The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.
3. A G E N D A
JAVA EE
SECURITY
WHY
UPDATE?
ALREADY
AVAILABLE?
JSR-375
SOTERIA
CONCEPTS
DEMO
4. • C4J
• Senior Java Web Developer, Java Coach, Information Security
• JSR-375
• Java EE Security API Expert group member
• Java EE Believer
@rdebusscher
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
W H O A M I
RUDY DE BUSSCHER
5. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
W H Y U P D A T E ?
6. W H Y A N E W J S R ?
• Java EE Security is viewed as not portable,
abstract/confusing, antiquated
• Doesn't fit cloud app developer paradigm:
requires app server configuration
7. T E R M I N O L O G Y ?
• What is that "something" where identities are
stored?
• realm (Tomcat, some hints in Servlet spec)
• (auth) repository
• (auth) store
• login module (JAAS)
• identity manager (Undertow)
• authenticator (Resin, OmniSecurity, Seam security)
• authentication provider (Spring Security)
• Identity provider
8. J A V A E E S E C U R I T Y
• No JSR exists to address security overall
• Each JSR has his 'own' way
• They look at each other, but ...
10. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
W H Y U P D A T E ?
11. J A S P I C
Java Authentication Service
Provider Interface for
Containers
• Java EE 6
• For custom logic
• BASIC/FORM/DIGEST
• Low Level (per request)
• Verbose
14. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
G O A L S
15. J S R - 3 7 5
• EG discussions started March 2015
• EG Members
• EE API veterans: many JSRs, many years struggling with
Security API
• 3rd party security framework creators/developers
• EE platform security implementers
• October 2016
• EG Updated, switch Spec Lead
16. G O A L S
• Plug the portability holes
• Modernize
• Context Dependency Injection (CDI)
• Intercept at Access Enforcement Points: POJO methods
• Expression Language (EL)
• Enable Access Enforcement Points with complex rules
• App Developer Friendly
• Common security configurations not requiring server changes
• Annotation defaults not requiring XML
17. I D E A S
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Security Context
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Authorization Interceptors
• + ...
JAVA EE 8
JAVA EE 9
18. S O T E R I A
• In Greek mythology, Soteria was the goddess of
safety and salvation.
• RI of JSR-375
• Should work on Java EE 7
• WildFly 10+
• Payara 4.1.1.161+
• TomEE 7.0.2+
• WebSphere Liberty 2016.9+
21. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S
22. H T T P A U T H E N T I C A T I O N M E C H A N I S M
• How are credentials retrieved
• BASIC
• FORM
• classic j_security_check, ...
• CustomForm
• programmatic
• Custom
• For JAX-RS endpoints, ...
24. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S
25. I D E N T I T Y S T O R E
• Verify credentials
• LDAP
• DATABASE
• with configurable queries
• EMBEDDED
• Easy for testing with hardcoded values
• Custom
• Whatever your need is
31. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S
32. T R I P L E A
• Authentication
• Verifying that a user is who she says she is.
• Authorisation
• He can execute the allowed actions within their privilege.
• Accounting
• Audit
33. M U L T I S T O R E
• Authentication / Authorisation
• From multiple sources!
• Examples
• Scenario 1
• Authentication : LDAP
• Authorisation : Database
34. M U L T I S T O R E ( 2 )
• Scenario 2
• Authentication : OAuth2
• Authentication : Limited to certain email Domain
• Authorization : ...
• Scenario 3
• Authentication : ...
• Authorisation : Database
• Authorisation (In Test) : Extra roles/permissions
35. I D E N T I T Y S T O R E H A N D L E R
• IdentityStoreHandler
• Handles multiple defined Identity Stores
• ValidationType on IdentityStore
• BOTH
• AUTHENTICATION
• AUTHORIZATION
38. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S
39. E X T E N S I B I L I T Y
interface HttpAuthenticationMechanism
interface IdentityStore
interface IdentityStoreHandler
40. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S
41. S E C U R I T Y C O N T E X T
Security
Context
Authentication
Mechanism
Identity
Store
Principal
Info for
Request
Authorization
Interceptors
U S E S D A T A
42. Project page
The starting point to all resources
https://java.net/projects/javaee-security-spec
Users List
Subscribe and contribute
users@javaee-security-spec.java.net
Github Soteria repository
Fork and play!
https://github.com/javaee-security-spec/soteria
G E T I N V O L V E D