Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What about Java EE Security?

ivargrimstad
October 15, 2016
Programming
1
1.2k

What about Java EE Security?

In order to secure your Java EE application today, you will most likely have to use some vendor proprietary features or 3rd party frameworks, or both.

The existing set of specifications range from overly complex to non-existent which has resulted in that almost nobody uses standards for security in Java EE applications.

The Java EE Security API (JSR 375), which is targeted for the upcoming Java EE 8 and 9 releases, addresses this issue by standardizing security APIs and establishing a common terminology. Features that are planned for the first version include APIs for authentication, authorization, user context, security context and more.

This demo-driven session will get you up to speed with the current state for this JSR and 'Soteria', the Reference Implementation. The slides will be backed up of live code examples.

ivargrimstad

October 15, 2016
Tweet

More Decks by ivargrimstad

See All by ivargrimstad
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
880
Why Spring Matters to Jakarta EE - and Vice Versa
ivargrimstad
0
1k
Why I Choose NetBeans for Jakarta EE
ivargrimstad
0
1.7k
Jakarta EE as Seen Trough the Lens of the ASF
ivargrimstad
0
1.7k
Integrating AI in Your Enterprise Java Applications
ivargrimstad
0
1.7k
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
2k
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
1.9k
Increased Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
1.7k
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
1.6k

Other Decks in Programming

See All in Programming
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
530
macOS でできる リアルタイム動画像処理
biacco42
7
2k
Java ジェネリクス入門 2024
nagise
0
610
プロジェクト新規参入者のリードタイム短縮の観点から見る、品質の高いコードとアーキテクチャを保つメリット
d_endo
1
1k
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
qmuntal/stateless のススメ
sgash708
0
120
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
デプロイを任されたので、教わった通りにデプロイしたら障害になった件 ~俺のやらかしを越えてゆけ~
techouse
52
32k
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
390
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
1
250
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
250

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
680
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
Designing Experiences People Love
moore
138
23k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Building an army of robots
kneath
302
42k
Why Our Code Smells
bkeepers
PRO
334
57k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
For a Future-Friendly Web
brad_frost
175
9.4k
Teambox: Starting and Learning
jrom
132
8.7k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k

Transcript

  1. @ivar_grimstad JavaDay Kiev 2016 #JSR375 What about Java EE Security?

    Ivar Grimstad
 Principal Consultant, Cybercom Sweden

  2. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @ivar_grimstad https://github.com/ivargrimstad https://www.linkedin.com/in/ivargrimstad http://lanyrd.com/profile/ivargrimstad/

  3. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - History, Future,

    Status Demo and Samples What’s NEXT?

  4. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - History

  5. @ivar_grimstad JavaDay Kiev 2016 #JSR375 August 2014 First Proposal December

    2014 Approved by JCP Executive Committee March 2015 Expert Group starts discussions November 2015 Passed Renewal Ballot October 2016 Expert Group v2

  6. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - Future

  7. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  8. @ivar_grimstad JavaDay Kiev 2016 #JSR375 The shape of the Enterprise

    app is changing

  9. @ivar_grimstad JavaDay Kiev 2016 #JSR375 A Monolith or collection of

    Microservices

  10. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Standardize Terminology API for Authentication

    Mechanism API for Identity Store API for Security Context API for Password Aliasing API for Role/Permission Assignment API for Authorization Interceptors

  11. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authentication - OpenIDConnect Authorization Secret

    Management Secure Microservices Packaging, Configuration, Binding Standardize Terminology API for Authentication Mechanism API for Identity Store API for Security Context Java EE 9 Java EE 8

  12. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authentication

  13. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authorization

  14. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Secrets

  15. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Secure Microservices

  16. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Packaging

  17. @ivar_grimstad JavaDay Kiev 2016 #JSR375 JSR 375 - Status

  18. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Standardize Terminology API for Authentication

    Mechanism API for Identity Store API for Security Context Java EE 8

  19. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Terminology

  20. @ivar_grimstad JavaDay Kiev 2016 #JSR375 User, or Caller, Something else?

    Group of users, permissions, roles? Authentication mechanism Identity store

  21. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Authentication Mechanism

  22. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Proprietary server support 3rd party

    security frameworks provide authentication JASPIC: Java Authentication Service Provider Interface
 for Containers Authentication Mechanism

  23. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  24. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @BasicAuthenticationMechanismDefinition( realmName="test realm" ) Basic

  25. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @FormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage=

    "/login-servlet", errorPage= "/login-error-servlet" ) ) Form

  26. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @CustomFormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage

    = "/login.jsf", errorPage = "" ) ) Custom

  27. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Identity Store

  28. @ivar_grimstad JavaDay Kiev 2016 #JSR375 No Java EE standard support

    Only proprietary server support 3rd party security frameworks provide user/group APIs Identity Store

  29. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  30. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @EmbeddedIdentityStoreDefinition({ @Credentials(callerName = "reza", password

    = "secret1", groups = { "foo", "bar" }), @Credentials(callerName = "alex", password = "secret2", groups = { "foo", "kaz" }), @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" }) } ) Embedded

  31. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @DataBaseIdentityStoreDefinition( dataSourceLookup="java:global/MyDS", callerQuery="select password from

    caller where name = ?", groupsQuery="select group_name from caller_groups where caller_name = ?" ) Database

  32. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", callerBaseDn

    = "ou=caller,dc=jsr375,dc=net", groupBaseDn = "ou=group,dc=jsr375,dc=net" ) LDAP

  33. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Security Context

  34. @ivar_grimstad JavaDay Kiev 2016 #JSR375 No Java EE standard support

    3rd party security frameworks provide a security context Security Context

  35. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  36. @ivar_grimstad JavaDay Kiev 2016 #JSR375 public interface SecurityContext { AuthStatus

    authenticate(HttpServletRequest request, HttpServletResponse response, AuthenticationParameters parameters); AuthStatus authenticate(HttpServletResponse response, AuthenticationParameters parameters); } Security Context

  37. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Soteria

  38. @ivar_grimstad JavaDay Kiev 2016 #JSR375

  39. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Soteria

  40. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Demo

  41. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Summary

  42. @ivar_grimstad JavaDay Kiev 2016 #JSR375 What’s NEXT?

  43. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Build a foundation for Identity

    with JSR 375 in Java EE 8

  44. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Candidates for Focus in Java

    EE 9 Security in Packaging, Configuration, Build Microservices Security

  45. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Consistent Simple Secure

  46. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Soteria

  47. @ivar_grimstad JavaDay Kiev 2016 #JSR375 @Soteria_RI Soteria @jsr375

  48. @ivar_grimstad JavaDay Kiev 2016 #JSR375 Project Page https://java.net/projects/javaee-security-spec GitHub https://github.com/javaee-security-spec

    Mailing List [email protected]

  49. @ivar_grimstad JavaDay Kiev 2016 #JSR375 http://glassfish.org/survey

  50. @ivar_grimstad JavaDay Kiev 2016 #JSR375 cybercom.com