
Securing apps with joy - With new features in Jakarta EE 11

With Jakarta Security 4.0 in Jakarta EE 11, securing Java applications has become simpler and more flexible. Whether you're working on cloud-native systems or microservices, this release provides tools that make offering several authentication mechanisms straightforward and intuitive.

In this presentation, you'll learn an easy way to secure different parts of your application with distinct methods, or to give users options such as logging in with a username and password, with OpenID providers such as Google or Facebook, or with other approaches.

We'll also explore OpenID Connect and OAuth 2.0 integration, showing how Jakarta Security 4.0 delivers an easy-to-use framework for securing APIs, microservices, and web applications. Through practical examples and live demos, you'll see how to use these features to create secure and user-friendly applications effortlessly.

Source code for the demos:
https://github.com/OmniFish-EE/Presentation-Jakarta-Security-4.0

OmniFish Presentations

June 02, 2025
Transcript

1. Ondro Mihalyi (@OndroMih). Who am I? Java Champion, Czech JUG lead (CZJUG), Jakarta EE committer, Java developer, trainer & consultant.

2. What is Application Security?
   • Who is the user ⇨ Authentication
   • What the user is allowed to do ⇨ Authorization

3. Authentication: a lot of options
   • Authorization is easy, just check permissions
   • Authentication is difficult. We want to:
     - Protect against attackers stealing identity
     - Make it easy for valid users to prove identity
   • Options: username/password, 2-factor, email, hardware keys, passkey (software wallet), ...

4. Solution? Delegate authentication to OpenID Connect providers
   • Authenticate securely
   • Support multiple options
   • Provide a token with identity and roles

5. Multiple providers?
   • Users want to choose
   • Good old username/password
   • Different providers for different tenants
   Can we support all of them? How do we choose?

6. How Jakarta Security helps?
   • Security 1.0 (Java EE 8): Form authentication (user/password)
   • Security 3.0 (Jakarta EE 10): OpenID Connect, only one mechanism per app
   • Security 4.0: Handler to choose between mechanisms

7. New in Jakarta Security 4.0
   • Handler to choose between mechanisms: HttpAuthenticationMechanismHandler
   • Qualifiers for built-in mechanisms to inject them
   • Default or custom qualifiers
   • In-memory identity store (for dev & test)

8. Multiple mechanisms. The idea is simple:
   1. Provide an alternative handler
   2. Inject built-in mechanisms via CDI qualifiers
   3. Custom logic to choose the mechanism
   4. Delegate to the chosen mechanism

9. Code example

       @OpenIdAuthenticationMechanismDefinition(qualifiers = LocalOpenId.class, ...)
       @CustomFormAuthenticationMechanismDefinition(qualifiers = EmailAuth.class, ...)

       @Inject @LocalOpenId HttpAuthenticationMechanism localOpenId;
       @Inject @EmailAuth HttpAuthenticationMechanism emailAuth;

10. Role of CDI qualifiers
   Problem:
   • All mechanisms implement the same interface
   • We need to choose which one to inject
   Solution:
   • Qualifier in the definition ⇨ container assigns it to the CDI bean of the mechanism
   • Inject via qualifier ⇨ uniquely identifies the bean

11. Alternative handler
   • A default handler already exists: it delegates to a single mechanism and gives an error otherwise
   • We replace it with a CDI alternative
   • We can activate the alternative using @Priority or in beans.xml

12. Alternative handler, code example

       @Alternative
       @Priority(APPLICATION)
       @ApplicationScoped
       public class MyHandler implements HttpAuthenticationMechanismHandler {
           // choose a mechanism per request and delegate to it
       }

13. Authentication for REST services? Bearer token: JWT token in the Authorization header
   • Provided by MicroProfile JWT
   • Agreement not to replicate it in Jakarta Security
   Problem: integration
   • Security 4.0: custom Bearer auth, injected into the Handler
   • New MicroProfile JWT Bridge spec
   • GlassFish 8 ⇨ inject MicroProfile mechanism

14. Jakarta Security.Next? https://jakarta.ee/specifications/security/
   • @RolesAllowed anywhere, not only in EJBs
   • Permission stores: simplify advanced authorization
   • More auth. mechanisms: DIGEST, CLIENT-CERT
   Vision:
   • MicroProfile JWT & JWT Bridge ⇨ Jakarta EE
   • Security Lite, without Servlet ⇨ MicroProfile

15. Thank you! Jakarta EE Consultancy (migrations, tuning), Jakarta EE Application Development, GlassFish Server Support, Jakarta EE Training. OmniFish - Jakarta EE Consulting & Support, Omnifish.ee, @OmniFishEE
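As an added example that is not code from the deck or its demo repository, the four-step recipe of slide 8 and the fragments of slides 9 and 12 combined into one compilable class. It assumes a Jakarta EE 11 runtime (Jakarta Security 4.0, CDI, Servlet). The qualifier names LocalOpenId and EmailAuth follow the slides; the package name, the /email/ path rule, the provider settings marked REPLACE_ME and the in-memory credentials are hypothetical placeholders.

```java
// Added example (not from the deck or its demo repo): slide 8's four steps as one class.
// Assumed: Jakarta EE 11 runtime. Package, paths, REPLACE_ME values and the
// in-memory caller are constructed placeholders; LocalOpenId/EmailAuth follow the slides.
package example.security;

import static jakarta.interceptor.Interceptor.Priority.APPLICATION;
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.PARAMETER;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;

import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import jakarta.inject.Qualifier;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.identitystore.InMemoryIdentityStoreDefinition;
import jakarta.security.enterprise.identitystore.InMemoryIdentityStoreDefinition.Credentials;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// One CDI qualifier per mechanism: both beans share the type
// HttpAuthenticationMechanism, so only the qualifier tells them apart.
@Qualifier @Retention(RUNTIME) @Target({TYPE, FIELD, METHOD, PARAMETER})
@interface LocalOpenId {}

@Qualifier @Retention(RUNTIME) @Target({TYPE, FIELD, METHOD, PARAMETER})
@interface EmailAuth {}

// Step 1: replace the default handler (single mechanism only) with a CDI
// alternative, activated by @Priority rather than by a beans.xml entry.
@Alternative
@Priority(APPLICATION)
@ApplicationScoped
// The definitions carry the qualifier the container attaches to each mechanism bean.
@OpenIdAuthenticationMechanismDefinition(
        qualifiers = LocalOpenId.class,
        providerURI = "https://REPLACE_ME.example/realms/demo",   // placeholder
        clientId = "REPLACE_ME",                                   // placeholder
        clientSecret = "REPLACE_ME")                               // placeholder
@CustomFormAuthenticationMechanismDefinition(
        qualifiers = EmailAuth.class,
        loginToContinue = @LoginToContinue(loginPage = "/email/login.xhtml"))
// In-memory store for dev & test only, as the slides say (constructed caller).
@InMemoryIdentityStoreDefinition({
        @Credentials(callerName = "demo@example.test", password = "demo", groups = {"user"})
})
public class MyHandler implements HttpAuthenticationMechanismHandler {

    // Step 2: inject the built-in mechanisms by qualifier.
    @Inject @LocalOpenId HttpAuthenticationMechanism localOpenId;
    @Inject @EmailAuth HttpAuthenticationMechanism emailAuth;

    // Step 3: decide by something the server controls (the request path), never by a
    // client-supplied header, because the choice decides which identity store is trusted.
    // The OpenID flow returns to ${baseURL}/Callback, which is outside /email/, so the
    // callback request is routed to the same mechanism that started the flow.
    private HttpAuthenticationMechanism choose(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.startsWith("/email/") ? emailAuth : localOpenId;
    }

    // Step 4: delegate every phase, so the chosen mechanism's own secureResponse and
    // cleanSubject logic (e.g. OpenID session handling) still runs.
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context)
            throws AuthenticationException {
        return choose(request).validateRequest(request, response, context);
    }

    public AuthenticationStatus secureResponse(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context)
            throws AuthenticationException {
        return choose(request).secureResponse(request, response, context);
    }

    public void cleanSubject(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) {
        choose(request).cleanSubject(request, response, context);
    }
}
```

Because the handler is a CDI alternative with @Priority(APPLICATION), no beans.xml entry is needed; removing the @Priority line and listing the class under `<alternatives>` in beans.xml is the other activation route the slides mention. The path rule is deliberately server-side: if the client could pick the mechanism, say through a header, it could also pick which identity store vouches for it.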