug-free software
- Quarterly Critical Patch Updates and security alerts for all products
- http://www.oracle.com/technetwork/topics/security/alerts-086861.html#criticalpatchupdates
Java Security: Where Things Stand
Java in the browser has become a popular means to deliver exploits. Why?
- Old releases: many users are not on the current security baseline, or have multiple releases of Java installed
- Silent exploits: traditionally, sandboxed apps would run without any indication to the user. This was a popular way to deliver malware
- Insecure sandbox: the Java sandbox is expected to protect users, but too many exploits have been identified for that to be believable
- Vulnerability backlog: clear the backlog
Java Releases Shipped Between October 2012 and March 2013
(Columns: release; GA date; vulnerabilities fixed / externally reported / CVSS 9+; comment)
- JavaCPUOct2012; GA 10/16/2012; 39 / 18 / 12; fixed 10 issues reported by Gowdiak
- 7u10; GA 12/11/2012; no vulnerability fixes (security feature release): option to disable accessing Java through the browser; hard-coded "best before" date on the JRE; security dialogs and settings for Java in the browser
- CVE-2013-0422 (SecAlert Jan2013); GA 01/13/2013; 2 / 2 / 2; zero-day vulnerability reported in the JSR-292/invokedynamic area on 01/09/2013; PoCs were discovered in the wild (including Metasploit); impacted Java 7 only; alert shipped within 3 days, on 01/13/2013
- JavaCPUFeb2013_1; GA 02/01/2013; 69 / 16 / 29; triggered by a zero-day vulnerability reported by Facebook; shipped almost 3 weeks prior to its planned ship date
- JavaCPUFeb2013_2; GA 02/19/2013; 7 / 5 / 3; second February CPU release, addressing fixes originally planned for Feb 19 that could not be included in the Feb 1 release; addresses JSR 292 InvokeDynamic, JMX, TLS and 2 bugs raised by the Department of Homeland Security
- CVE-2013-1493 (SecAlert Mar2013); GA 03/03/2013; 2 / 2 / 2; zero-day vulnerability in the Java2D area reported by FireEye on 02/28/2013; impacted the Java 7, 6 and 5 releases; alert shipped within 3 days, on 03/03/2013
Java SE 7u10 and Java SE 7u11 Changes
- JRE expiration date
- Disable Java in the browser
- Security slider; 7u11 raised the default slider setting to High
Java SE 7u21 Details, 16 April 2013
- 60 new vulnerability fixes (also fixed in JDK 6u45)
- New deployment features:
  - Removed Low and Custom from the security slider (and removed support from deployment properties)
  - Added certificate and root certificate blacklisting
  - Added daily updates of blacklist and baseline data
  - Old release removal tool [1]
  - Server JRE
  - Warning improvements
  - Require signing for browser apps
[1] http://www.java.com/en/download/uninstallapplet.jsp
Low and Custom Removed from the Security Slider
Scope: these settings allowed users to configure silent execution of unsigned sandboxed applications.
Customer impact: it is no longer possible to run any applet without some sort of warning dialog.
Recommendation: sign all apps using a trusted certificate; do not sign with a self-generated certificate.
Mitigation: in August we will introduce a new feature to manage run-time policies that will eliminate dialogs in managed Java environments.
Certificate and Root Certificate Blacklisting, Daily Security Data Updates
Background: moving to mandatory signing for all apps may lead to hackers using illicit certificates to sign exploits. These may be stolen certificates or certificates obtained under false pretenses.
Scope: before running an applet or Web Start app, the JRE downloads (daily) a list of blacklisted certificates and root certificates. If the certificate or the CA is blacklisted, the app is not allowed to run. At the same time the security baseline data and the JAR blacklist data are updated:
- https://javadl-esd-secure.oracle.com/update/baseline.version
- https://javadl-esd-secure.oracle.com/update/blacklist
- https://javadl-esd-secure.oracle.com/update/blacklist_certs
Customer impact: none expected. If customer firewalls or proxy servers block HTTPS access to java.com and the update hosts above, those users will not have this protection.
Removing Old Versions: Old Release Removal Tool
Background: old releases of Java are inherently insecure. Users often have multiple old releases installed.
Scope: at the end of the installation of 7u21 the user is redirected to an applet on java.com that examines their system and guides them through removing older releases. The (Windows-only) tool is live at http://www.java.com/en/download/uninstallapplet.jsp
Customer impact: customers that depend on old releases of Java will not want their users to use this tool. Customers can avoid sending their users to this tool by using the silent install option.
Server JRE: the Slimmed-Down Variant
Background: provide a Java distribution targeted at server environments. The goal is to reduce exposure to security exploits by providing only the tools and libraries required in a server environment.
Scope: with 7u21 the Server JRE is based on the 7u21 JDK with the deployment stack stripped out. Note that the base bundle is the JDK, not the JRE, as most server deployments require JDK tools and the server HotSpot JVM.
Future: in future updates the Server JRE will be further refined, stripping out JavaFX and other client libraries and JDK tools not essential in that environment.
Availability: no support cost or contract is needed to get this.
Better Warning Messages
Scope: warning dialogs for anything considered an unsafe practice were modified to emphasize the risk. Generally this means running unsigned or self-signed apps.
Why Is Signing Needed?
- The signature provides traceability to the author of the application
- Having a verifiable individual or business associated with the application gives the user a basis for a trust decision before running it
- The need to obtain a certificate and the additional prompting make Java a less likely vehicle for malicious attacks
- In the event of signed exploits we can now quickly (within 24 hours) block the app by blacklisting the signed JAR or the certificate
Impact of the Changed Application Signing
- Eliminates unauthenticated (unsigned) attacks: an exploit must now carry a signature that can be traced to a certificate and blacklisted
- Makes Java unattractive for malicious attackers
This is a disruptive change
- Existing sandboxed and self-signed apps will not run at the default High security level [1] until they have been signed with a trusted certificate
- All current consumer, government and business applications using applets or Web Start must sign their applications or rewrite them using another technology
- Oracle products and internal apps need to be signed using the Oracle signing service [2]
- Extensive internal communications to all Oracle product teams and PDIT/GIT
- External communications under way: CAP members and licensees already notified; docs updated, tech post on java.com [3]; press and analyst briefings under way
[1] Soft-blocked in 7u21, will be fully blocked in October
[2] http://stdevtools.us.oracle.com:7777/twiki/pub/integteam/codesigninguserdoc/user_doc_for_code_sign.htm
[3] http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html
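The signing and blacklisting rules on the preceding slides (certificate blacklisting, why signing is needed, impact of the signing change) can be checked offline against a JAR before it is deployed. The following is an added example, not Oracle's code and not the deployment stack's own logic: it assumes a JAR path passed on the command line, a hypothetical class name SignedJarCheck, and a constructed blacklist of hex SHA-256 certificate fingerprints (Oracle's blacklist_certs file format is not reproduced). It rejects tampered or unsigned entries, self-signed signers, untimestamped signatures whose certificate is outside its validity period, and blacklisted signer certificates; validating the chain up to a trust anchor is left to the JRE.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Offline check of a signed JAR against the rules on the slides: every code entry must be signed,
// the signer must not be self-signed, must be valid (or the signature timestamped), and its SHA-256
// fingerprint must not be blacklisted. Added example, not Oracle's deployment code; chain validation
// to a trust anchor is left to the JRE, and the blacklist below is constructed for illustration.
public class SignedJarCheck {

    // Constructed sample blacklist of hex SHA-256 certificate fingerprints (the real JRE refreshes
    // its list daily from the Oracle update hosts).
    static final Set<String> BLACKLISTED_CERT_SHA256 = new HashSet<>(Collections.singletonList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    // Returns the findings for the JAR; an empty list means the JAR passes every check.
    public static List<String> check(String jarPath) throws IOException, GeneralSecurityException {
        List<String> findings = new ArrayList<>();
        // verify=true makes JarFile check each entry's digest and signature as it is read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed content
                }
                // Signers are only known once the entry has been read to EOF; a tampered entry
                // throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException e) {
                    findings.add("signature mismatch on " + entry.getName() + ": " + e.getMessage());
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    findings.add("unsigned entry: " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    findings.addAll(checkSigner(signer, entry.getName()));
                }
            }
        }
        return findings;
    }

    static List<String> checkSigner(CodeSigner signer, String entry) throws GeneralSecurityException {
        List<String> findings = new ArrayList<>();
        List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
        X509Certificate leaf = (X509Certificate) chain.get(0);
        // Self-signed: nothing above the leaf and subject equals issuer, so no traceable author.
        if (chain.size() == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            findings.add("self-signed signer on " + entry + ": " + leaf.getSubjectX500Principal());
        }
        // Expired or not yet valid. A timestamped signature proves it was made while the
        // certificate was valid and is accepted past expiry; an untimestamped one is not.
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            if (signer.getTimestamp() == null) {
                findings.add("signer certificate invalid and untimestamped on " + entry + ": " + e.getMessage());
            }
        }
        // Blacklisted certificate: the lever the slides describe for blocking signed exploits.
        String fp = sha256Hex(leaf.getEncoded());
        if (BLACKLISTED_CERT_SHA256.contains(fp)) {
            findings.add("blacklisted signer certificate " + fp + " on " + entry);
        }
        return findings;
    }

    static String sha256Hex(byte[] data) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignedJarCheck <file.jar>");
            System.exit(2);
        }
        List<String> findings = check(args[0]);
        for (String f : findings) System.out.println("REJECT: " + f);
        if (findings.isEmpty()) System.out.println("OK: signed, not self-signed, valid, not blacklisted");
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

Run it as `java SignedJarCheck app.jar`; a non-zero exit code with one REJECT line per finding is what a build pipeline would gate on. Because reading each entry through a verifying JarFile is what populates the code signers, an entry that is merely listed in the manifest but never read would report as unsigned, so the loop deliberately drains every entry before inspecting it.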
JDK 8, Planned for 2014
- Innovation: Lambda (JSR 335); language interoperability (Nashorn); JSR 310 Date & Time APIs
- Java for Everyone: profiles for constrained devices; Java SE Embedded support; globalization and accessibility; non-Gregorian calendars; Unicode 6.1; ResourceBundle; BCP 47 locale matching
- Client: deployment enhancements; JavaFX 8; public UI Control API; enhanced HTML5 support; 3D shapes and attributes; printing; native app bundling; App Store bundling tools
- Tools: compiler control and logging; JSR 308 annotations on Java types
- Security: limited doPrivileged; NSA Suite B algorithm support; SNI server-side support; DSA update to FIPS 186-3; AEAD JSSE cipher suites
- Core Libraries: parallel operations for the core collections APIs; improvements in functionality; improved type inference
- General Goodness: JVM enhancements; no PermGen limitations; performance improvements
Java 8: Secure the Train, and the Alternatives
- Drop Lambda from the release in order to maintain the current schedule, with a GA release in early September
- Retain Lambda but reduce the time available for feedback and testing in order to maintain the schedule
- Slip the schedule by a year or more so that Project Jigsaw, which was previously dropped, can be included
- Slip the schedule just enough to finish Lambda, and ship the release after it's thoroughly reviewed and tested
What Was Deferred to JDK 9
- Modularisation in the JDK: Project Jigsaw, the Java Module System
- OpenJDK Project Penrose: unified modularisation
Java ME / Embedded
- Introduced Java Embedded Suite, a middleware stack for embedded
- Introduced Java ME Embedded for Java on microcontrollers
- Java ME/SE alignment planned for ME/SE 8 in CY 2013
- Java ME 8 JSR submission being prepared in the JCP
- Move towards a single platform JSR: subset of Java SE, merge the ME/SE tool and API ecosystem
- Generic small-footprint platform for small embedded devices
- Enable Java in the Internet of Things
Java SE 8 Compact Profiles with Memory Footprint (chart only on the original slide)
Java SE 8 Compact Profiles with Packages (each profile includes the smaller ones)
- compact1 profile: java.lang, java.io, java.nio, java.text, java.math, java.net, javax.net, java.util, java.util.logging, java.security, javax.crypto, javax.security
- compact2 profile adds: java.sql, javax.sql, javax.xml, org.w3c.dom, org.xml.sax, java.rmi, javax.rmi, javax.transaction
- compact3 profile adds: java.lang.management, javax.management, javax.naming, java.sql.rowset, javax.security.auth.kerberos, org.ietf.jgss, javax.script, javax.xml.crypto, java.util.prefs, javax.security.sasl, javax.security.acl, javax.lang.instrument, javax.annotation.processing, javax.lang.model, javax.lang.model.element, javax.lang.model.type, javax.lang.model.util, javax.tools
- Full JRE adds: java.applet, java.awt, java.beans, javax.activity, javax.rmi.CORBA, org.omg, javax.accessibility, javax.imageio, javax.print, javax.sound, javax.swing, javax.activation, javax.jws, javax.xml.bind, javax.xml.soap, javax.xml.ws, javax.annotation
JavaFX Application on the Raspberry Pi Computer
- Java SE Embedded on the Raspberry Pi: build 1.7.0_04-ea-b20, headless
- JavaFX for embedded devices: JavaFX Developer Preview for ARM (JDK 7), JavaFX.profile.embedded@8-ea
- Java modules of the Java SE Embedded Runtime Environment (build 1.8.0-ea-b00, headless), built with a Jigsaw prototype for the Raspberry Pi
- Conference scheduler application j1_2012_scheduler
JavaFX Is the Strategic Java UI Technology for Rich-Client Applications
- Unified application development for Java and web applications: browser plug-in, Web Start, native executables
- Hardware-accelerated graphics (DirectX, OpenGL)
- JavaFX is equipped with an HTML DOM: JavaFX with WebView for HTML5 features (WebSockets, offline browsing, local database); powerful JavaScript engine
- JavaFX can run as an applet embedded in a web page
JavaFX 2.0 platform
- Language switch: Java as the native language instead of JavaFX Script; the JavaFX APIs are implemented in Java; advantages when using generics, annotations and multithreading with JavaFX
- JavaFX 2.2.21 available and supported with NetBeans 7.3
- Migration path for Swing- and SWT-based applications: the JFXPanel component allows JavaFX applications to be embedded in Swing
- Open source with OpenJFX and standardised in the JCP
- JavaFX Scene Builder 1.1 Developer Preview
JavaFX via Open Source on the Way into JDK 8
- Open source: OpenJFX project under OpenJDK; first phase focuses on UI controls
- Convergence: common license with Java SE (in place); JavaFX to be included in Java SE by JDK 8; JavaFX for Java SE Embedded (ARM)
- Standardisation: Oracle committed to JavaFX standardization; JSR to be submitted through the JCP
Java EE: Past, Present and Future (19 implementations)
- J2EE 1.2, Dec 1999, 10 specs: Enterprise Java Platform; Servlet, JSP, EJB, JMS, RMI/IIOP
- J2EE 1.3, Sep 2001, 13 specs: Robustness; CMP, Connector Architecture
- J2EE 1.4, Nov 2003, 20 specs: Web Services; Web Services, Management, Deployment, Async Connector
- Java EE 5, May 2006, 23 specs: Ease of Development; Annotations, EJB 3.0, JPA, JSF, JAXB, JAX-WS, StAX, SAAJ
- Java EE 6, Dec 2009, 28 specs: Lightweight; Pruning (JAX-RPC, CMP/BMP, JSR 88), Extensibility, Ease of Development, CDI, JAX-RS, Web Profile, Servlet 3.0, EJB 3.1 Lite
- Java EE 7, Q2 2013, 32+ specs: Productivity and HTML5; JMS 2.0, Batch, Caching, TX Interceptor, WebSocket, JSON, JAX-RS 2.0, Web Profile
Java EE 7 Candidate JSRs
- Existing specifications, grouped on the slide as unmodified, modified or substantially modified: JSP 2.3, JSF 2.2, JAX-RS 2.0, Servlet 3.1, Interceptors 1.1, WS-Metadata 2.1, Common Annotations 1.1, Managed Beans 1.0, Connector 1.7, CDI 1.1, EJB 3.2, JPA 2.1, JTA 1.2, JMS 2.0, EL 3.0, Bean Validation 1.1, plus CDI extensions and web container extensions
- New: Concurrency (JSR 236), Java Caching API (JSR 107), Batch Processing 1.0 (JSR 352), JSON 1.0 (JSR 353), WebSockets 1.0 (JSR 356)
Java EE 7 Schedule (1)
- The focus on PaaS capability and multi-tenancy as a platform service will be part of Java EE 8
- Java EE has already started on the way to the cloud, but it is too early for standardisation in Java EE 7
- Even without Java EE 7, some vendors such as Oracle, Red Hat, IBM and CloudBees have begun running Java EE applications in the cloud and gathering experience
- There is some infrastructure cloud support in Java EE 7, for example resource definition metadata, improved security configuration, JPA schema generation, etc.
- The PaaS implementation is planned for the Java EE 8 platform release, scheduled for spring 2015
Java EE 7 Schedule (2)
The shift of focus in Java EE 7 allows concentration on the essential features for developers:
- Support for HTML5 with WebSockets and JSON-P
- Simplified JMS 2.0 APIs
- JAX-RS 2.0 Client API
- Further improvements
Java EE 7 Schedule (3)
Java EE 7, JSR-342: Q3 2011 Early Draft; Q3 2012 Public Review; Q4 2012 Proposed Final Draft; summer 2013 Final Release
Summary
- Java SE 7: incremental changes; evolutionary, not revolutionary; a solid feature set for development work; Java browser applications (applets and Web Start) need signing; users are advised to run the current version of Java 7
- Java SE 8: functional programming with Lambda; Secure the Train
- Java SE 9: modularisation with Jigsaw
- Java ME: convergence with Java SE
- Java EE 7: new APIs
- Java as a platform uses the innovations in the ecosystem and adapts to the pace of change in IT
Thank you for your attention! Wolfgang.Weigend@oracle.com