SlideShare a Scribd company logo

What is tackled in the Java EE Security API (Java EE 8)

Rudy De Busscher
Rudy De Busscher

The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.

Technology
1 of 43
Download to read offline
What is tackled in the Java EE Security API (Java EE 8)
A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
• C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
So what is standardised?
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
@CustomFormAuthenticationMechanismDefinition(
 loginToContinue = @LoginToContinue(
 loginPage="/login.xhtml",
 errorPage=""
 )
 )
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
@LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
• CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
Demo BASIC
 IN MEMORY
Demo FORM IN JSF WITH LDAP
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
@LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
Demo MULTI STORE
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
Q & A

Recommended

Microservices with Java, Spring Boot and Spring Cloud
Microservices with Java, Spring Boot and Spring CloudMicroservices with Java, Spring Boot and Spring Cloud
Microservices with Java, Spring Boot and Spring CloudEberhard Wolff
 
RESTful API In Node Js using Express
RESTful API In Node Js using Express RESTful API In Node Js using Express
RESTful API In Node Js using Express Jeetendra singh
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Sling Models Overview
Sling Models OverviewSling Models Overview
Sling Models OverviewJustin Edelson
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring SecurityKnoldus Inc.
 
Java Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepJava Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepGuo Albert
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Hibernate architecture
Hibernate architectureHibernate architecture
Hibernate architectureAnurag
 

Recommended

Microservices with Java, Spring Boot and Spring Cloud
Microservices with Java, Spring Boot and Spring CloudMicroservices with Java, Spring Boot and Spring Cloud
Microservices with Java, Spring Boot and Spring CloudEberhard Wolff
 
RESTful API In Node Js using Express
RESTful API In Node Js using Express RESTful API In Node Js using Express
RESTful API In Node Js using Express Jeetendra singh
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Sling Models Overview
Sling Models OverviewSling Models Overview
Sling Models OverviewJustin Edelson
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring SecurityKnoldus Inc.
 
Java Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepJava Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepGuo Albert
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Hibernate architecture
Hibernate architectureHibernate architecture
Hibernate architectureAnurag
 
Rest in flask
Rest in flaskRest in flask
Rest in flaskHamid Feizabadi
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
Asp.net
Asp.net Asp.net
Asp.netDinesh kumar
 
Java persistence api 2.1
Java persistence api 2.1Java persistence api 2.1
Java persistence api 2.1Rakesh K. Cherukuri
 
Spring Boot
Spring BootSpring Boot
Spring BootPei-Tang Huang
 
JPA For Beginner's
JPA For Beginner'sJPA For Beginner's
JPA For Beginner'sNarayanaMurthy Ganashree
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Asynchronous javascript
Asynchronous javascript Asynchronous javascript
Asynchronous javascriptEman Mohamed
 
JavaScript Fetch API
JavaScript Fetch APIJavaScript Fetch API
JavaScript Fetch APIXcat Liu
 
Unit 1 - TypeScript & Introduction to Angular CLI.pptx
Unit 1 - TypeScript & Introduction to Angular CLI.pptxUnit 1 - TypeScript & Introduction to Angular CLI.pptx
Unit 1 - TypeScript & Introduction to Angular CLI.pptxMalla Reddy University
 
Introduction to java 8 stream api
Introduction to java 8 stream apiIntroduction to java 8 stream api
Introduction to java 8 stream apiVladislav sidlyarevich
 
Apache tomcat
Apache tomcatApache tomcat
Apache tomcatShashwat Shriparv
 
Learn react-js
Learn react-jsLearn react-js
Learn react-jsC...L, NESPRESSO, WAFAASSURANCE, SOFRECOM ORANGE
 
NodeJS
NodeJSNodeJS
NodeJSAlok Guha
 
ASP.NET Web API
ASP.NET Web APIASP.NET Web API
ASP.NET Web APIhabib_786
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?connectwebex
 
JPA and Hibernate
JPA and HibernateJPA and Hibernate
JPA and Hibernateelliando dias
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 
Tomcat
TomcatTomcat
TomcatVenkat Pinagadi
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Rudy De Busscher
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 

More Related Content

What's hot

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Asynchronous javascript
Asynchronous javascript Asynchronous javascript
Asynchronous javascriptEman Mohamed
 
JavaScript Fetch API
JavaScript Fetch APIJavaScript Fetch API
JavaScript Fetch APIXcat Liu
 
Unit 1 - TypeScript & Introduction to Angular CLI.pptx
Unit 1 - TypeScript & Introduction to Angular CLI.pptxUnit 1 - TypeScript & Introduction to Angular CLI.pptx
Unit 1 - TypeScript & Introduction to Angular CLI.pptxMalla Reddy University
 
ASP.NET Web API
ASP.NET Web APIASP.NET Web API
ASP.NET Web APIhabib_786
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?connectwebex
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 

What's hot (20)

Rest in flask
Rest in flaskRest in flask
Rest in flask
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Asp.net
Asp.net Asp.net
Asp.net
 
Java persistence api 2.1
Java persistence api 2.1Java persistence api 2.1
Java persistence api 2.1
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
JPA For Beginner's
JPA For Beginner'sJPA For Beginner's
JPA For Beginner's
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
 
Asynchronous javascript
Asynchronous javascript Asynchronous javascript
Asynchronous javascript
 
JavaScript Fetch API
JavaScript Fetch APIJavaScript Fetch API
JavaScript Fetch API
 
Unit 1 - TypeScript & Introduction to Angular CLI.pptx
Unit 1 - TypeScript & Introduction to Angular CLI.pptxUnit 1 - TypeScript & Introduction to Angular CLI.pptx
Unit 1 - TypeScript & Introduction to Angular CLI.pptx
 
Introduction to java 8 stream api
Introduction to java 8 stream apiIntroduction to java 8 stream api
Introduction to java 8 stream api
 
Apache tomcat
Apache tomcatApache tomcat
Apache tomcat
 
Learn react-js
Learn react-jsLearn react-js
Learn react-js
 
NodeJS
NodeJSNodeJS
NodeJS
 
ASP.NET Web API
ASP.NET Web APIASP.NET Web API
ASP.NET Web API
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?
 
JPA and Hibernate
JPA and HibernateJPA and Hibernate
JPA and Hibernate
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
 
Tomcat
TomcatTomcat
Tomcat
 

Similar to What is tackled in the Java EE Security API (Java EE 8)

Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Rudy De Busscher
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debuggingMaarten Smeets
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8OPEN KNOWLEDGE GmbH
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Adam Englander
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Ashnikbiz
 
State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8OPEN KNOWLEDGE GmbH
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenmentdefconmoscow
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSPayara
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure IdentitySarah Dutkiewicz
 
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingIsaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingAntonios Chatzipavlis
 

Similar to What is tackled in the Java EE Security API (Java EE 8) (20)

Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debugging
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
 
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingIsaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditing
 

More from Rudy De Busscher

jakarta-integration-testing.pdf
jakarta-integration-testing.pdfjakarta-integration-testing.pdf
jakarta-integration-testing.pdfRudy De Busscher
 
core-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfcore-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfRudy De Busscher
 
MicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfMicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfRudy De Busscher
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupRudy De Busscher
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaRudy De Busscher
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersRudy De Busscher
 
Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileRudy De Busscher
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Rudy De Busscher
 
Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Rudy De Busscher
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsRudy De Busscher
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfileRudy De Busscher
 
From Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsFrom Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsRudy De Busscher
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene Rudy De Busscher
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 

More from Rudy De Busscher (16)

jakarta-integration-testing.pdf
jakarta-integration-testing.pdfjakarta-integration-testing.pdf
jakarta-integration-testing.pdf
 
core-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfcore-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdf
 
MicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfMicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdf
 
Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with Testcontainers
 
Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)
 
Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metrics
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfile
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
From Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsFrom Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained Systems
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 

Recently uploaded

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

What is tackled in the Java EE Security API (Java EE 8)

  • 1.
  • 2. What is tackled in the Java EE Security API (Java EE 8)
  • 3. A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
  • 4. • C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
  • 5. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  • 6. W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
  • 7. T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
  • 8. J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
  • 9. So what is standardised?
  • 10. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  • 11. J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
  • 12.
  • 13. Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
  • 14. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
  • 15. J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
  • 16. G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
  • 17. I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
  • 18. S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
  • 19. JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
  • 20. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
  • 21. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 22. H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
  • 24. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 25. I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
  • 26. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
  • 27. C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
  • 28. • CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
  • 31. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 32. T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
  • 33. M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
  • 34. M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
  • 35. I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
  • 36. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
  • 38. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 39. E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
  • 40. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 41. S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
  • 42. Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
  • 43. Q & A