Slide 1

@ivar_grimstad #CodeMash
New Security APIs for Java EE
Ivar Grimstad, Principal Consultant, Cybercom Sweden
JSR 375
JCP Award Winner 2017

Slide 2

@ivar_grimstad
https://github.com/ivargrimstad
https://www.linkedin.com/in/ivargrimstad

Slide 3

JSR 375
Java EE Security API 1.0
Demo

Slide 4

JSR 375

Slide 5

The Expert Group

Slide 6

Adam Bien
David Blevins (Tomitribe)
Rudy De Busscher
Ivar Grimstad
Les Hazlewood (Stormpath, Inc.)
Will Hopkins (Oracle)
Werner Keil
Matt Konda (Jemurai)
Alexander Kosowski (Oracle)
Darran Lofthouse (Red Hat)
Jean-Louis Monteiro (Tomitribe)
Ajay Reddy (IBM)
Pedro Igor Silva (Red Hat)
Arjan Tijms

Slide 7

Contributors

Slide 8

Guillermo González de Agüero
John Hogan
Elder Moraes
Faith Mutluay
Reza Rahman
Ashley Richardson

Slide 9

Special Credits

Slide 10

Arjan Tijms

Slide 11

Common Principles

Slide 12

- Simplify the security programming model
- Enable developers to manage security
- Layered APIs delegate to others
- Use CDI where appropriate

Slide 13

Terminology

Slide 14

Authentication Mechanism

Slide 15

Caller / Caller Principal

Slide 16

Identity Store

Slide 17

General Concepts

Slide 18

Group-To-Role Mapping

Slide 19

Caller Principal Types

Slide 20

Expression Language Support

Slide 21

Authentication Mechanism

Slide 22

HttpAuthenticationMechanism

Slide 23

    package javax.security.enterprise.authentication.mechanism.http;

    import javax.security.enterprise.AuthenticationException;
    import javax.security.enterprise.AuthenticationStatus;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public interface HttpAuthenticationMechanism {

        // Called for every request: authenticate the caller, send a challenge, or do nothing.
        AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                             HttpMessageContext httpMessageContext) throws AuthenticationException;

        // Called after the resource has run (default method in the 1.0 API, returns SUCCESS).
        AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response,
                                            HttpMessageContext httpMessageContext) throws AuthenticationException;

        // Called on logout (default method in the 1.0 API, calls httpMessageContext.cleanClientSubject()).
        void cleanSubject(HttpServletRequest request, HttpServletResponse response,
                          HttpMessageContext httpMessageContext);
    }

Slide 28

HttpAuthenticationMechanisms

Slide 29

@BasicAuthenticationMechanismDefinition
@FormAuthenticationMechanismDefinition
@CustomFormAuthenticationMechanismDefinition

Slide 30

@LoginToContinue

Slide 31

@RememberMe

Slide 32

@AutoApplySession

Slide 33

Identity Store

Slide 34

    // Package as in the released API (javax.security.enterprise.identitystore).
    package javax.security.enterprise.identitystore;

    import java.util.Set;
    import javax.security.enterprise.credential.Credential;

    public interface IdentityStore {

        enum ValidationType { VALIDATE, PROVIDE_GROUPS }

        // Check the credential: VALID (with caller and groups), INVALID, or NOT_VALIDATED.
        CredentialValidationResult validate(Credential credential);

        // Only called on stores that declare PROVIDE_GROUPS.
        Set<String> getCallerGroups(CredentialValidationResult validationResult);

        // Lower values are consulted first by the IdentityStoreHandler.
        int priority();

        // Which of VALIDATE / PROVIDE_GROUPS this store takes part in.
        Set<ValidationType> validationTypes();
    }

Slide 40

Built-In IdentityStores

Slide 41

@LdapIdentityStoreDefinition
@DatabaseIdentityStoreDefinition

Slide 42

Security Context

Slide 43

    package javax.security.enterprise;

    import java.security.Principal;
    import java.util.Set;
    import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public interface SecurityContext {

        // null when the caller is not authenticated
        Principal getCallerPrincipal();

        <T extends Principal> Set<T> getPrincipalsByType(Class<T> pType);

        // checks roles, i.e. after group-to-role mapping
        boolean isCallerInRole(String role);

        // would the current caller be allowed to reach resource with these HTTP methods?
        boolean hasAccessToWebResource(String resource, String... methods);

        // programmatically triggers the configured HttpAuthenticationMechanism
        AuthenticationStatus authenticate(HttpServletRequest request, HttpServletResponse response,
                                          AuthenticationParameters parameters);
    }

Slide 50

    @WebServlet("/protectedServlet")
    @ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))
    public class ProtectedServlet extends HttpServlet { ... }

    // GET is the String constant "GET", e.g. a static import of javax.ws.rs.HttpMethod.GET
    securityContext.hasAccessToWebResource("/protectedServlet", GET);

Slide 51

Demo!

Slide 52

Summary

Slide 53

    <dependency>
        <groupId>javax</groupId>
        <artifactId>javaee-web-api</artifactId>
        <version>8.0</version>
        <scope>provided</scope>
    </dependency>

Slide 54

What's NEXT?

Slide 55

Candidates for focus in future versions:
- Security in packaging, configuration, build
- Microservices security

Slide 57

JSR Page: https://jcp.org/en/jsr/detail?id=375
Java EE:
https://github.com/javaee/security-api
https://github.com/javaee/security-spec
https://github.com/javaee/security-soteria

Slide 58

Samples:
https://github.com/javaee/security-examples
https://github.com/ivargrimstad/security-samples
https://github.com/payara/Payara-Examples/tree/master/Java-EE/security-jwt-example

Slide 60

cybercom.com