SlideShare uma empresa Scribd logo

Security in java ee platform: what is included, what is missing

Transferir como PPT, PDF
Masoud Kalali
Masoud Kalali

The slides discuss current state of Java EE security, included features and missing ones.

Tecnologia
1 de 13
Java EE Platform Security What is included, what is missing. Masoud Kalali Author of GlassFish security book Http://kalali.me
What can Security refer to?
Security requirements ,[object Object],[object Object],[object Object],[object Object]
Java EE and Security Requirements I @ServletSecurity(@HttpConstraint(rolesAllowed = {&quot;manager&quot;, &quot;administrator&quot;})) ... String usrname = request.getParameter(&quot;username&quot;); String pass = request.getParameter(&quot;password&quot;); request.login(strUsername, strPassword); .... <login-config> <auth-method>BASIC</auth-method> <realm-name>JDBCRealm</realm-name> </login-config> ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Java EE and Security Requirements II ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],<method-permission> <role-name>manager</role-name> <method> <ejb-name>Emp</ejb-name> <method-name>getAge</method-name> </method> </method-permission> Annotation Targets Level Target Kind @DeclareRoles Class EJB, Servlet @RunAs Class EJB, Servlet @ServletSecurity Class Servlet @PermitAll Class, Method EJB @DenyAll Method EJB @RolesAllowed Class, Method EJB
Java EE and Security Requirements III ,[object Object],[object Object],[object Object],[object Object],<security-constraint> <display-name>Current Online Users</display-name> <web-resource-collection> <web-resource-name>online users</web-resource-name> <description/> <url-pattern>/admin/online/*</url-pattern> </web-resource-collection> <auth-constraint> <description/> <role-name>manager</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Java EE and Security Requirements IV ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Is that All? Really, Is that all we need to have? Do we miss anything major? Is there anything still basic and good to have?
Basic, but missing requirements ,[object Object],[object Object],[object Object]
Basic, but missing requirements I ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Authentication chain:
Basic, but missing requirements II Fine grained access control ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Basic, but missing requirements III What to do with more SSO requirements? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Time For Questions Questions? You can contact me at [email_address] or http://twitter.com/MasoudKalali

Recomendados

JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene Rudy De Busscher
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 

Recomendados

JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene Rudy De Busscher
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
Spring Security
Spring SecuritySpring Security
Spring SecurityManish Sharma
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIsClaire Hunsaker
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Fun With Spring Security
Fun With Spring SecurityFun With Spring Security
Fun With Spring SecurityBurt Beckwith
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overviewwhite paper
 

Mais conteúdo relacionado

Mais procurados

From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Fun With Spring Security
Fun With Spring SecurityFun With Spring Security
Fun With Spring SecurityBurt Beckwith
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 

Mais procurados (20)

From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache Shiro
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 
Java Security
Java SecurityJava Security
Java Security
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Fun With Spring Security
Fun With Spring SecurityFun With Spring Security
Fun With Spring Security
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 

Destaque

Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overviewwhite paper
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Martin Toshev
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Serviceguest536dd0e
 
Security via Java
Security via JavaSecurity via Java
Security via JavaBahaa Zaid
 

Destaque (6)

Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning Talk
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overview
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
 
Java security
Java securityJava security
Java security
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Security via Java
Security via JavaSecurity via Java
Security via Java
 

Semelhante a Security in java ee platform: what is included, what is missing

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring SecurityJohn Lewis
 
Automated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLAutomated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLdiongillard
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
Testing Ajax Web Applications
Testing Ajax Web ApplicationsTesting Ajax Web Applications
Testing Ajax Web ApplicationsTed Husted
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formDiana Pinchuk
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developersaritasingh19866
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Dakiry
 
Getting Started with CAS
Getting Started with CASGetting Started with CAS
Getting Started with CASMisagh Moayyed
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016Joe Ferguson
 
Acceptance & Functional Testing with Codeception - Devspace 2015
Acceptance & Functional Testing with Codeception - Devspace 2015 Acceptance & Functional Testing with Codeception - Devspace 2015
Acceptance & Functional Testing with Codeception - Devspace 2015 Joe Ferguson
 
Web App Testing With Selenium
Web App Testing With SeleniumWeb App Testing With Selenium
Web App Testing With Seleniumjoaopmaia
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityMasoud Kalali
 

Semelhante a Security in java ee platform: what is included, what is missing (20)

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring Security
 
Automated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLAutomated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XML
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Web Services Security
Web Services SecurityWeb Services Security
Web Services Security
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Testing Ajax Web Applications
Testing Ajax Web ApplicationsTesting Ajax Web Applications
Testing Ajax Web Applications
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developer
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
 
Getting Started with CAS
Getting Started with CASGetting Started with CAS
Getting Started with CAS
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
 
Acceptance & Functional Testing with Codeception - Devspace 2015
Acceptance & Functional Testing with Codeception - Devspace 2015 Acceptance & Functional Testing with Codeception - Devspace 2015
Acceptance & Functional Testing with Codeception - Devspace 2015
 
Web App Testing With Selenium
Web App Testing With SeleniumWeb App Testing With Selenium
Web App Testing With Selenium
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
 

Mais de Masoud Kalali

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsMasoud Kalali
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EEMasoud Kalali
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyMasoud Kalali
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsMasoud Kalali
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceMasoud Kalali
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Masoud Kalali
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodologyMasoud Kalali
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.Masoud Kalali
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the futureMasoud Kalali
 

Mais de Masoud Kalali (12)

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutions
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectively
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and Solutions
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
Java EE 7 overview
Java EE 7 overviewJava EE 7 overview
Java EE 7 overview
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodology
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the future
 

Último

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Último (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Security in java ee platform: what is included, what is missing

  • 1. Java EE Platform Security What is included, what is missing. Masoud Kalali Author of GlassFish security book Http://kalali.me
  • 2. What can Security refer to?
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8. Is that All? Really, Is that all we need to have? Do we miss anything major? Is there anything still basic and good to have?
  • 9.
  • 10.
  • 11.
  • 12.
  • 13. Time For Questions Questions? You can contact me at [email_address] or http://twitter.com/MasoudKalali