Slide 1

What about Java EE Security?
Ivar Grimstad, Principal Consultant, Cybercom Sweden
@ivar_grimstad JavaDay Kiev 2016 #JSR375

Slide 2

@ivar_grimstad
https://github.com/ivargrimstad
https://www.linkedin.com/in/ivargrimstad
http://lanyrd.com/profile/ivargrimstad/

Slide 3

JSR 375 - History, Future, Status
Demo and Samples
What’s NEXT?

Slide 4

JSR 375 - History

Slide 5

August 2014: First Proposal
December 2014: Approved by JCP Executive Committee
March 2015: Expert Group starts discussions
November 2015: Passed Renewal Ballot
October 2016: Expert Group v2

Slide 6

JSR 375 - Future

Slide 7


Slide 8

The shape of the Enterprise app is changing

Slide 9

A monolith, or a collection of microservices

Slide 10

Standardize Terminology
API for Authentication Mechanism
API for Identity Store
API for Security Context
API for Password Aliasing
API for Role/Permission Assignment
API for Authorization Interceptors

Slide 11

Java EE 8
Standardize Terminology
API for Authentication Mechanism
API for Identity Store
API for Security Context

Java EE 9
Authentication - OpenID Connect
Authorization
Secret Management
Secure Microservices
Packaging, Configuration, Binding

Slide 12

Authentication

Slide 13

Authorization

Slide 14

Secrets

Slide 15

Secure Microservices

Slide 16

Packaging

Slide 17

JSR 375 - Status

Slide 18

Java EE 8
Standardize Terminology
API for Authentication Mechanism
API for Identity Store
API for Security Context

Slide 19

Terminology

Slide 20

User, or Caller, or something else?
Group of users, permissions, roles?
Authentication mechanism
Identity store

Slide 21

Authentication Mechanism

Slide 22

Authentication Mechanism

Proprietary server support
3rd-party security frameworks provide authentication
JASPIC: Java Authentication Service Provider Interface for Containers

Slide 23


Slide 24

Basic

    @BasicAuthenticationMechanismDefinition(
        realmName = "test realm"
    )

Slide 25

Form

    @FormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(
            loginPage = "/login-servlet",
            errorPage = "/login-error-servlet"
        )
    )

Slide 26

Custom

    @CustomFormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(
            loginPage = "/login.jsf",
            errorPage = ""
        )
    )

Slide 27

Identity Store

Slide 28

Identity Store

No Java EE standard support
Only proprietary server support
3rd-party security frameworks provide user/group APIs

Slide 29


Slide 30

Embedded

    @EmbeddedIdentityStoreDefinition({
        @Credentials(callerName = "reza",  password = "secret1", groups = { "foo", "bar" }),
        @Credentials(callerName = "alex",  password = "secret2", groups = { "foo", "kaz" }),
        @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" })
    })

Slide 31

Database

    @DataBaseIdentityStoreDefinition(
        dataSourceLookup = "java:global/MyDS",
        callerQuery = "select password from caller where name = ?",
        groupsQuery = "select group_name from caller_groups where caller_name = ?"
    )

Slide 32

LDAP

    @LdapIdentityStoreDefinition(
        url = "ldap://localhost:33389/",
        callerBaseDn = "ou=caller,dc=jsr375,dc=net",
        groupBaseDn = "ou=group,dc=jsr375,dc=net"
    )
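The slides declare identity stores purely through annotations (embedded, database, LDAP) and attach a Basic authentication mechanism with one more annotation. The listing below is an added example, not code from the slides or from Soteria: it implements the same contract by hand as a custom IdentityStore, which is what you write when the built-in stores do not fit (an existing user table with hashed passwords, a remote service, and so on). It uses the final Java EE 8 package names (javax.security.enterprise.*), which postdate this 2016 talk and differ from the draft names on the slides; the sample callers, the /protected path and the class names are constructed for the example. Two top-level classes are shown in one listing for readability; in a project each goes in its own file.

```java
// Added example, not from the slides or from Soteria. Final Java EE 8 package
// names (javax.security.enterprise.*) are used; they postdate this 2016 talk.
// Two top-level classes are shown in one listing; put each in its own file.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- HashedInMemoryIdentityStore.java ---
/**
 * Custom identity store. The container discovers it because it is a CDI bean
 * that implements IdentityStore. Unlike the embedded store on the slide it
 * holds PBKDF2 hashes rather than clear-text passwords.
 */
@ApplicationScoped
public class HashedInMemoryIdentityStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash;   // hash implementation supplied by the container

    private final Map<String, String> hashByCaller = new HashMap<>();
    private final Map<String, Set<String>> groupsByCaller = new HashMap<>();

    @PostConstruct
    void seed() {
        // Constructed sample callers, reusing the names from the slide.
        add("reza",  "secret1", "foo", "bar");
        add("alex",  "secret2", "foo", "kaz");
        add("arjan", "secret3", "foo");
    }

    private void add(String caller, String password, String... groups) {
        hashByCaller.put(caller, passwordHash.generate(password.toCharArray()));
        groupsByCaller.put(caller, new HashSet<>(Arrays.asList(groups)));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            // Not a credential type this store handles; another store may validate it.
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String stored = hashByCaller.get(upc.getCaller());
        // One result for "unknown caller" and "wrong password", so the response
        // does not reveal which caller names exist.
        if (stored == null || !passwordHash.verify(upc.getPassword().getValue(), stored)) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(upc.getCaller(), groupsByCaller.get(upc.getCaller()));
    }
}

// --- ProtectedServlet.java ---
/** Resource protected by Basic authentication, validated against the store above. */
@BasicAuthenticationMechanismDefinition(realmName = "test realm")
@DeclareRoles({ "foo", "bar", "kaz" })
@WebServlet("/protected")                                 // hypothetical path
@ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))   // group "foo" maps to role "foo"
public class ProtectedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + req.getUserPrincipal().getName());
    }
}
```

The store answers NOT_VALIDATED for credential types it does not understand, so the container can fall through to another store, and INVALID for both unknown callers and wrong passwords, so the HTTP response is identical in the two cases. The groups returned in the result are what @ServletSecurity and isCallerInRole evaluate; by default a group name maps to a role of the same name.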

Slide 33

Security Context

Slide 34

Security Context

No Java EE standard support
3rd-party security frameworks provide a security context

Slide 35


Slide 36

Security Context

    public interface SecurityContext {
        AuthStatus authenticate(HttpServletRequest request,
                                HttpServletResponse response,
                                AuthenticationParameters parameters);
        AuthStatus authenticate(HttpServletResponse response,
                                AuthenticationParameters parameters);
    }
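The interface on the slide is the 2016 draft. In the final Java EE 8 API the return type is AuthenticationStatus (SUCCESS, SEND_CONTINUE, SEND_FAILURE, NOT_DONE) rather than AuthStatus, and SecurityContext also exposes getCallerPrincipal(), isCallerInRole(String) and hasAccessToWebResource(String, String...). The servlet below is an added example, not code from the slides or from Soteria: it is the programmatic half of the "Custom" form mechanism shown earlier (the login page posts its credentials here instead of to a container-provided endpoint), and then uses the same SecurityContext to query the caller's identity and roles. The /login and /protected paths and the form parameter names are assumptions made for the example.

```java
// Added example, not from the slides or from Soteria. Final Java EE 8 names
// (javax.security.enterprise.*, AuthenticationStatus) are used in place of the
// draft AuthStatus on the slide.
import java.io.IOException;
import java.security.Principal;

import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login")   // hypothetical path; the custom login form posts here
public class LoginServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    // Hand the posted credentials to the configured HttpAuthenticationMechanism
    // through SecurityContext.authenticate(); the mechanism consults the identity
    // store(s) and, on success, establishes the caller for this session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");   // assumed form field names
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        UsernamePasswordCredential credential = new UsernamePasswordCredential(user, pass);
        AuthenticationStatus status = securityContext.authenticate(req, resp,
                AuthenticationParameters.withParams()
                        .credential(credential)
                        .newAuthentication(true));   // ignore any identity already in the session
        credential.clear();   // drop the clear-text password as soon as it has been used

        switch (status) {
            case SUCCESS:
                resp.sendRedirect(req.getContextPath() + "/protected");
                break;
            case SEND_CONTINUE:
                // The mechanism has already written a response (for example a redirect).
                break;
            case SEND_FAILURE:
            case NOT_DONE:
            default:
                // Same answer for every failure reason; do not echo which part was wrong.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // Inspect the current caller: who is it, which roles does it hold, and
    // would the container let it reach a given resource?
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        Principal caller = securityContext.getCallerPrincipal();   // null when unauthenticated
        if (caller == null) {
            resp.getWriter().println("unauthenticated");
            return;
        }
        resp.getWriter().println("caller=" + caller.getName());
        resp.getWriter().println("inRoleFoo=" + securityContext.isCallerInRole("foo"));
        resp.getWriter().println("mayGetProtected="
                + securityContext.hasAccessToWebResource("/protected", "GET"));
    }
}
```

hasAccessToWebResource() evaluates the declarative constraints (such as @ServletSecurity or web.xml security-constraint entries) for the current caller without issuing a request, which is useful for hiding links the caller could not follow anyway; it does not replace the constraint on the resource itself.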

Slide 37

Soteria

Slide 38


Slide 39

Soteria

Slide 40

Demo

Slide 41

Summary

Slide 42

What’s NEXT?

Slide 43

Build a foundation for Identity with JSR 375 in Java EE 8

Slide 44

Candidates for Focus in Java EE 9
Security in Packaging, Configuration, Build
Microservices Security

Slide 45

Consistent, Simple, Secure

Slide 46

Soteria

Slide 47

Soteria
@Soteria_RI
@jsr375

Slide 48

Project Page: https://java.net/projects/javaee-security-spec
GitHub: https://github.com/javaee-security-spec
Mailing List: users@javaee-security-spec.java.net

Slide 49

http://glassfish.org/survey

Slide 50

cybercom.com