
JSR 375: New Security APIs for Java EE


The Java EE Security API 1.0 (JSR 375) is part of the Java EE 8 platform. It adds three things: pluggable HTTP authentication mechanisms, identity stores that validate credentials and look up a caller's groups, and a security context for asking who the current caller is and what they are authorized to do. This session describes the new APIs, takes a detailed look at each API's syntax and semantics, and provides examples of how they can be used by applications.

ivargrimstad

January 12, 2018



Transcript

  1. @ivar_grimstad #CodeMash New Security APIs for Java EE Ivar Grimstad


    Principal Consultant, Cybercom Sweden JSR 375 JCP Award Winner 2017
  2. @ivar_grimstad #CodeMash Adam Bien, David Blevins (Tomitribe), Rudy De Busscher, Ivar Grimstad, Les Hazlewood (Stormpath, Inc.), Will Hopkins (Oracle), Werner Keil, Matt Konda (Jemurai), Alexander Kosowski (Oracle), Darran Lofthouse (Red Hat), Jean-Louis Monteiro (Tomitribe), Ajay Reddy (IBM), Pedro Igor Silva (Red Hat), Arjan Tijms
  3. @ivar_grimstad #CodeMash
    - Simplify the security programming model
    - Enable developers to manage security
    - Layered APIs that delegate to others
    - Use CDI where appropriate
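  package javax.security.enterprise.authentication.mechanism.http;

  /**
   * Contract for a pluggable HTTP authentication mechanism in the Java EE
   * Security API (JSR 375).
   *
   * NOTE(review): the extracted slide text shows the package, the three
   * method signatures and the closing brace, but not the interface name.
   * The package and the method set match HttpAuthenticationMechanism in the
   * JSR 375 API; confirm the name against the spec before relying on it.
   *
   * HttpServletRequest/HttpServletResponse are servlet types and
   * AuthenticationStatus, AuthenticationException and HttpMessageContext are
   * JSR 375 types; all are referenced by simple name, as on the slide.
   */
  public interface HttpAuthenticationMechanism {

      /**
       * Authenticates the incoming request.
       *
       * Everything read from {@code request} (headers, cookies, form fields)
       * is untrusted input. An implementation should hand the presented
       * credential to an identity store for validation rather than checking
       * it itself, and should report the outcome through the returned status
       * or {@code httpMessageContext}. Callers of this API must not treat any
       * status other than a successful one as "authenticated".
       *
       * @param request            the current servlet request
       * @param response           the current servlet response
       * @param httpMessageContext context used to report the result of the
       *                           attempt back to the container
       * @return the outcome of the authentication attempt
       * @throws AuthenticationException if the attempt fails in a way that
       *         cannot be expressed as a status value
       */
      AuthenticationStatus validateRequest(HttpServletRequest request,
                                           HttpServletResponse response,
                                           HttpMessageContext httpMessageContext)
              throws AuthenticationException;

      /**
       * Post-processes the response, for example to add headers or tokens the
       * mechanism needs on the way out. Presumably invoked by the container
       * after the resource has produced its response -- confirm the exact
       * point in the request lifecycle against the spec.
       *
       * @param request            the current servlet request
       * @param response           the current servlet response
       * @param httpMessageContext the same context used by
       *                           {@link #validateRequest}
       * @return the outcome of the post-processing step
       * @throws AuthenticationException if post-processing fails
       */
      AuthenticationStatus secureResponse(HttpServletRequest request,
                                          HttpServletResponse response,
                                          HttpMessageContext httpMessageContext)
              throws AuthenticationException;

      /**
       * Removes the caller's authenticated state (the name follows JASPIC's
       * cleanSubject; presumably the logout hook -- confirm against the spec).
       *
       * Any state the mechanism itself keeps for the caller (a cookie it
       * issued, a cached token) must be cleared here too; otherwise the next
       * request can be re-authenticated from the leftover state and logout
       * is incomplete.
       *
       * @param request            the current servlet request
       * @param response           the current servlet response
       * @param httpMessageContext context whose client subject is to be
       *                           cleaned
       */
      void cleanSubject(HttpServletRequest request,
                        HttpServletResponse response,
                        HttpMessageContext httpMessageContext);
  }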
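  package javax.security.enterprise.identitystore;

  /**
   * A store that validates credentials and/or supplies the groups of a
   * validated caller (JSR 375).
   *
   * NOTE(review): the slide text reads
   * {@code javax.enterprise.security.identitystore}; the other two API
   * slides use the {@code javax.security.enterprise} root, and that is also
   * the package of the released API, so it is corrected here. The generic
   * type arguments on the two {@code Set} return types were lost in the
   * slide text and are restored ({@code Set<String>} of group names and
   * {@code Set<ValidationType>} of capabilities). The slide shows the
   * methods as abstract; the released API gives them default
   * implementations -- confirm against the spec before copying this as the
   * real interface.
   *
   * {@code Credential} and {@code CredentialValidationResult} are other
   * JSR 375 types, referenced by simple name as on the slide.
   */
  public interface IdentityStore {

      /** What a store is able to do; reported through {@link #validationTypes()}. */
      enum ValidationType {
          /** The store can validate credentials. */
          VALIDATE,
          /** The store can supply groups for an already-validated caller. */
          PROVIDE_GROUPS
      }

      /**
       * Validates a credential presented by the caller.
       *
       * Security note: the result must not reveal whether the caller exists.
       * Return the same "invalid" outcome for an unknown caller and for a
       * wrong secret, and compare secrets in constant time so that timing
       * does not leak the difference either. The store, not the
       * authentication mechanism, is where the stored secret is looked up.
       *
       * @param credential the credential to check (untrusted input)
       * @return the outcome of the validation; presumably a valid result
       *         carries the caller's identity and, when this store provides
       *         them, the caller's groups -- confirm against the spec
       */
      CredentialValidationResult validate(Credential credential);

      /**
       * Returns the groups of an already-validated caller.
       *
       * Only meaningful for stores that report
       * {@link ValidationType#PROVIDE_GROUPS}. The argument is presumably the
       * result of a successful {@link #validate(Credential)} in this or
       * another store -- confirm the exact calling rules against the spec.
       *
       * @param validationResult a successful validation result
       * @return the caller's group names; empty if there are none
       */
      Set<String> getCallerGroups(CredentialValidationResult validationResult);

      /**
       * Ordering of this store relative to the others when several are
       * present. Per the spec's ordering a lower value is consulted first --
       * confirm before depending on it.
       *
       * @return the priority value
       */
      int priority();

      /**
       * Declares which operations this store supports, so that a store that
       * only provides groups is never asked to validate, and vice versa.
       *
       * @return the supported validation types
       */
      Set<ValidationType> validationTypes();
  }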
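  package javax.security.enterprise;

  /**
   * Access to the security state of the current caller (JSR 375): who the
   * caller is, which roles they hold, which web resources they may reach,
   * and a way to trigger authentication programmatically.
   *
   * NOTE(review): two things are corrected relative to the slide text --
   * the comma missing between the first two parameters of
   * {@code authenticate}, and the generic type arguments on
   * {@code getPrincipalsByType}, which the slide shows as raw
   * {@code Set}/{@code Class}; the restored form ties the element type to
   * the class passed in. HttpServletRequest/HttpServletResponse are servlet
   * types and AuthenticationStatus/AuthenticationParameters are JSR 375
   * types, all referenced by simple name as on the slide.
   */
  public interface SecurityContext {

      /**
       * Returns the principal of the current caller. Presumably {@code null}
       * when no caller is authenticated -- check for that before using the
       * result in an authorization decision.
       *
       * @return the caller principal, or {@code null} if unauthenticated
       *         (to confirm against the spec)
       */
      Principal getCallerPrincipal();

      /**
       * Returns all principals of the requested type that are associated with
       * the current caller, for mechanisms that attach a richer principal
       * than the generic caller principal.
       *
       * @param pType the principal class to look for
       * @param <T>   the principal type
       * @return the matching principals; empty if there are none
       */
      <T extends Principal> Set<T> getPrincipalsByType(Class<T> pType);

      /**
       * Tests whether the current caller is in the given application role.
       *
       * @param role the role name
       * @return {@code true} if the caller has the role
       */
      boolean isCallerInRole(String role);

      /**
       * Tests whether the current caller could access a web resource with the
       * given HTTP methods. Useful for hiding links the caller could not
       * follow, but it is a convenience only: the declarative constraint on
       * the resource must still be in place to actually protect it.
       *
       * @param resource the resource path to check
       * @param methods  the HTTP methods to check; what an empty list means is
       *                 not shown here -- confirm against the spec
       * @return {@code true} if access would be granted
       */
      boolean hasAccessToWebResource(String resource, String... methods);

      /**
       * Triggers authentication programmatically for the current request,
       * for example from a login-form handler, through the configured
       * authentication mechanism.
       *
       * @param request    the current servlet request
       * @param response   the current servlet response
       * @param parameters presumably the credential and options for the
       *                   attempt -- confirm against the spec
       * @return the outcome of the attempt; only a successful status means a
       *         caller was established
       */
      AuthenticationStatus authenticate(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationParameters parameters);
  }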
  22. @ivar_grimstad #CodeMash Candidates for focus in future versions:
    - Security in packaging, configuration and build
    - Microservices security