
Security in Jakarta EE 11 - JakartaOne 2024


In this talk we'll take a look at the Security specs of Jakarta EE 11. Security is an overarching aspect of an application, and Jakarta Security is fundamental for applications ranging from traditional MVC to cloud-native Java-based microservices. In this session we will dive into what's already there and everything that's in the works for Jakarta Security 4, including new features and changes like:

* Client-cert and Digest Security
* Authentication mechanism per URL
* User choice of authentication mechanism (login with provider A, B or C, etc)
* Multiple authentication mechanisms (try JWT, fallback to BASIC,...)
* @RolesAllowed alternative
* Easily adding an interceptor to a built-in CDI bean
* Authorization modules
* Integration with Microprofile JWT
* Remove references to the SecurityManager

This hands-on session is intended to get attendees up to speed with the state of Jakarta Security and other Jakarta EE security specs, and to demonstrate compatible implementations like Soteria or Exousia with a variety of Jakarta EE runtimes and external identity providers like Facebook, Google or Keycloak.


Werner Keil

January 08, 2025


Transcript

  1. COPYRIGHT (C) 2024, ECLIPSE FOUNDATION

     Werner's Bio
     • Consultant, Coach
     • Creative Cosmopolitan
     • Open Source Evangelist
     • Software Architect
     • Author, Speaker
     • Maintenance Lead, JSR 354 and JSR 385
     • Jakarta EE Specification Committee Member
     www.linkedin.com/in/catmedia
  2. Jakarta EE 11 Status

     • All individual or component specs are complete!
     • The community has decided to focus on long overdue TCK modernizing and restructuring, and we are at the final stages of that work.
     • Jakarta EE 11 Core Profile is in ballot and we expect to have the release announced just in time for the JakartaOne Livestream on Dec 3rd or shortly after.
     • The release of the Web Profile and Platform specs is pending on the TCK work; we hope for resolution in early CY2025.
  3. Jakarta EE Security

     • Jakarta Security
     • Jakarta Authentication
     • Jakarta Authorization
  4. Common Principles

     • SIMPLIFY the security programming model
     • Enable DEVELOPERS to manage security
     • Layered APIs DELEGATE to others
     • Use CDI where appropriate
  5. Application Security

     • Declarative vs. Programmatic
     • Jakarta EE supports configuration of an application either using standard APIs or those specific to a runtime or server
  6. Jakarta Security

     • Creating Secure Applications
     • Standardize Terminology
     • API for Authentication Mechanism
     • API for Identity Store
     • API for Security Context
     • API for Role/Permission Assignment
  7. Jakarta Authentication

     • Portable SPI for Authentication
     • Abstracts the specific Identity Store against which to Authenticate
     • Simple configuration
     • Extensible to support protocols like OAuth / OpenID Connect
     • Produces a consistent representation of an authenticated Subject
     • Authentication Events
     • Evolution of JASPIC (JSR 196)
  8. Jakarta Authorization

     • Low-level SPI for Authorization Modules
     • SPI for Authorization Policy
     • SPI for Policy Configuration
     • Factory to create and retrieve Policy Configurations
     • SPI for Policy Context
  9. Jakarta EE 11

     • Jakarta Security 4.0
     • Jakarta Authentication 3.1
     • Jakarta Authorization 3.0
  10. Jakarta Security 4.0

     • Basic API (handler) for multiple authentication mechanisms
     • Qualifiers for built-in authentication mechanisms
     • In-memory IdentityStore
     • Remove SecurityManager references
  11. Jakarta Security 4.0: Multiple authentication mechanisms

     (Diagram) An Authentication Handler in front of two mechanisms:
     • Form Authentication Mechanism for /ui/*
     • JWT Authentication Mechanism for /service/*
  12. Jakarta Security 4.0: JWT Bridge

     (Diagram) Jakarta Security <-> MicroProfile JWT Bridge <-> MicroProfile JWT
  13. Jakarta Security 4.0: In-memory IdentityStore

     // Two callers with cleartext test credentials and their group memberships
     @InMemoryIdentityStoreDefinition({
         @Credentials(callerName = "peter", password = "secret1", groups = { "foo", "bar" }),
         @Credentials(callerName = "john", password = "secret2", groups = { "foo", "kaz" })
     })
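The per-URL dispatch from the "Multiple authentication mechanisms" slide and the in-memory store above, carried through as one deployable handler class; this is an added example, not code from the deck. BASIC stands in for the JWT mechanism on the slide, which needs the MicroProfile JWT bridge. Assumed: the Security 4.0 package location of HttpAuthenticationMechanismHandler, the @FormAuthentication/@BasicAuthentication qualifiers and InMemoryIdentityStoreDefinition.Credentials, that the handler mirrors the three HttpAuthenticationMechanism methods, and that a single CDI bean implementing it replaces the default handler.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.*;   // 4.0 handler and qualifiers (assumed package)
import jakarta.security.enterprise.identitystore.InMemoryIdentityStoreDefinition;
import jakarta.security.enterprise.identitystore.InMemoryIdentityStoreDefinition.Credentials;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Two mechanism definitions on one bean: workable in Security 4.0 because this handler, not the
// container, decides which mechanism answers a given request. Added example, not the deck's code.
@FormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(loginPage = "/login.html", errorPage = "/login-error.html"))
@BasicAuthenticationMechanismDefinition(realmName = "service")
@InMemoryIdentityStoreDefinition({          // constructed test users, same as the slide
    @Credentials(callerName = "peter", password = "secret1", groups = { "foo", "bar" }),
    @Credentials(callerName = "john",  password = "secret2", groups = { "foo", "kaz" })
})
@ApplicationScoped
public class PathBasedAuthenticationHandler implements HttpAuthenticationMechanismHandler {
    @Inject @FormAuthentication
    private HttpAuthenticationMechanism formMechanism;    // browser UI under /ui/*
    @Inject @BasicAuthentication
    private HttpAuthenticationMechanism basicMechanism;   // API clients under /service/*

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) throws AuthenticationException {
        return select(request).validateRequest(request, response, context);
    }
    @Override
    public AuthenticationStatus secureResponse(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) throws AuthenticationException {
        return select(request).secureResponse(request, response, context);
    }
    @Override
    public void cleanSubject(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext context) {
        select(request).cleanSubject(request, response, context);
    }

    // Route on the path inside the context root. Every path not under /service/ gets form
    // login, so an unlisted URL is never left without a mechanism.
    HttpAuthenticationMechanism select(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.startsWith("/service/") ? basicMechanism : formMechanism;
    }
}
```

Cleartext credentials in an annotation are for tests and demos only; in a real deployment the same handler sits in front of an LDAP or database IdentityStore.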
  14. Jakarta Authentication 3.1

     • Remove references to SecurityManager
     • Small API changes; the TCK has all Ant/JavaTest code removed and replaced by Maven/JUnit
  15. Jakarta Authorization 3.0

     • Java SE Policy replaced by Jakarta EE Policy
     • Register Policy programmatically per application
     • Convenience methods to make the API easier to use
     • Remove SecurityManager references
  16. Jakarta Authorization 3.0

     // Custom policy added programmatically; this first version only delegates to the original policy
     public boolean implies(Permission permission, Subject subject) {
         return originalPolicy.implies(permission, subject);
     }

     // The protected method the policy is consulted for:
     @RolesAllowed("foo")
  17. Jakarta Authorization 3.0

     public boolean implies(Permission permission, Subject subject) {
         // Custom policy added programmatically: deny the "foo" role outside working hours
         // (the role name is carried in the permission's actions string), then delegate to
         // the original policy. Returning false here only narrows access; it never grants it.
         if (permission instanceof RoleRefPermission role) {
             if (role.getActions().equals("foo") && !isWorkingHours()) {
                 return false;
             }
         }
         return originalPolicy.implies(permission, subject);
     }

     @RolesAllowed("foo")
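The working-hours rule from the slide above, completed into a Policy that wraps the container's default and is registered per application at startup, as the "Register Policy programmatically per application" bullet describes. This is an added example, not code from the deck or from the spec itself. Assumed: PolicyFactory.getPolicyFactory() with getPolicy()/setPolicy(Policy), that WebRoleRefPermission carries the role name in its actions string, and that any Policy methods not shown have interface defaults.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.time.Clock;
import java.time.DayOfWeek;
import java.time.LocalDateTime;
import javax.security.auth.Subject;
import jakarta.security.jacc.Policy;
import jakarta.security.jacc.PolicyFactory;
import jakarta.security.jacc.WebRoleRefPermission;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.annotation.WebListener;

// Added example (not the deck's code): a decorating Policy. It can only narrow what the
// wrapped policy grants, never widen it, because every non-denied decision is delegated.
public class WorkingHoursPolicy implements Policy {
    private final Policy originalPolicy;
    private final Clock clock;   // injectable so the rule can be unit-tested at any wall-clock time

    public WorkingHoursPolicy(Policy originalPolicy, Clock clock) {
        this.originalPolicy = originalPolicy;
        this.clock = clock;
    }
    @Override
    public boolean implies(Permission permission, Subject subject) {
        // The role reference is carried in the permission's actions string (assumed for WebRoleRefPermission)
        if (permission instanceof WebRoleRefPermission role
                && "foo".equals(role.getActions()) && !isWorkingHours()) {
            return false;
        }
        return originalPolicy.implies(permission, subject);
    }
    @Override
    public PermissionCollection getPermissionCollection(Subject subject) {
        return originalPolicy.getPermissionCollection(subject);
    }
    boolean isWorkingHours() {
        LocalDateTime now = LocalDateTime.now(clock);
        DayOfWeek day = now.getDayOfWeek();
        return day != DayOfWeek.SATURDAY && day != DayOfWeek.SUNDAY
                && now.getHour() >= 9 && now.getHour() < 17;
    }
}

@WebListener
class PolicyRegistration implements ServletContextListener {
    @Override public void contextInitialized(ServletContextEvent event) {
        PolicyFactory factory = PolicyFactory.getPolicyFactory();   // assumed registration API
        factory.setPolicy(new WorkingHoursPolicy(factory.getPolicy(), Clock.systemDefaultZone()));
    }
}
```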
  18. Links

     Jakarta EE Security Specs
     • https://jakarta.ee/specifications/authentication/3.1/
     • https://jakarta.ee/specifications/authorization/3.0/
     • https://jakarta.ee/specifications/security/4.0/
     MicroProfile JWT and Bridge
     • https://microprofile.io/specifications/jwt/
     • https://github.com/eclipse/microprofile-jwt-bridge/
  19. Jakarta Security Book

     We (Arjan, Teo and Werner) wrote a book, "The Definitive Guide to Jakarta EE Security" (Apress, 2022).
     Examples on GitHub: github.com/Apress/definitive-guide-jakarta-ee-security
     X Account: @jakartasecbook
  20. Java Enterprise Social Book

     Werner's second book, "Enterprise Social for the Java Platform" (Apress, 2024), also covers Jakarta Security in chapter 5.
     Examples on GitHub: https://github.com/Apress/enterprise-social-java-platform
     Mastodon Account: @[email protected]
  21. Thank you! Questions?

     Werner Keil <[email protected]>
     Bsky: @wernerkeil.bsky.social | Threads: werner_keil | X: @wernerwedge