A closer look at the Java Identity API


Before I jump into the nitty-gritty, let’s take a look at some of the quick facts about Java Identity API JSR 351. This is a still a work in progress . . .

  • When was the JSR initiated?

This JSR passed the Approval Ballot in October 2011 which was followed by Expert Group formation in November 2011.

  • Who is leading this specification?

The Java Identity API is being lead by Ron Monzillo

  • Expert Group?

The EG consists of representatives from Oracle, IBM, RedHat, SAP and GoldmanSachs as well as individuals

  • Specification document?

This is still in a draft phase and is available at https://jcp.org/aboutJava/communityprocess/edr/jsr351/index.html

  • Reference Implementation

Nobis is the RI for the Java Identity API and can be accessed at https://java.net/projects/nobis/pages/Home


If I had to explain the motive behind the Java Identity API in a single line, it would be defined as, a Java standard for Identity Management

On a high level, the primary goals of this standard are,

  • Define a representation for an Identity in Java
  • Facilitate secure usage (creation, exchange, governance) of these ‘identities’  by defining a Standard API and Interaction models between Identity consumers and providers
  • Provide a uniform, high level programming model for application to interact with identity/attribute repositories with heterogeneous domain models


Present Challenges

Currently, the Java Platform does not provide standard interfaces for managing identities. With the increasing use of internet services in day to day applications, adoption of SSO and federation, there is a need to protect network identity. Existing Java objects, such as the X509Certificate and KerberosTicket provide semblance for encapsulating identity attributes, but only to a limited extent. Instead of having disparate and non standard model, there is a requirement for a set of standards to evolve, which can be leveraged by application or identity framework developers to provide rock solid support for propagation and consumption of network identity.


A Simple Analogy

I like to think of it as an API similar to JDBC or JNDI (if not the same). Both these APIs, help developers communicate with underlying data sources or naming services in a loosely coupled fashion through standard interfaces. It allows us to adopt a pluggable architecture wherein different vendor implementations can be leveraged to connect disparate databases (be it Oracle, MySQL, Sybase DB2 . . we really do not care apart from having the vendor JARS in our class path), LDAP servers (AD, OID, Sun Java, Apache etc)


How can the Java Identity API help?

This API will

  • Allow applications to interact with heterogeneous underlying identity repositories in a portable and standard fashion.
  • Allow vendors to develop implementations using the Attribute Service framework to seamlessly interact with attributes in one or more repositories e.g. Facebook, Twitter, Linked in via supported protocols/APIs such as OAUTH, Open ID, FaceBook Connect etc.
  • Enable applications to also act as providers of attributes – this is also a part of the Attribute Service framework
  • Allow the end developers to build applications on top of these implementations.
  • Prevent dependency upon non standard, proprietary implementations to implement identity services within applications

 Salient Features

Some of the key features/highlights of this API have been listed below

  • Compatibility with Java SE 6 and Java EE 6
  • Integration with the Java Security model

The existing objects within the Java Security model like Principal, Subject, Policy etc will be integrated within the API

  • Support for Programmatic as well as Annotation driven programming models
  • Leveraging Contexts and Dependency Injection (CDI)

CDI will render services such as resource injection, life cycle callbacks and of course dependency injection of identity attributes and references within applications via Qualifiers and Producers


Key Terminologies

A brand new specification can often introduce terms or expressions which might sound vague or abstract at first. Here is a list of keywords and concepts which are intimately attached to the Java Identity API. Having a basic understanding of these terminologies is important


Term Description
Entity Nothing but collection of ‘Attributes‘ e.g. A Person can have attributes such as First Name, Last Name, SSN, Email etc.
Attribute It has a name (username, email), value (johndoe, jdoe@test.com) and associated metadata (issuer, expiry)
Entity Reference A secure handle for an entity
Attribute Reference A secure, value independent handle to the Attribute itselfNote: Both Entity and Attribute references facilitate exchange without actually exposing the associated value
Attribute Repository Represents a set of contracts to be implemented in order to integrate with an identity source. Contains the business logic to interact with the end identity repository
Repository Agent It’s bound to a specific Attribute Repository and can be queried to provide a handle to the Attribute Repository it is attached to
Repository Descriptor Describes the relationship b/w a Repository Agent and the Attribute Repository which is bound to the agent
Attribute Provider Interacts with the Repository Agent and acts on its behalf to perform operations requested by the consumer
Attribute Service It’s a service component which is exposed directly to the client application. It provides access to high level interfaces for interacting with and managing identities


 Core API

The Java Identity API is fairly lightweight and compact. The packages which form a part of the core programming interface have been highlighted below

Package Description
javax.security.identity This package contains the identity attribute and reference types
javax.security.identity.annotations Contains annotations which help provide a  portable identity programming model
javax.security.identity.auth Contains identity attribute and reference types for use in a Java Subject or AccessControlContext.
javax.security.identity.client Provide high-level programming interfaces to the identity attribute services.
javax.security.identity.client.expression Contains provider-independent expressions that are used to compose attribute queries.
javax.security.identity.client.qualifiers Defines annotations to be used as qualifiers in CDI injection of Identity attributes.
javax.security.identity.permission Consists of the permission and actions values used to protect the interfaces of the attribute service.
javax.security.identity.provider Contains interfaces that are to be implemented by attribute providers and repository agents.


Some of the important annotations, interfaces and classes of the Java Identity API have been highlighted below


Component API equivalent
Identity javax.security.identity.annotations.IDEntity
Attribute javax.security.identity.annotations.IdentityAttribute
Entity Reference javax.security.identity.annotations.EntityReference


Interfaces and Classes

Component API equivalent
Attribute javax.security.identity.IDAttribute
Entity Reference javax.security.identity.IDEntityReference
Attribute Reference javax.security.identity.IDAttributeReference
Attribute Repository javax.security.identity.provider. AttributeRepository
Attribute Provider javax.security.identity.provider.AttributeProvider
Repository Agent javax.security.identity.provider.RepositoryAgent
Repository Descriptor javax.security.identity.client.RepositoryDescriptor


 High Level Overview of API Usage

Applications need access to underlying repositories to interact with them and perform operations. The below example outlines the sequence of steps highlighting the ways in which an application can leverage the API to obtain handles to the underlying identities and attributes

  1. Concrete implementation of the javax.security.identity.client.LookupService interface. This encapsulates the services of javax.security.identity.client.ProviderLookupService and the javax.security.identity.provider.AttributeLookupService
  1. An instance of the javax.security.identity.client.ProviderLookupContext is obtained as a result of binding the LookupService with an implementation of the javax.security.identity.provider.RepositoryAgent
  1. The ProviderLookupContext is used to get a reference to javax.security.identity.provider.AttributeProvider that is bound to the range of entities contained in the repository identified by the ProviderLookupContext.
  1. The AttributeProvider implementation is the gateway to the underlying identity repository and exposes CRUD like functionality via the javax.security.identity.provider.RepositoryLookupService and javax.security.identity.provider.RepositoryUpdateService



 Code Snippet

Reference Implementation

As with most Java standards, JSR 351 has a reference implementation known as  Nobis. It provides implementations for

  • javax.security.identity.client.LookupService i.e. the ProviderLookupService and AttributeLookupService – to enable search/lookup identity attributes from the repository
  • javax.security.identity.provider.AttributeProvider
  • javax.security.identity.provider.AttributeRepository
  • javax.security.identity.client.IDPredicate – serves as a filtration/search criteria

As a part of the implementation, the Nobis RI also provides

  • Post Construct Interceptors corresponding to the @javax.security.identity.annotations.IDEntityProvider and @javax.security.identity.annotations.IDEntity, which are nothing but Interceptor Bindings.
  • A factory like API equivalent for above mentioned Interceptors
  • A sample implementation of Facebook as an Attribute Provider along with JPA based and in-memory providers.


Some things to look forward to

  • How is the API going to evolve and attain final shape
  • How will it be adopted by the community
  • How would this be implemented and leveraged by products and real world applications

Cheers . . . . ! ! 🙂


About Abhishek

Loves Go, NoSQL DBs and messaging systems
This entry was posted in Java and tagged , , , , . Bookmark the permalink.

1 Response to A closer look at the Java Identity API

  1. Pingback: Articles for 2014-Jun-27 | Readings for a day

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s