SlideShare une entreprise Scribd logo

ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS

elliando dias
elliando dias
Technologie
1  sur  30
Télécharger pour lire hors ligne
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS Ben Alex, Principal Software Engineer TS-6348 Speaker’s logo here (optional)
Learn what's coming in enterprise application security, and how to achieve it easily today. 2008 JavaOneSM Conference | java.com.sun/javaone | 2
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 3
Approaching AAAA Security considerations revolve around AAAA • Authentication: who are they? • Authorization: what can they do? • Accounting: what resources did they consume in doing it? • Auditing: what exactly did they do? Java™ Servlets and JAAS Third party products Build your own 2008 JavaOneSM Conference | java.com.sun/javaone | 4
Java™ Servlet Security Solid foundation provided by the Servlet API HttpServletRequest methods • boolean isUserInRole(String role) • String getRemoteUser() • Principal getUserPrincipal() Configured in web.xml • <security-constraint> • <login-config> • <security-role> Self registration requirements being considered in JSR 315 2008 JavaOneSM Conference | java.com.sun/javaone | 5
JAAS Java Authentication and Authorization Service (JAAS) Optional in Java™ 1.3, and included in SDK from Java™ 1.4 LoginContext CallbackHandler LoginModule Subject Principal Configured in policy files Many Java™ servers use JAAS 2008 JavaOneSM Conference | java.com.sun/javaone | 6
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 7
What Are “Simple Requirements”? Login form Authentication against common backends Web URL authorization Determining who is logged in Programmatic authorization Logout mechanism Externalization of deployment configuration Transport-level protection Maintaining authentication scope during a session 2008 JavaOneSM Conference | java.com.sun/javaone | 8
Demonstration Software My demos today will use Spring Security 2 • Open source project from SpringSource, the company behind Spring • Formerly known as “Acegi Security”, and publicly available since 2003 Builds upon the Java™ platform • Integrates with Java™ Servlet Security container authentication • Integrates with JAAS login modules • External porting efforts underway to .Net, Python and other platforms Spring Security supports all technologies discussed today Widely used in global banking, defense, government etc 2008 JavaOneSM Conference | java.com.sun/javaone | 9
Implementing Simple Requirements (in 10 minutes or less) 2008 JavaOneSM Conference | java.com.sun/javaone | 10
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 11
Component, State and Transition Security We're moving towards component-based web frameworks • For example, Java™ Server Faces • Reducing development time, and increasing modularity Spring Web Flow provides a JSF model and authorization of • States • Flows • Transitions Spring Web Flow unifies JSF and Spring Security 2008 JavaOneSM Conference | java.com.sun/javaone | 12
CAPTCHA Overview Completely Automated Public Test to tell Computers and Humans Apart Useful for mitigating denial of service and IP infringement Popular Java™ solutions include JCaptcha and reCAPTCHA Consider accessibility issues • http://tinyurl.com/3ypzck (Matt May, “Escape from Captcha”, 2004) Captchas are often machine decipherable • http://www.cs.sfu.ca/~mori/research/gimpy/ 2008 JavaOneSM Conference | java.com.sun/javaone | 13
Single Sign On and Federated Identity NTLM for Microsoft® Windows® intranet apps • Works with Mozilla® Firefox® and Microsoft® Internet Explorer® • Implement using Samba JCIFS JA-SIG Central Authentication Service (CAS) for intranet apps • Java™ (for both client and server, plus full Spring Security support) • Other clients include .Net, PHP, Perl, Apache etc OpenID for Internet apps • Sun®, IBM®, Microsoft®, Google®, Yahoo®, AOL®, Yahoo®, Blogger™ • Implement using OpenID4Java 2008 JavaOneSM Conference | java.com.sun/javaone | 14
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 15
Protecting Methods Strongly recommended in preference to web authorization • Can still be used concurrently with web URL authorization Before a method invocation • Is the user authorized in view of the signature and arguments? After a method invocation • Was the user authorized in view of the returned object? • Should the returned object be modified in some manner? Typically used on the services or domain layer • Thus all client layers are secured (web, rich client, JMS etc) • Of course, proper encapsulation and layering should remain a priority 2008 JavaOneSM Conference | java.com.sun/javaone | 16
JSR 250 Method Security Metadata JSR 250: “Common Annotations for the Java™ Platform™” Annotate classes • @RunAs(“someRole”) • @RolesAllowed(“someRole”) • @PermitAll() • @DenyAll() • @DeclareRoles(“someRole”) Annotation interaction defined in JSR 250, Section 2.11 Spring Security supports JSR-250, plus @Secured, <protect- pointcut>, <protect-method> and custom strategies 2008 JavaOneSM Conference | java.com.sun/javaone | 17
Domain Access Control Domain access control considers • Who the user is • Which method they are invoking on which Java™ type • Which domain object instance they are invoking the method on Major considerations • Performance and normalization level of the ACL database • Appropriate tier to perform filtering (eg database-side or Java™) • Potential propagation of user identity from Java™ to database 2008 JavaOneSM Conference | java.com.sun/javaone | 18
Method Authorization 2008 JavaOneSM Conference | java.com.sun/javaone | 19
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 20
Basic Authentication Great for RESTful paradigms and remote clients RFC 1945, Section 11.1 Stateless HTTP header based • Header name: “Authorization” • Header value: “Basic” + “ “ + Base64(username + “:” + password) • Some SSO solutions permit session tokens to be presented over Basic Recommended, but only if used with HTTPS • Consider Digest authentication if only HTTP is available • See RFC 2617 Section 4 for a comparison of Basic and Digest • Be aware of cross-site request forgery risks 2008 JavaOneSM Conference | java.com.sun/javaone | 21
WSS (formerly WS-Security) and REST POX WSS provides key security functionality for SOAP Use XWSS for Java™ WSS • Visit https://xwss.dev.java.net/ • XWSS version 2.0 implements OASIS WSS Specification 1.0 • XWSS version 3.0 implements OASIS WSS Specification 1.1 • Part of Project Metro (https://metro.dev.java.net/) and Glassfish™ Spring Web Services integrates XWSS and Spring Security Securing Plain Old XML using the RESTful paradigm • Option 1: Use HTTP Basic authentication • Option 2: Use XPath to extract username/password from XML payload 2008 JavaOneSM Conference | java.com.sun/javaone | 22
Securing JMS and ESBs JMS 1.1 does not provide message integrity or privacy • Refer to JMS 1.1 Specification (JSR 914) Section 2.7 • Implementations are expected to provide such features Destination authorization may be provided (eg ActiveMQ) • Read from destination; write to destination; admin destination ESBs may provide implementation-specific capabilities • Endpoint authorization; channel authorization; security translation Spring Integration addresses security in its Q2 2008 roadmap 2008 JavaOneSM Conference | java.com.sun/javaone | 23
Enterprise Connectivity 2008 JavaOneSM Conference | java.com.sun/javaone | 24
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 25
Securing GWT GWT offers no authentication-specific features • Option 1: ServiceDefTarget.setServiceEndPoint(...) with jsessionid • Option 2: Establish a token, then present it as a cookie and in RPC calls Key considerations • Session and/or token timeout issues • How to robustly logout • Cross-site request forgery • Transition of existing server-side authentication to GWT client Useful GWT security advice • http://tinyurl.com/3akc6y (GWT wiki) offers GWT security advice • http://tinyurl.com/2ynd26 (GWT incubator) includes Spring Security 2008 JavaOneSM Conference | java.com.sun/javaone | 26
AJAX Clients and Web 2.0 2008 JavaOneSM Conference | java.com.sun/javaone | 27
Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity Remote Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 28
Enterprise Application Security Tips Use a proven security framework; don't roll your own Start simply, and add complexity incrementally Consider user registration requirements Plan for federated identity, particularly involving OpenID For in-house applications, consider NTLM and CAS Employ Captcha techniques to mitigate DoS attacks Favor method authorization over web authorization Annotations-based authorization metadata is quick and easy Very carefully consider any domain object instance security Prefer Basic authentication for RESTful, HTTPS interactions Leverage WSS for transport-independent SOAP 2008 JavaOneSM Conference | java.com.sun/javaone | 29
Ben Alex, Principal Software Engineer TS-6348 Speaker’s logo here (optional) 2008 JavaOneSM Conference | java.com.sun/javaone | 30

Recommandé

Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedDinis Cruz
 
Data power v7 update - Ravi Katikala
Data power v7 update - Ravi KatikalaData power v7 update - Ravi Katikala
Data power v7 update - Ravi Katikalafloridawusergroup
 
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?Tobias Koprowski
 
Microservice Architecture JavaCro 2015
Microservice Architecture JavaCro 2015Microservice Architecture JavaCro 2015
Microservice Architecture JavaCro 2015Nenad Pecanac
 
Why Security Teams should care about VMware
Why Security Teams should care about VMwareWhy Security Teams should care about VMware
Why Security Teams should care about VMwareJJDiGeronimo
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)Rudy De Busscher
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 

Recommandé

Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedDinis Cruz
 
Data power v7 update - Ravi Katikala
Data power v7 update - Ravi KatikalaData power v7 update - Ravi Katikala
Data power v7 update - Ravi Katikalafloridawusergroup
 
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?Tobias Koprowski
 
Microservice Architecture JavaCro 2015
Microservice Architecture JavaCro 2015Microservice Architecture JavaCro 2015
Microservice Architecture JavaCro 2015Nenad Pecanac
 
Why Security Teams should care about VMware
Why Security Teams should care about VMwareWhy Security Teams should care about VMware
Why Security Teams should care about VMwareJJDiGeronimo
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)Rudy De Busscher
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld
 
Case Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoCase Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoForgeRock
 
Community and Java EE @ DevConf.CZ
Community and Java EE @ DevConf.CZCommunity and Java EE @ DevConf.CZ
Community and Java EE @ DevConf.CZMarkus Eisele
 
Barracuda web application_firewall_wp_advantage
Barracuda web application_firewall_wp_advantageBarracuda web application_firewall_wp_advantage
Barracuda web application_firewall_wp_advantageINSPIRIT BRASIL
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 CharonHasiniG
 
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićJavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Windows Azure Security Features And Functionality
Windows Azure Security Features And FunctionalityWindows Azure Security Features And Functionality
Windows Azure Security Features And Functionalityvivekbhat
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicBrian Huff
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
vCenter Orchestrator APIs
vCenter Orchestrator APIsvCenter Orchestrator APIs
vCenter Orchestrator APIsPablo Roesch
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld
 
Scim overview
Scim overviewScim overview
Scim overviewMorteza Ansari
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld
 
Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Kelly Grizzle
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 
Coordenação de Informática - 2011
Coordenação de Informática - 2011Coordenação de Informática - 2011
Coordenação de Informática - 2011Aislan Rafael
 
Aula 01 - POO - Bem Vindo a Objetolândia!
Aula 01 - POO - Bem Vindo a Objetolândia!Aula 01 - POO - Bem Vindo a Objetolândia!
Aula 01 - POO - Bem Vindo a Objetolândia!Aislan Rafael
 

Contenu connexe

Tendances

Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld
 
Case Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoCase Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoForgeRock
 
Community and Java EE @ DevConf.CZ
Community and Java EE @ DevConf.CZCommunity and Java EE @ DevConf.CZ
Community and Java EE @ DevConf.CZMarkus Eisele
 
Barracuda web application_firewall_wp_advantage
Barracuda web application_firewall_wp_advantageBarracuda web application_firewall_wp_advantage
Barracuda web application_firewall_wp_advantageINSPIRIT BRASIL
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 CharonHasiniG
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Windows Azure Security Features And Functionality
Windows Azure Security Features And FunctionalityWindows Azure Security Features And Functionality
Windows Azure Security Features And Functionalityvivekbhat
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicBrian Huff
 
vCenter Orchestrator APIs
vCenter Orchestrator APIsvCenter Orchestrator APIs
vCenter Orchestrator APIsPablo Roesch
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld
 
Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Kelly Grizzle
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 

Tendances (20)

Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX
 
Case Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoCase Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San Francisco
 
Community and Java EE @ DevConf.CZ
Community and Java EE @ DevConf.CZCommunity and Java EE @ DevConf.CZ
Community and Java EE @ DevConf.CZ
 
Barracuda web application_firewall_wp_advantage
Barracuda web application_firewall_wp_advantageBarracuda web application_firewall_wp_advantage
Barracuda web application_firewall_wp_advantage
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 Charon
 
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićJavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
Windows Azure Security Features And Functionality
Windows Azure Security Features And FunctionalityWindows Azure Security Features And Functionality
Windows Azure Security Features And Functionality
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
 
Java Security
Java SecurityJava Security
Java Security
 
vCenter Orchestrator APIs
vCenter Orchestrator APIsvCenter Orchestrator APIs
vCenter Orchestrator APIs
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
 
Scim overview
Scim overviewScim overview
Scim overview
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
 
Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
 

En vedette

Coordenação de Informática - 2011
Coordenação de Informática - 2011Coordenação de Informática - 2011
Coordenação de Informática - 2011Aislan Rafael
 
Aula 01 - POO - Bem Vindo a Objetolândia!
Aula 01 - POO - Bem Vindo a Objetolândia!Aula 01 - POO - Bem Vindo a Objetolândia!
Aula 01 - POO - Bem Vindo a Objetolândia!Aislan Rafael
 
Tratamento de exceções com PHP
Tratamento de exceções com PHPTratamento de exceções com PHP
Tratamento de exceções com PHPLeonardo Soares
 
Aula 02 POO - Meu Primeiro Código
Aula 02 POO - Meu Primeiro CódigoAula 02 POO - Meu Primeiro Código
Aula 02 POO - Meu Primeiro CódigoAislan Rafael
 
Aula 03 - POO - Um pouco mais sobre variáveis
Aula 03 - POO - Um pouco mais sobre variáveisAula 03 - POO - Um pouco mais sobre variáveis
Aula 03 - POO - Um pouco mais sobre variáveisAislan Rafael
 
Aula 04 - POO - Estruturas de Controle e Repetição
Aula 04 - POO - Estruturas de Controle e Repetição Aula 04 - POO - Estruturas de Controle e Repetição
Aula 04 - POO - Estruturas de Controle e Repetição Aislan Rafael
 
Banco de dadados MySQL com PHP
Banco de dadados MySQL com PHPBanco de dadados MySQL com PHP
Banco de dadados MySQL com PHPLeonardo Soares
 
PHP 5.3 - Classes e Objetos
PHP 5.3 - Classes e ObjetosPHP 5.3 - Classes e Objetos
PHP 5.3 - Classes e ObjetosGeorge Mendonça
 
Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Israel Messias
 
Programação Orientada a Objetos (POO) com PHP - Parte 2
Programação Orientada a Objetos (POO) com PHP - Parte 2Programação Orientada a Objetos (POO) com PHP - Parte 2
Programação Orientada a Objetos (POO) com PHP - Parte 2Israel Messias
 
Concurso de Pitch - EDIFPI
Concurso de Pitch - EDIFPIConcurso de Pitch - EDIFPI
Concurso de Pitch - EDIFPIAislan Rafael
 
Hackeando sua aplicaçao php na pratica
Hackeando sua aplicaçao php na pratica Hackeando sua aplicaçao php na pratica
Hackeando sua aplicaçao php na pratica Cyrille Grandval
 
Curso Desenvolvimento WEB com PHP - PHP (parte 1)
Curso Desenvolvimento WEB com PHP - PHP (parte 1)Curso Desenvolvimento WEB com PHP - PHP (parte 1)
Curso Desenvolvimento WEB com PHP - PHP (parte 1)Willian Magalhães
 
Desenvolvimento web: PHP orientado a objetos
Desenvolvimento web: PHP orientado a objetosDesenvolvimento web: PHP orientado a objetos
Desenvolvimento web: PHP orientado a objetosLucas Vegi
 
Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)
Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)
Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)George Mendonça
 
CURSO DE PHP PARA INICIANTES - AULA 1
CURSO DE PHP PARA INICIANTES - AULA 1CURSO DE PHP PARA INICIANTES - AULA 1
CURSO DE PHP PARA INICIANTES - AULA 1Norivan Oliveira
 

En vedette (19)

Coordenação de Informática - 2011
Coordenação de Informática - 2011Coordenação de Informática - 2011
Coordenação de Informática - 2011
 
Aula 01 - POO - Bem Vindo a Objetolândia!
Aula 01 - POO - Bem Vindo a Objetolândia!Aula 01 - POO - Bem Vindo a Objetolândia!
Aula 01 - POO - Bem Vindo a Objetolândia!
 
Tratamento de exceções com PHP
Tratamento de exceções com PHPTratamento de exceções com PHP
Tratamento de exceções com PHP
 
Aula 02 POO - Meu Primeiro Código
Aula 02 POO - Meu Primeiro CódigoAula 02 POO - Meu Primeiro Código
Aula 02 POO - Meu Primeiro Código
 
Ferramentas Case E Oo
Ferramentas Case E OoFerramentas Case E Oo
Ferramentas Case E Oo
 
Aula 03 - POO - Um pouco mais sobre variáveis
Aula 03 - POO - Um pouco mais sobre variáveisAula 03 - POO - Um pouco mais sobre variáveis
Aula 03 - POO - Um pouco mais sobre variáveis
 
Aula 04 - POO - Estruturas de Controle e Repetição
Aula 04 - POO - Estruturas de Controle e Repetição Aula 04 - POO - Estruturas de Controle e Repetição
Aula 04 - POO - Estruturas de Controle e Repetição
 
Banco de dadados MySQL com PHP
Banco de dadados MySQL com PHPBanco de dadados MySQL com PHP
Banco de dadados MySQL com PHP
 
PHP 5.3 - Classes e Objetos
PHP 5.3 - Classes e ObjetosPHP 5.3 - Classes e Objetos
PHP 5.3 - Classes e Objetos
 
Design Patterns com PHP
Design Patterns com PHPDesign Patterns com PHP
Design Patterns com PHP
 
Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1Programação Orientada a Objetos (POO) com PHP - Parte 1
Programação Orientada a Objetos (POO) com PHP - Parte 1
 
Programação Orientada a Objetos (POO) com PHP - Parte 2
Programação Orientada a Objetos (POO) com PHP - Parte 2Programação Orientada a Objetos (POO) com PHP - Parte 2
Programação Orientada a Objetos (POO) com PHP - Parte 2
 
Aplicando SOLID com PHP7
Aplicando SOLID com PHP7Aplicando SOLID com PHP7
Aplicando SOLID com PHP7
 
Concurso de Pitch - EDIFPI
Concurso de Pitch - EDIFPIConcurso de Pitch - EDIFPI
Concurso de Pitch - EDIFPI
 
Hackeando sua aplicaçao php na pratica
Hackeando sua aplicaçao php na pratica Hackeando sua aplicaçao php na pratica
Hackeando sua aplicaçao php na pratica
 
Curso Desenvolvimento WEB com PHP - PHP (parte 1)
Curso Desenvolvimento WEB com PHP - PHP (parte 1)Curso Desenvolvimento WEB com PHP - PHP (parte 1)
Curso Desenvolvimento WEB com PHP - PHP (parte 1)
 
Desenvolvimento web: PHP orientado a objetos
Desenvolvimento web: PHP orientado a objetosDesenvolvimento web: PHP orientado a objetos
Desenvolvimento web: PHP orientado a objetos
 
Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)
Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)
Uma Abordagem Prática de Orientação a Objetos com PHP (FLISOL DF 2011)
 
CURSO DE PHP PARA INICIANTES - AULA 1
CURSO DE PHP PARA INICIANTES - AULA 1CURSO DE PHP PARA INICIANTES - AULA 1
CURSO DE PHP PARA INICIANTES - AULA 1
 

Similaire à ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS

Framework adoption for java enterprise application development
Framework adoption for java enterprise application developmentFramework adoption for java enterprise application development
Framework adoption for java enterprise application developmentClarence Ho
 
Session 41 - Struts 2 Introduction
Session 41 - Struts 2 IntroductionSession 41 - Struts 2 Introduction
Session 41 - Struts 2 IntroductionPawanMM
 
Struts 2 - Introduction
Struts 2 - Introduction Struts 2 - Introduction
Struts 2 - Introduction Hitesh-Java
 
Cloud compiler - Minor Project by students of CBPGEC
Cloud compiler - Minor Project by students of CBPGEC Cloud compiler - Minor Project by students of CBPGEC
Cloud compiler - Minor Project by students of CBPGEC vipin kumar
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-Onelliando dias
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onCraig Dickson
 
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...Juarez Junior
 
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...Juarez Junior
 
Datasheet weblogicpluginforrd
Datasheet weblogicpluginforrdDatasheet weblogicpluginforrd
Datasheet weblogicpluginforrdMidVision
 
Java EE 與 雲端運算的展望
Java EE 與 雲端運算的展望 Java EE 與 雲端運算的展望
Java EE 與 雲端運算的展望 javatwo2011
 
JavaOne Conference, 2008
JavaOne Conference, 2008JavaOne Conference, 2008
JavaOne Conference, 2008Sean Dawson
 
SPEC INDIA Java Case Study
SPEC INDIA Java Case StudySPEC INDIA Java Case Study
SPEC INDIA Java Case StudySPEC INDIA
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONSMarkus Eisele
 
InterConnect 2016 Java EE 7 Overview (PEJ-5296)
InterConnect 2016 Java EE 7 Overview (PEJ-5296)InterConnect 2016 Java EE 7 Overview (PEJ-5296)
InterConnect 2016 Java EE 7 Overview (PEJ-5296)Kevin Sutter
 
Glassfish JEE Server Administration - JEE Introduction
Glassfish JEE Server Administration - JEE IntroductionGlassfish JEE Server Administration - JEE Introduction
Glassfish JEE Server Administration - JEE IntroductionDanairat Thanabodithammachari
 
Micronaut Deep Dive - Devoxx Belgium 2019
Micronaut Deep Dive - Devoxx Belgium 2019Micronaut Deep Dive - Devoxx Belgium 2019
Micronaut Deep Dive - Devoxx Belgium 2019graemerocher
 
Java EE8 - by Kito Mann
Java EE8 - by Kito Mann Java EE8 - by Kito Mann
Java EE8 - by Kito Mann Kile Niklawski
 

Similaire à ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS (20)

Framework adoption for java enterprise application development
Framework adoption for java enterprise application developmentFramework adoption for java enterprise application development
Framework adoption for java enterprise application development
 
Session 41 - Struts 2 Introduction
Session 41 - Struts 2 IntroductionSession 41 - Struts 2 Introduction
Session 41 - Struts 2 Introduction
 
Struts 2 - Introduction
Struts 2 - Introduction Struts 2 - Introduction
Struts 2 - Introduction
 
Iplanet
IplanetIplanet
Iplanet
 
TS-5358
TS-5358TS-5358
TS-5358
 
TS-5358
TS-5358TS-5358
TS-5358
 
Cloud compiler - Minor Project by students of CBPGEC
Cloud compiler - Minor Project by students of CBPGEC Cloud compiler - Minor Project by students of CBPGEC
Cloud compiler - Minor Project by students of CBPGEC
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
SevillaJUG - Unleash the power of your applications with Micronaut® ,GraalVM...
 
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
GeeCon Prague 2023 - Unleash the power of your applications with Micronaut®, ...
 
Datasheet weblogicpluginforrd
Datasheet weblogicpluginforrdDatasheet weblogicpluginforrd
Datasheet weblogicpluginforrd
 
Java EE 與 雲端運算的展望
Java EE 與 雲端運算的展望 Java EE 與 雲端運算的展望
Java EE 與 雲端運算的展望
 
JavaOne Conference, 2008
JavaOne Conference, 2008JavaOne Conference, 2008
JavaOne Conference, 2008
 
SPEC INDIA Java Case Study
SPEC INDIA Java Case StudySPEC INDIA Java Case Study
SPEC INDIA Java Case Study
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
 
InterConnect 2016 Java EE 7 Overview (PEJ-5296)
InterConnect 2016 Java EE 7 Overview (PEJ-5296)InterConnect 2016 Java EE 7 Overview (PEJ-5296)
InterConnect 2016 Java EE 7 Overview (PEJ-5296)
 
Glassfish JEE Server Administration - JEE Introduction
Glassfish JEE Server Administration - JEE IntroductionGlassfish JEE Server Administration - JEE Introduction
Glassfish JEE Server Administration - JEE Introduction
 
Micronaut Deep Dive - Devoxx Belgium 2019
Micronaut Deep Dive - Devoxx Belgium 2019Micronaut Deep Dive - Devoxx Belgium 2019
Micronaut Deep Dive - Devoxx Belgium 2019
 
Java EE8 - by Kito Mann
Java EE8 - by Kito Mann Java EE8 - by Kito Mann
Java EE8 - by Kito Mann
 

Plus de elliando dias

Clojurescript slides
Clojurescript slidesClojurescript slides
Clojurescript slideselliando dias
 
Why you should be excited about ClojureScript
Why you should be excited about ClojureScriptWhy you should be excited about ClojureScript
Why you should be excited about ClojureScriptelliando dias
 
Functional Programming with Immutable Data Structures
Functional Programming with Immutable Data StructuresFunctional Programming with Immutable Data Structures
Functional Programming with Immutable Data Structureselliando dias
 
Nomenclatura e peças de container
Nomenclatura e peças de containerNomenclatura e peças de container
Nomenclatura e peças de containerelliando dias
 
Polyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better AgilityPolyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better Agilityelliando dias
 
Javascript Libraries
Javascript LibrariesJavascript Libraries
Javascript Librarieselliando dias
 
How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!elliando dias
 
A Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the WebA Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the Webelliando dias
 
Introdução ao Arduino
Introdução ao ArduinoIntrodução ao Arduino
Introdução ao Arduinoelliando dias
 
Incanter Data Sorcery
Incanter Data SorceryIncanter Data Sorcery
Incanter Data Sorceryelliando dias
 
Fab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine DesignFab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine Designelliando dias
 
The Digital Revolution: Machines that makes
The Digital Revolution: Machines that makesThe Digital Revolution: Machines that makes
The Digital Revolution: Machines that makeselliando dias
 
Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.elliando dias
 
Hadoop and Hive Development at Facebook
Hadoop and Hive Development at FacebookHadoop and Hive Development at Facebook
Hadoop and Hive Development at Facebookelliando dias
 
Multi-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case StudyMulti-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case Studyelliando dias
 

Plus de elliando dias (20)

Clojurescript slides
Clojurescript slidesClojurescript slides
Clojurescript slides
 
Why you should be excited about ClojureScript
Why you should be excited about ClojureScriptWhy you should be excited about ClojureScript
Why you should be excited about ClojureScript
 
Functional Programming with Immutable Data Structures
Functional Programming with Immutable Data StructuresFunctional Programming with Immutable Data Structures
Functional Programming with Immutable Data Structures
 
Nomenclatura e peças de container
Nomenclatura e peças de containerNomenclatura e peças de container
Nomenclatura e peças de container
 
Geometria Projetiva
Geometria ProjetivaGeometria Projetiva
Geometria Projetiva
 
Polyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better AgilityPolyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better Agility
 
Javascript Libraries
Javascript LibrariesJavascript Libraries
Javascript Libraries
 
How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!
 
Ragel talk
Ragel talkRagel talk
Ragel talk
 
A Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the WebA Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the Web
 
Introdução ao Arduino
Introdução ao ArduinoIntrodução ao Arduino
Introdução ao Arduino
 
Minicurso arduino
Minicurso arduinoMinicurso arduino
Minicurso arduino
 
Incanter Data Sorcery
Incanter Data SorceryIncanter Data Sorcery
Incanter Data Sorcery
 
Rango
RangoRango
Rango
 
Fab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine DesignFab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine Design
 
The Digital Revolution: Machines that makes
The Digital Revolution: Machines that makesThe Digital Revolution: Machines that makes
The Digital Revolution: Machines that makes
 
Hadoop + Clojure
Hadoop + ClojureHadoop + Clojure
Hadoop + Clojure
 
Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.
 
Hadoop and Hive Development at Facebook
Hadoop and Hive Development at FacebookHadoop and Hive Development at Facebook
Hadoop and Hive Development at Facebook
 
Multi-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case StudyMulti-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case Study
 

Dernier

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS

  • 1. ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS Ben Alex, Principal Software Engineer TS-6348 Speaker’s logo here (optional)
  • 2. Learn what's coming in enterprise application security, and how to achieve it easily today. 2008 JavaOneSM Conference | java.com.sun/javaone | 2
  • 3. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 3
  • 4. Approaching AAAA Security considerations revolve around AAAA • Authentication: who are they? • Authorization: what can they do? • Accounting: what resources did they consume in doing it? • Auditing: what exactly did they do? Java™ Servlets and JAAS Third party products Build your own 2008 JavaOneSM Conference | java.com.sun/javaone | 4
  • 5. Java™ Servlet Security Solid foundation provided by the Servlet API HttpServletRequest methods • boolean isUserInRole(String role) • String getRemoteUser() • Principal getUserPrincipal() Configured in web.xml • <security-constraint> • <login-config> • <security-role> Self registration requirements being considered in JSR 315 2008 JavaOneSM Conference | java.com.sun/javaone | 5
  • 6. JAAS Java Authentication and Authorization Service (JAAS) Optional in Java™ 1.3, and included in SDK from Java™ 1.4 LoginContext CallbackHandler LoginModule Subject Principal Configured in policy files Many Java™ servers use JAAS 2008 JavaOneSM Conference | java.com.sun/javaone | 6
  • 7. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 7
  • 8. What Are “Simple Requirements”? Login form Authentication against common backends Web URL authorization Determining who is logged in Programmatic authorization Logout mechanism Externalization of deployment configuration Transport-level protection Maintaining authentication scope during a session 2008 JavaOneSM Conference | java.com.sun/javaone | 8
  • 9. Demonstration Software My demos today will use Spring Security 2 • Open source project from SpringSource, the company behind Spring • Formerly known as “Acegi Security”, and publicly available since 2003 Builds upon the Java™ platform • Integrates with Java™ Servlet Security container authentication • Integrates with JAAS login modules • External porting efforts underway to .Net, Python and other platforms Spring Security supports all technologies discussed today Widely used in global banking, defense, government etc 2008 JavaOneSM Conference | java.com.sun/javaone | 9
  • 10. Implementing Simple Requirements (in 10 minutes or less) 2008 JavaOneSM Conference | java.com.sun/javaone | 10
  • 11. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 11
  • 12. Component, State and Transition Security We're moving towards component-based web frameworks • For example, Java™ Server Faces • Reducing development time, and increasing modularity Spring Web Flow provides a JSF model and authorization of • States • Flows • Transitions Spring Web Flow unifies JSF and Spring Security 2008 JavaOneSM Conference | java.com.sun/javaone | 12
  • 13. CAPTCHA Overview Completely Automated Public Test to tell Computers and Humans Apart Useful for mitigating denial of service and IP infringement Popular Java™ solutions include JCaptcha and reCAPTCHA Consider accessibility issues • http://tinyurl.com/3ypzck (Matt May, “Escape from Captcha”, 2004) Captchas are often machine decipherable • http://www.cs.sfu.ca/~mori/research/gimpy/ 2008 JavaOneSM Conference | java.com.sun/javaone | 13
  • 14. Single Sign On and Federated Identity NTLM for Microsoft® Windows® intranet apps • Works with Mozilla® Firefox® and Microsoft® Internet Explorer® • Implement using Samba JCIFS JA-SIG Central Authentication Service (CAS) for intranet apps • Java™ (for both client and server, plus full Spring Security support) • Other clients include .Net, PHP, Perl, Apache etc OpenID for Internet apps • Sun®, IBM®, Microsoft®, Google®, Yahoo®, AOL®, Yahoo®, Blogger™ • Implement using OpenID4Java 2008 JavaOneSM Conference | java.com.sun/javaone | 14
  • 15. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 15
  • 16. Protecting Methods Strongly recommended in preference to web authorization • Can still be used concurrently with web URL authorization Before a method invocation • Is the user authorized in view of the signature and arguments? After a method invocation • Was the user authorized in view of the returned object? • Should the returned object be modified in some manner? Typically used on the services or domain layer • Thus all client layers are secured (web, rich client, JMS etc) • Of course, proper encapsulation and layering should remain a priority 2008 JavaOneSM Conference | java.com.sun/javaone | 16
  • 17. JSR 250 Method Security Metadata JSR 250: “Common Annotations for the Java™ Platform™” Annotate classes • @RunAs(“someRole”) • @RolesAllowed(“someRole”) • @PermitAll() • @DenyAll() • @DeclareRoles(“someRole”) Annotation interaction defined in JSR 250, Section 2.11 Spring Security supports JSR-250, plus @Secured, <protect- pointcut>, <protect-method> and custom strategies 2008 JavaOneSM Conference | java.com.sun/javaone | 17
  • 18. Domain Access Control Domain access control considers • Who the user is • Which method they are invoking on which Java™ type • Which domain object instance they are invoking the method on Major considerations • Performance and normalization level of the ACL database • Appropriate tier to perform filtering (eg database-side or Java™) • Potential propagation of user identity from Java™ to database 2008 JavaOneSM Conference | java.com.sun/javaone | 18
  • 19. Method Authorization 2008 JavaOneSM Conference | java.com.sun/javaone | 19
  • 20. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 20
  • 21. Basic Authentication Great for RESTful paradigms and remote clients RFC 1945, Section 11.1 Stateless HTTP header based • Header name: “Authorization” • Header value: “Basic” + “ “ + Base64(username + “:” + password) • Some SSO solutions permit session tokens to be presented over Basic Recommended, but only if used with HTTPS • Consider Digest authentication if only HTTP is available • See RFC 2617 Section 4 for a comparison of Basic and Digest • Be aware of cross-site request forgery risks 2008 JavaOneSM Conference | java.com.sun/javaone | 21
  • 22. WSS (formerly WS-Security) and REST POX WSS provides key security functionality for SOAP Use XWSS for Java™ WSS • Visit https://xwss.dev.java.net/ • XWSS version 2.0 implements OASIS WSS Specification 1.0 • XWSS version 3.0 implements OASIS WSS Specification 1.1 • Part of Project Metro (https://metro.dev.java.net/) and Glassfish™ Spring Web Services integrates XWSS and Spring Security Securing Plain Old XML using the RESTful paradigm • Option 1: Use HTTP Basic authentication • Option 2: Use XPath to extract username/password from XML payload 2008 JavaOneSM Conference | java.com.sun/javaone | 22
  • 23. Securing JMS and ESBs JMS 1.1 does not provide message integrity or privacy • Refer to JMS 1.1 Specification (JSR 914) Section 2.7 • Implementations are expected to provide such features Destination authorization may be provided (eg ActiveMQ) • Read from destination; write to destination; admin destination ESBs may provide implementation-specific capabilities • Endpoint authorization; channel authorization; security translation Spring Integration addresses security in its Q2 2008 roadmap 2008 JavaOneSM Conference | java.com.sun/javaone | 23
  • 24. Enterprise Connectivity 2008 JavaOneSM Conference | java.com.sun/javaone | 24
  • 25. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity AJAX Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 25
  • 26. Securing GWT GWT offers no authentication-specific features • Option 1: ServiceDefTarget.setServiceEndPoint(...) with jsessionid • Option 2: Establish a token, then present it as a cookie and in RPC calls Key considerations • Session and/or token timeout issues • How to robustly logout • Cross-site request forgery • Transition of existing server-side authentication to GWT client Useful GWT security advice • http://tinyurl.com/3akc6y (GWT wiki) offers GWT security advice • http://tinyurl.com/2ynd26 (GWT incubator) includes Spring Security 2008 JavaOneSM Conference | java.com.sun/javaone | 26
  • 27. AJAX Clients and Web 2.0 2008 JavaOneSM Conference | java.com.sun/javaone | 27
  • 28. Agenda A Quick Landscape Review Simple Web Application Security Beyond Simple Web Application Security Adding Method Authorization Enterprise Connectivity Remote Clients and Web 2.0 Final Thoughts 2008 JavaOneSM Conference | java.com.sun/javaone | 28
  • 29. Enterprise Application Security Tips Use a proven security framework; don't roll your own Start simply, and add complexity incrementally Consider user registration requirements Plan for federated identity, particularly involving OpenID For in-house applications, consider NTLM and CAS Employ Captcha techniques to mitigate DoS attacks Favor method authorization over web authorization Annotations-based authorization metadata is quick and easy Very carefully consider any domain object instance security Prefer Basic authentication for RESTful, HTTPS interactions Leverage WSS for transport-independent SOAP 2008 JavaOneSM Conference | java.com.sun/javaone | 29
  • 30. Ben Alex, Principal Software Engineer TS-6348 Speaker’s logo here (optional) 2008 JavaOneSM Conference | java.com.sun/javaone | 30