Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What about Java EE Security?

ivargrimstad
October 15, 2016
Programming
1
1.2k

What about Java EE Security?

In order to secure your Java EE application today, you will most likely have to use some vendor proprietary features or 3rd party frameworks, or both.

The existing set of specifications range from overly complex to non-existent which has resulted in that almost nobody uses standards for security in Java EE applications.

The Java EE Security API (JSR 375), which is targeted for the upcoming Java EE 8 and 9 releases, addresses this issue by standardizing security APIs and establishing a common terminology. Features that are planned for the first version include APIs for authentication, authorization, user context, security context and more.

This demo-driven session will get you up to speed with the current state for this JSR and 'Soteria', the Reference Implementation. The slides will be backed up of live code examples.

ivargrimstad

October 15, 2016
Tweet

More Decks by ivargrimstad

See All by ivargrimstad
Jakarta EE meets AI
ivargrimstad
0
100
Jakarta EE meets AI
ivargrimstad
0
190
Jakarta EE meets AI
ivargrimstad
0
580
Jakarta EE meets AI
ivargrimstad
0
650
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
950
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
940
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
1.9k
Why Spring Matters to Jakarta EE - and Vice Versa
ivargrimstad
0
1.8k

Other Decks in Programming

See All in Programming
Ethereum_.pdf
nekomatu
0
460
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
Amazon Qを使ってIaCを触ろう!
maruto
0
410
受け取る人から提供する人になるということ
little_rubyist
0
230
Contemporary Test Cases
maaretp
0
140
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
役立つログに取り組もう
irof
28
9.6k
初めてDefinitelyTypedにPRを出した話
syumai
0
420
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
RailsConf 2023
tenderlove
29
900
It's Worth the Effort
3n
183
27k
Done Done
chrislema
181
16k
Into the Great Unknown - MozCon
thekraken
32
1.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
What's in a price? How to price your products and services
michaelherold
243
12k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Become a Pro
speakerdeck
PRO
25
5k

Transcript

  1. @ivar_grimstad JavaDay Kiev 2016 #JSR375 What about Java EE Security?

    Ivar Grimstad
 Principal Consultant, Cybercom Sweden

  2. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @ivar_grimstad https://github.com/ivargrimstad https://www.linkedin.com/in/ivargrimstad http://lanyrd.com/profile/ivargrimstad/

  3. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - History, Future,

    Status Demo and Samples What’s NEXT?

  4. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - History

  5. @ivar_grimstad JavaDay Kiev 2016 #JSR375 August 2014 First Proposal December

    2014 Approved by JCP Executive Committee March 2015 Expert Group starts discussions November 2015 Passed Renewal Ballot October 2016 Expert Group v2

  6. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - Future

  7. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  8. @ivar_grimstad JavaDay Kiev 2016 #JSR375 The shape of the Enterprise

    app is changing

  9. @ivar_grimstad JavaDay Kiev 2016 #JSR375 A Monolith or collection of

    Microservices

  10. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Standardize Terminology API for Authentication

    Mechanism API for Identity Store API for Security Context API for Password Aliasing API for Role/Permission Assignment API for Authorization Interceptors

  11. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authentication - OpenIDConnect Authorization Secret

    Management Secure Microservices Packaging, Configuration, Binding Standardize Terminology API for Authentication Mechanism API for Identity Store API for Security Context Java EE 9 Java EE 8

  12. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authentication

  13. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authorization

  14. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Secrets

  15. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Secure Microservices

  16. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Packaging

  17. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - Status

  18. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Standardize Terminology API for Authentication

    Mechanism API for Identity Store API for Security Context Java EE 8

  19. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Terminology

  20. @ivar_grimstad JavaDay Kiev 2016 #JSR375 User, or Caller, Something else?

    Group of users, permissions, roles? Authentication mechanism Identity store

  21. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authentication Mechanism

  22. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Proprietary server support 3rd party

    security frameworks provide authentication JASPIC: Java Authentication Service Provider Interface
 for Containers Authentication Mechanism

  23. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  24. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @BasicAuthenticationMechanismDefinition( realmName="test realm" ) Basic

  25. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @FormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage=

    "/login-servlet", errorPage= "/login-error-servlet" ) ) Form

  26. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @CustomFormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage

    = "/login.jsf", errorPage = "" ) ) Custom

  27. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Identity Store

  28. @ivar_grimstad JavaDay Kiev 2016 #JSR375 No Java EE standard support

    Only proprietary server support 3rd party security frameworks provide user/group APIs Identity Store

  29. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  30. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @EmbeddedIdentityStoreDefinition({ @Credentials(callerName = "reza", password

    = "secret1", groups = { "foo", "bar" }), @Credentials(callerName = "alex", password = "secret2", groups = { "foo", "kaz" }), @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" }) } ) Embedded

  31. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @DataBaseIdentityStoreDefinition( dataSourceLookup="java:global/MyDS", callerQuery="select password from

    caller where name = ?", groupsQuery="select group_name from caller_groups where caller_name = ?" ) Database

  32. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", callerBaseDn

    = "ou=caller,dc=jsr375,dc=net", groupBaseDn = "ou=group,dc=jsr375,dc=net" ) LDAP

  33. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Security Context

  34. @ivar_grimstad JavaDay Kiev 2016 #JSR375 No Java EE standard support

    3rd party security frameworks provide a security context Security Context

  35. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  36. @ivar_grimstad JavaDay Kiev 2016 #JSR375 public interface SecurityContext { AuthStatus

    authenticate(HttpServletRequest request, HttpServletResponse response, AuthenticationParameters parameters); AuthStatus authenticate(HttpServletResponse response, AuthenticationParameters parameters); } Security Context

  37. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Soteria

  38. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  39. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Soteria

  40. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Demo

  41. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Summary

  42. @ivar_grimstad JavaDay Kiev 2016 #JSR375 What’s NEXT?

  43. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Build a foundation for Identity

    with JSR 375 in Java EE 8

  44. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Candidates for Focus in Java

    EE 9 Security in Packaging, Configuration, Build Microservices Security

  45. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Consistent Simple Secure

  46. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Soteria

  47. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @Soteria_RI Soteria @jsr375

  48. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Project Page https://java.net/projects/javaee-security-spec GitHub https://github.com/javaee-security-spec

    Mailing List [email protected]

  49. @ivar_grimstad JavaDay Kiev 2016 #JSR375 http://glassfish.org/survey

  50. @ivar_grimstad JavaDay Kiev 2016 #JSR375 cybercom.com