EclipseCon 2022 Community Day: Jakarta Security - What’s Next

Jakarta EE 10 is the first major new version of Jakarta EE after its two-year-plus transition from Java EE. In this talk we'll look at one of the key components of Jakarta EE 10: the Security API. Security is an overarching aspect of an application, and Jakarta Security is fundamental for applications ranging from traditional MVC to Jakarta REST based microservices. In this session we will dive into what's already done and everything that's in the works for this API.

Werner Keil

November 09, 2022

Transcript

  1. Werner's Bio • Consultant – Coach • Creative Cosmopolitan • Open Source Evangelist • Software Architect • Author, Speaker • Maintenance Lead – JSR 354, 385 • Jakarta EE Specification Committee Member [www.linkedin.com/in/catmedia]
  2. Common Principles • SIMPLIFY the security programming model • Enable DEVELOPERS to manage security • Layered APIs DELEGATE to others • Use CDI where appropriate
  3. Application Security • Declarative vs. Programmatic: Jakarta EE supports configuration of an application either using standard APIs or those specific to a runtime or server
  4. Jakarta Authentication • Portable API for authentication • Abstracts the specific identity store against which to authenticate • Simple configuration • Extensible to support protocols like OAuth / OpenID Connect • Produces a consistent representation of an authenticated Subject • Authentication events • Evolution of JASPIC (JSR 196)
  5. Jakarta Authorization • Low-level SPI for authorization modules • SPI for authorization policy • SPI for policy configuration • Factory to create and retrieve policy configurations • SPI for policy context
  6. Jakarta Security • Creating secure applications • Standardize terminology • API for authentication mechanism • API for identity store • API for security context • API for role/permission assignment
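As an added example (not from the deck or from the Jakarta Security project itself), here is what those four APIs look like in Jakarta Security 3.0 / Jakarta EE 10 code: a custom IdentityStore that validates username/password credentials against a constructed in-memory table, the built-in HTTP BASIC authentication mechanism activated by annotation, a declarative role constraint on a servlet, and a programmatic check through the injected SecurityContext. The class names, realm name, sample accounts and the `/admin` path are assumptions, and the example assumes Java 17. Unsalted SHA-256 is used only to keep the example self-contained; a production store would keep a salted slow hash (PBKDF2, bcrypt or similar).

```java
// File 1: InMemoryIdentityStore.java (hypothetical example store, not part of the spec)
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Set;

/** The container discovers any CDI bean implementing IdentityStore and consults it. */
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    /** Constructed sample account: digest of the password plus the caller's groups. */
    private record Account(byte[] passwordDigest, Set<String> groups) {}

    // Constructed sample data; unsalted SHA-256 is used only to keep the example short.
    private static final Map<String, Account> ACCOUNTS = Map.of(
        "alice", new Account(digest("alice-secret"), Set.of("user", "admin")),
        "bob",   new Account(digest("bob-secret"),   Set.of("user")));

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // Handle only the credential type this store understands; anything else is
        // NOT_VALIDATED so the container can consult other stores.
        if (!(credential instanceof UsernamePasswordCredential upc)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        Account account = ACCOUNTS.get(upc.getCaller());
        // Compare against a dummy digest when the caller is unknown so that
        // "no such user" and "wrong password" take the same time.
        byte[] expected = account != null ? account.passwordDigest() : digest("");
        boolean match = MessageDigest.isEqual(digest(upc.getPasswordAsString()), expected);
        if (account == null || !match) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // VALID result: caller name plus the groups the container maps to roles.
        return new CredentialValidationResult(upc.getCaller(), account.groups());
    }

    @Override
    public Set<ValidationType> validationTypes() {
        // This store both validates credentials and supplies group membership.
        return Set.of(ValidationType.VALIDATE, ValidationType.PROVIDE_GROUPS);
    }

    private static byte[] digest(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

// File 2: AdminServlet.java (hypothetical)
import jakarta.annotation.security.DeclareRoles;
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// Activates the built-in HTTP BASIC mechanism; the realm name is an assumption.
@BasicAuthenticationMechanismDefinition(realmName = "example-realm")
@DeclareRoles({"user", "admin"})
@WebServlet("/admin")
// Declarative authorization: the container rejects callers outside "admin" before doGet runs.
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;   // the programmatic API from the same spec

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String caller = securityContext.getCallerPrincipal().getName();
        // Programmatic check, useful for decisions finer-grained than a URL constraint.
        boolean canDelete = securityContext.isCallerInRole("admin");
        resp.setContentType("text/plain");
        resp.getWriter().printf("caller=%s canDelete=%b%n", caller, canDelete);
    }
}
```

With both classes deployed, a request to `/admin` without credentials receives a 401 challenge from the BASIC mechanism, a valid `bob` login receives 403 from the `@ServletSecurity` constraint, and `alice` reaches `doGet`. Returning `NOT_VALIDATED_RESULT` for foreign credential types is what lets several identity stores coexist in one application.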
  7. Jakarta Authentication 3.0 • Add generics to the API • Add methods for adding and removing a single server auth module • Servlet Container Lite profile • Clarify PasswordValidationCallback • Deprecate SecurityManager usage in light of JDK 17 / JEP 411
  8. Jakarta Authorization 2.1 • Add getPolicyConfiguration methods without state requirement • Add methods to PolicyConfiguration to read permissions • Generic return value for getContext
  9. Jakarta Security 3.0 • OpenID Connect authentication mechanism • CallerPrincipal Serializable • Dynamically adding an interceptor to a CDI bean
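An added example (not from the deck or the Jakarta Security project) of the OpenID Connect mechanism that Jakarta Security 3.0 introduced: a single annotation moves authentication from a local password store to an external provider, and the resulting tokens and claims are reachable through the injectable OpenIdContext. The provider URL, the `oidcConfig` CDI bean that holds the client credentials, the `/profile` and `/callback` paths and the `groups` claim name are all assumptions. Client id and secret are resolved through Jakarta EL at runtime so they never sit in source; `${baseURL}` is supplied by the container.

```java
// File 1: ProfileServlet.java (hypothetical)
import jakarta.annotation.security.DeclareRoles;
import jakarta.inject.Inject;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.openid.ClaimsDefinition;
import jakarta.security.enterprise.identitystore.openid.OpenIdContext;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// The mechanism reads the provider's discovery document, redirects unauthenticated
// callers to the provider, and turns the returned ID token into the caller identity.
@OpenIdAuthenticationMechanismDefinition(
    providerURI = "https://idp.example.invalid",     // placeholder issuer (assumption)
    clientId = "${oidcConfig.clientId}",             // EL: resolved from a CDI bean named oidcConfig (assumed)
    clientSecret = "${oidcConfig.clientSecret}",     // EL, so the secret is never in source
    redirectURI = "${baseURL}/callback",             // ${baseURL} is filled in by the container
    scope = {"openid", "profile", "email"},
    claimsDefinition = @ClaimsDefinition(
        callerNameClaim = "preferred_username",
        callerGroupsClaim = "groups"))               // claim that feeds role mapping (assumption)
@DeclareRoles({"user", "admin"})
@WebServlet("/profile")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class ProfileServlet extends HttpServlet {

    @Inject
    private OpenIdContext openIdContext;   // tokens and claims of the current caller

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        // Stable provider-scoped identifier of the caller, taken from the ID token.
        resp.getWriter().printf("subject=%s%n", openIdContext.getSubject());
        // Optional claims come back as Optional<String>.
        resp.getWriter().printf("name=%s%n",
            openIdContext.getClaims().getName().orElse("(no name claim)"));
        // The access token is what a client would forward to a downstream Jakarta REST service;
        // it is deliberately not written to the response here.
        resp.getWriter().printf("has access token=%b%n", openIdContext.getAccessToken() != null);
    }
}

// File 2: CallbackServlet.java (hypothetical) - the redirectURI must resolve to something
// in the application; the mechanism completes the code exchange before this servlet runs.
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebServlet("/callback")
public class CallbackServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // After the mechanism has established the caller, send the browser on to the protected page.
        resp.sendRedirect(req.getContextPath() + "/profile");
    }
}
```

The role constraint on `/profile` is enforced against the groups extracted by `callerGroupsClaim`, so the provider, not the application, becomes the source of authorization data; if the provider does not emit that claim, callers are authenticated but hold no roles and receive 403.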
  10. Jakarta Authentication Next • New / updated profiles • REST profile • SOAP profile -> stable
  11. Jakarta Security Next • Authentication mechanism per URL • User choice of authentication mechanism • Multiple authentication mechanisms (fallback) • Additional CDI support: @RolesAllowed alternative • Consolidation with Jakarta REST?
  12. Jakarta Security Book • We (Arjan, Teo and Werner) wrote a book, “The Definitive Guide to Security in Jakarta EE” (Apress, 2022): link.springer.com/book/10.1007/978-1-4842-7945-8 • Twitter account: @jakartasecbook