SlideShare une entreprise Scribd logo

What is tackled in the Java EE Security API (Java EE 8)

Rudy De Busscher
Rudy De Busscher

The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.

Technologie
1  sur  43
Télécharger pour lire hors ligne
What is tackled in the Java EE Security API (Java EE 8)
A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
• C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
So what is standardised?
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
@CustomFormAuthenticationMechanismDefinition(
 loginToContinue = @LoginToContinue(
 loginPage="/login.xhtml",
 errorPage=""
 )
 )
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
@LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
• CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
Demo BASIC
 IN MEMORY
Demo FORM IN JSF WITH LDAP
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
@LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
Demo MULTI STORE
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
Q & A

Recommandé

Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Okta docs
Okta docsOkta docs
Okta docsSam Bauch
 

Recommandé

Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Okta docs
Okta docsOkta docs
Okta docsSam Bauch
 
REST API Design
REST API DesignREST API Design
REST API DesignDevi Kiran G
 
Spring Mvc,Java, Spring
Spring Mvc,Java, SpringSpring Mvc,Java, Spring
Spring Mvc,Java, Springifnu bima
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Spring security
Spring securitySpring security
Spring securitySaurabh Sharma
 
Springboot Microservices
Springboot MicroservicesSpringboot Microservices
Springboot MicroservicesNexThoughts Technologies
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateCraig Wu
 
What is Dependency Injection in Spring Boot | Edureka
What is Dependency Injection in Spring Boot | EdurekaWhat is Dependency Injection in Spring Boot | Edureka
What is Dependency Injection in Spring Boot | EdurekaEdureka!
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwtJaya Kumar Kondapalli
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample applicationAnil Allewar
 
WebSockets with Spring 4
WebSockets with Spring 4WebSockets with Spring 4
WebSockets with Spring 4Sergi Almar i Graupera
 
Testando API REST - Parte 1
Testando API REST - Parte 1Testando API REST - Parte 1
Testando API REST - Parte 1alinebiath
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)Brian Swartzfager
 
Resume-UI developer
Resume-UI developerResume-UI developer
Resume-UI developerSriSubba Kasireddy
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Rudy De Busscher
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 

Contenu connexe

Tendances

Spring Mvc,Java, Spring
Spring Mvc,Java, SpringSpring Mvc,Java, Spring
Spring Mvc,Java, Springifnu bima
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateCraig Wu
 
What is Dependency Injection in Spring Boot | Edureka
What is Dependency Injection in Spring Boot | EdurekaWhat is Dependency Injection in Spring Boot | Edureka
What is Dependency Injection in Spring Boot | EdurekaEdureka!
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample applicationAnil Allewar
 
Testando API REST - Parte 1
Testando API REST - Parte 1Testando API REST - Parte 1
Testando API REST - Parte 1alinebiath
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)Brian Swartzfager
 

Tendances (20)

REST API Design
REST API DesignREST API Design
REST API Design
 
Spring Mvc,Java, Spring
Spring Mvc,Java, SpringSpring Mvc,Java, Spring
Spring Mvc,Java, Spring
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Spring security
Spring securitySpring security
Spring security
 
Springboot Microservices
Springboot MicroservicesSpringboot Microservices
Springboot Microservices
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederate
 
What is Dependency Injection in Spring Boot | Edureka
What is Dependency Injection in Spring Boot | EdurekaWhat is Dependency Injection in Spring Boot | Edureka
What is Dependency Injection in Spring Boot | Edureka
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwt
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample application
 
WebSockets with Spring 4
WebSockets with Spring 4WebSockets with Spring 4
WebSockets with Spring 4
 
Testando API REST - Parte 1
Testando API REST - Parte 1Testando API REST - Parte 1
Testando API REST - Parte 1
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)
 
Resume-UI developer
Resume-UI developerResume-UI developer
Resume-UI developer
 

Similaire à What is tackled in the Java EE Security API (Java EE 8)

Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Rudy De Busscher
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debuggingMaarten Smeets
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8OPEN KNOWLEDGE GmbH
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Adam Englander
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Ashnikbiz
 
State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8OPEN KNOWLEDGE GmbH
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenmentdefconmoscow
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSPayara
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure IdentitySarah Dutkiewicz
 
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingIsaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingAntonios Chatzipavlis
 

Similaire à What is tackled in the Java EE Security API (Java EE 8) (20)

Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debugging
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
 
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingIsaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditing
 

Plus de Rudy De Busscher

jakarta-integration-testing.pdf
jakarta-integration-testing.pdfjakarta-integration-testing.pdf
jakarta-integration-testing.pdfRudy De Busscher
 
core-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfcore-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfRudy De Busscher
 
MicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfMicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfRudy De Busscher
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupRudy De Busscher
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaRudy De Busscher
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersRudy De Busscher
 
Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileRudy De Busscher
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Rudy De Busscher
 
Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Rudy De Busscher
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsRudy De Busscher
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfileRudy De Busscher
 
From Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsFrom Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsRudy De Busscher
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene Rudy De Busscher
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 

Plus de Rudy De Busscher (16)

jakarta-integration-testing.pdf
jakarta-integration-testing.pdfjakarta-integration-testing.pdf
jakarta-integration-testing.pdf
 
core-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfcore-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdf
 
MicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfMicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdf
 
Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with Testcontainers
 
Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)
 
Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metrics
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfile
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
From Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsFrom Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained Systems
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 

Dernier

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Dernier (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

What is tackled in the Java EE Security API (Java EE 8)

  • 1.
  • 2. What is tackled in the Java EE Security API (Java EE 8)
  • 3. A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
  • 4. • C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
  • 5. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  • 6. W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
  • 7. T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
  • 8. J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
  • 9. So what is standardised?
  • 10. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  • 11. J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
  • 12.
  • 13. Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
  • 14. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
  • 15. J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
  • 16. G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
  • 17. I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
  • 18. S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
  • 19. JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
  • 20. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
  • 21. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 22. H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
  • 24. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 25. I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
  • 26. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
  • 27. C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
  • 28. • CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
  • 31. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 32. T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
  • 33. M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
  • 34. M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
  • 35. I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
  • 36. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
  • 38. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 39. E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
  • 40. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 41. S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
  • 42. Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
  • 43. Q & A