What about Java EE Security?

Transcript

1. @ivar_grimstad #JavaEE #JSR375 What about Java EE Security? Ivar Grimstad


   Principal Consultant, Cybercom Sweden

2. @ivar_grimstad #JavaEE #JSR375 @ivar_grimstad https://github.com/ivargrimstad https://www.linkedin.com/in/ivargrimstad http://lanyrd.com/profile/ivargrimstad/

3. @ivar_grimstad #JavaEE #JSR375 JSR 375 - History, Future, Status Demo

   and Samples What’s NEXT?

4. @ivar_grimstad #JavaEE #JSR375 JSR 375 - History

5. @ivar_grimstad #JavaEE #JSR375 August 2014 First Proposal December 2014 Approved

   by JCP Executive Committee March 2015 Expert Group starts discussions November 2015 Passed Renewal Ballot October 2016 Expert Group v2

6. @ivar_grimstad #JavaEE #JSR375

7. @ivar_grimstad #JavaEE #JSR375 JSR 375 - Future

8. @ivar_grimstad #JavaEE #JSR375 Adam Bien David Blevins, Tomitribe Rudy De

   Busscher Ivar Grimstad Les Hazlewood, Stormpath, Inc. Werner Keil Matt Konda, Jemurai Alexander Kosowski, Oracle Darran Lofthouse, Red Hat Jean-Louis Monteiro, Tomitribe Ajay Reddy, IBM Pedro Igor Silva, Red Hat Arjan Tijms, Payara Specification Lead: Will Hopkins, Oracle Elder Moraes Fatih Mutluay Reza Rahman Expert Group Contributors JSR 371 - Expert Group

9. @ivar_grimstad #JavaEE #JSR375 The shape of the Enterprise app is

   changing

10. @ivar_grimstad #JavaEE #JSR375 A Monolith or collection of Microservices

11. @ivar_grimstad #JavaEE #JSR375 Standardize Terminology API for Authentication Mechanism API

    for Identity Store API for Security Context API for Password Aliasing API for Role/Permission Assignment API for Authorization Interceptors

12. @ivar_grimstad #JavaEE #JSR375 Authentication - OpenIDConnect Authorization Secret Management Secure

    Microservices Packaging, Configuration, Binding Standardize Terminology API for Authentication Mechanism API for Identity Store API for Security Context Java EE 9 Java EE 8

13. @ivar_grimstad #JavaEE #JSR375 Authentication

14. @ivar_grimstad #JavaEE #JSR375 Authorization

15. @ivar_grimstad #JavaEE #JSR375 Secrets

16. @ivar_grimstad #JavaEE #JSR375 Secure Microservices

17. @ivar_grimstad #JavaEE #JSR375 Packaging

18. @ivar_grimstad #JavaEE #JSR375 JSR 375 - Status

19. @ivar_grimstad #JavaEE #JSR375 Standardize Terminology API for Authentication Mechanism API

    for Identity Store API for Security Context Java EE 8

20. @ivar_grimstad #JavaEE #JSR375 Terminology

21. @ivar_grimstad #JavaEE #JSR375 User, or Caller, Something else? Group of

    users, permissions, roles? Authentication mechanism Identity store

22. @ivar_grimstad #JavaEE #JSR375 Authentication Mechanism

23. @ivar_grimstad #JavaEE #JSR375 Proprietary server support 3rd party security frameworks

    provide authentication JASPIC: Java Authentication Service Provider Interface
 for Containers Authentication Mechanism

24. @ivar_grimstad #JavaEE #JSR375

25. @ivar_grimstad #JavaEE #JSR375 @BasicAuthenticationMechanismDefinition( realmName="test realm" ) Basic

26. @ivar_grimstad #JavaEE #JSR375 @FormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage= "/login-servlet", errorPage=

    "/login-error-servlet" ) ) Form

27. @ivar_grimstad #JavaEE #JSR375 @CustomFormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage = "/login.jsf",

    errorPage = "" ) ) Custom

28. @ivar_grimstad #JavaEE #JSR375 Identity Store

29. @ivar_grimstad #JavaEE #JSR375 No Java EE standard support Only proprietary

    server support 3rd party security frameworks provide user/group APIs Identity Store

30. @ivar_grimstad #JavaEE #JSR375

31. @ivar_grimstad #JavaEE #JSR375 @EmbeddedIdentityStoreDefinition({ @Credentials(callerName = "reza", password = "secret1",

    groups = { "foo", "bar" }), @Credentials(callerName = "alex", password = "secret2", groups = { "foo", "kaz" }), @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" }) } ) Embedded

32. @ivar_grimstad #JavaEE #JSR375 @DataBaseIdentityStoreDefinition( dataSourceLookup="java:global/MyDS", callerQuery="select password from caller where

    name = ?", groupsQuery="select group_name from caller_groups where caller_name = ?" ) Database

33. @ivar_grimstad #JavaEE #JSR375 @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", callerBaseDn = "ou=caller,dc=jsr375,dc=net",

    groupBaseDn = "ou=group,dc=jsr375,dc=net" ) LDAP

34. @ivar_grimstad #JavaEE #JSR375 Security Context

35. @ivar_grimstad #JavaEE #JSR375 No Java EE standard support 3rd party

    security frameworks provide a security context Security Context

36. @ivar_grimstad #JavaEE #JSR375

37. @ivar_grimstad #JavaEE #JSR375 Security Context

38. @ivar_grimstad #JavaEE #JSR375 Soteria

39. @ivar_grimstad #JavaEE #JSR375

40. @ivar_grimstad #JavaEE #JSR375 Soteria

41. @ivar_grimstad #JavaEE #JSR375 Demo

42. @ivar_grimstad #JavaEE #JSR375 Summary

43. @ivar_grimstad #JavaEE #JSR375 What’s NEXT?

44. @ivar_grimstad #JavaEE #JSR375 Build a foundation for Identity with JSR

    375 in Java EE 8

45. @ivar_grimstad #JavaEE #JSR375 Candidates for Focus in Java EE 9

    Security in Packaging, Configuration, Build Microservices Security

46. @ivar_grimstad #JavaEE #JSR375 Consistent Simple Secure

47. @ivar_grimstad #JavaEE #JSR375 Soteria

48. @ivar_grimstad #JavaEE #JSR375 @Soteria_RI Soteria @jsr375

49. @ivar_grimstad #JavaEE #JSR375 JSR Page https://jcp.org/en/jsr/detail?id=375 GitHub https://github.com/javaee-security-spec Mailing List

    [email protected]

50. @ivar_grimstad #JavaEE #JSR375 cybercom.com