
What about Java EE Security?

ivargrimstad
October 15, 2016


In order to secure your Java EE application today, you will most likely have to use some vendor proprietary features or 3rd party frameworks, or both.

The existing set of specifications ranges from overly complex to non-existent, with the result that almost nobody uses standards for security in Java EE applications.

The Java EE Security API (JSR 375), which is targeted for the upcoming Java EE 8 and 9 releases, addresses this issue by standardizing security APIs and establishing a common terminology. Features that are planned for the first version include APIs for authentication, authorization, user context, security context and more.

This demo-driven session will get you up to speed with the current state of this JSR and 'Soteria', the Reference Implementation. The slides will be backed up by live code examples.


Transcript

1. @ivar_grimstad JavaDay Kiev 2016 #JSR375
   What about Java EE Security?
   Ivar Grimstad, Principal Consultant, Cybercom Sweden

2. Timeline
   August 2014: First Proposal
   December 2014: Approved by JCP Executive Committee
   March 2015: Expert Group starts discussions
   November 2015: Passed Renewal Ballot
   October 2016: Expert Group v2

3. Standardize Terminology
   API for Authentication Mechanism
   API for Identity Store
   API for Security Context
   API for Password Aliasing
   API for Role/Permission Assignment
   API for Authorization Interceptors

4. Java EE 9: Authentication - OpenIDConnect; Authorization; Secret Management; Secure Microservices; Packaging, Configuration, Binding
   Java EE 8: Standardize Terminology; API for Authentication Mechanism; API for Identity Store; API for Security Context

5. Java EE 8
   Standardize Terminology
   API for Authentication Mechanism
   API for Identity Store
   API for Security Context

6. User, or Caller, or Something else?
   Group of users, permissions, roles?
   Authentication mechanism
   Identity store

7. Authentication Mechanism
   Proprietary server support
   3rd party security frameworks provide authentication
   JASPIC: Java Authentication Service Provider Interface for Containers

8. Identity Store
   No Java EE standard support
   Only proprietary server support
   3rd party security frameworks provide user/group APIs

9. Embedded

       @EmbeddedIdentityStoreDefinition({
           @Credentials(callerName = "reza", password = "secret1", groups = { "foo", "bar" }),
           @Credentials(callerName = "alex", password = "secret2", groups = { "foo", "kaz" }),
           @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" })
       })

10. Database

       @DataBaseIdentityStoreDefinition(
           dataSourceLookup = "java:global/MyDS",
           callerQuery = "select password from caller where name = ?",
           groupsQuery = "select group_name from caller_groups where caller_name = ?"
       )

11. LDAP

       @LdapIdentityStoreDefinition(
           url = "ldap://localhost:33389/",
           callerBaseDn = "ou=caller,dc=jsr375,dc=net",
           groupBaseDn = "ou=group,dc=jsr375,dc=net"
       )

12. Security Context
    No Java EE standard support
    3rd party security frameworks provide a security context

13. Security Context

       public interface SecurityContext {
           AuthStatus authenticate(HttpServletRequest request, HttpServletResponse response,
                                   AuthenticationParameters parameters);
           AuthStatus authenticate(HttpServletResponse response, AuthenticationParameters parameters);
       }

14. Candidates for Focus in Java EE 9
    Security in Packaging, Configuration, Build
    Microservices Security
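The authentication mechanism and identity store APIs from slides 7 to 11 fit together as shown in this added example, which is not from the deck or from Soteria: a custom HttpAuthenticationMechanism hands a UsernamePasswordCredential to the container's IdentityStoreHandler, which fans out to an application-supplied IdentityStore holding the same three callers as the embedded store on slide 9. It uses the javax.security.enterprise package names of the final JSR 375 1.0 API shipped with Java EE 8 rather than the 2016 draft on the slides (AuthStatus became AuthenticationStatus, and the embedded store definition is replaced here by a hand-written store); the class names, the request parameter names and the demo callers are constructed, and Map.of/Set.of assume Java 9 or later.

```java
import java.util.Map;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/** Authentication mechanism (constructed name): reads caller/password parameters, delegates validation. */
@ApplicationScoped
public class DemoAuthenticationMechanism implements HttpAuthenticationMechanism {
    @Inject private IdentityStoreHandler identityStoreHandler; // fans out to every IdentityStore bean
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext ctx) {
        String caller = request.getParameter("caller");
        String password = request.getParameter("password");
        // Nothing presented: stay unauthenticated and let the security constraints decide.
        if (caller == null || password == null) return ctx.doNothing();
        CredentialValidationResult result =
            identityStoreHandler.validate(new UsernamePasswordCredential(caller, password));
        if (result.getStatus() == CredentialValidationResult.Status.VALID) {
            return ctx.notifyContainerAboutLogin(result); // container sets caller principal and groups
        }
        return ctx.responseUnauthorized(); // 401 without saying whether caller or password was wrong
    }
}
/** Identity store holding the three callers of the embedded-store slide (constructed demo data). */
@ApplicationScoped
class InMemoryIdentityStore implements IdentityStore {
    private static final Map<String, String> PASSWORDS = Map.of("reza", "secret1", "alex", "secret2", "arjan", "secret3");
    private static final Map<String, Set<String>> GROUPS =
        Map.of("reza", Set.of("foo", "bar"), "alex", Set.of("foo", "kaz"), "arjan", Set.of("foo"));
    @Override
    public CredentialValidationResult validate(Credential credential) {
        // A credential type this store does not understand is "not validated", not "invalid".
        if (!(credential instanceof UsernamePasswordCredential)) return CredentialValidationResult.NOT_VALIDATED_RESULT;
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String expected = PASSWORDS.get(upc.getCaller());
        if (expected != null && upc.getPassword().compareTo(expected)) {
            return new CredentialValidationResult(upc.getCaller(), GROUPS.get(upc.getCaller()));
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
}
```

Deployed in a web application that declares security constraints, a request carrying valid parameters is authenticated by the container with the groups returned by the store, a wrong password gets a 401, and a request without credentials only reaches protected resources if the constraints allow it.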