O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

What is tackled in the Java EE Security API (Java EE 8)

15 de Nov de 2016
5 gostaram 18.775 visualizações
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
Java ee 8 + security overview
Java ee 8 + security overview
Carregando em…3
×

Confira estes a seguir

Seven Points for Applying Java EE 7
Hirofumi Iwasaki
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Arshal Ameen
Java EE 8 Update
Ryan Cuprak
JavaScript Frameworks and Java EE – A Great Match
Reza Rahman
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
Werner Keil
Modern web application development with java ee 7
Shekhar Gulati
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
EJB and CDI - Alignment and Strategy
David Delabassee
1 de 43 Anúncio

What is tackled in the Java EE Security API (Java EE 8)

15 de Nov de 2016
5 gostaram 18.775 visualizações

Baixar para ler offline

Tecnologia

The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.

The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.

Tecnologia
Anúncio

Recomendadas

Java ee 8 + security overview
Rudy De Busscher
3.7k visualizações
45 slides
Java EE Security API - JSR375: Getting Started
Rudy De Busscher
2.1k visualizações
40 slides
Finally, EE Security API JSR 375
Alex Kosowski
13.4k visualizações
80 slides
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
1.7k visualizações
33 slides
Java on Azure
Philly JUG
2.1k visualizações
27 slides
Java EE 8: On the Horizon
Josh Juneau
13.3k visualizações
72 slides
Testing Java EE Applications Using Arquillian
Reza Rahman
25.6k visualizações
17 slides
Java EE8 - by Kito Mann
Kile Niklawski
642 visualizações
69 slides
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (19)

Seven Points for Applying Java EE 7
Hirofumi Iwasaki
24.2k visualizações
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Arshal Ameen
10.5k visualizações
Java EE 8 Update
Ryan Cuprak
9.6k visualizações
JavaScript Frameworks and Java EE – A Great Match
Reza Rahman
132.7k visualizações
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
Werner Keil
1.1k visualizações
Modern web application development with java ee 7
Shekhar Gulati
24k visualizações
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
671 visualizações
EJB and CDI - Alignment and Strategy
David Delabassee
31.9k visualizações
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
877 visualizações
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
1.9k visualizações
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
3.8k visualizações
Security in practice with Java EE 6 and GlassFish
Markus Eisele
7.8k visualizações
CQRS and Event Sourcing
Inho Kang
1.4k visualizações
Java EE 8 - An instant snapshot
David Delabassee
10.7k visualizações
WSO2 Charon
HasiniG
5.4k visualizações
SSL Everywhere!
Simon Haslam
1.1k visualizações
Java Security Framework's
Mohammed Fazuluddin
5.1k visualizações
Standardizing Identity Provisioning with SCIM
HasiniG
2.7k visualizações
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
CloudIDSummit
7.3k visualizações
Seven Points for Applying Java EE 7
Hirofumi Iwasaki
24.2k visualizações
67 slides
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Arshal Ameen
10.5k visualizações
44 slides
Java EE 8 Update
Ryan Cuprak
9.6k visualizações
63 slides
JavaScript Frameworks and Java EE – A Great Match
Reza Rahman
132.7k visualizações
11 slides
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
Werner Keil
1.1k visualizações
49 slides
Modern web application development with java ee 7
Shekhar Gulati
24k visualizações
52 slides

Semelhante a What is tackled in the Java EE Security API (Java EE 8) (20)

Can you keep a secret? (XP Days 2017)
Valerii Moisieienko
310 visualizações
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
5k visualizações
WebLogic authentication debugging
Maarten Smeets
5k visualizações
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
18k visualizações
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
open knowledge GmbH
1.3k visualizações
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Adam Englander
330 visualizações
Enterprise-class security with PostgreSQL - 1
Ashnikbiz
98 visualizações
Intro to Apache Shiro
Claire Hunsaker
5.2k visualizações
State of the art authentication mit Java EE 8
open knowledge GmbH
1.3k visualizações
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
232 visualizações
Managing your secrets in a cloud environment
Taswar Bhatti
2k visualizações
7.1. SDLC try me to implenment
defconmoscow
360 visualizações
Secure JAX-RS
Payara
310 visualizações
Spa Secure Coding Guide
Geoffrey Vandiest
147 visualizações
Isaca sql server 2008 r2 security & auditing
Antonios Chatzipavlis
1.5k visualizações
World Azure Day Mobile Services Presentation
Dmitri Artamonov
1.1k visualizações
Securing Microservices using Play and Akka HTTP
Rafal Gancarz
8k visualizações
Building an Effective Architecture for Identity and Access Management.pdf
Jorge Alvarez
16 visualizações
The Spy Who Loathed Me - An Intro to SQL Server Security
Chris Bell
575 visualizações
Web security and OWASP
Isuru Samaraweera
1.2k visualizações
Can you keep a secret? (XP Days 2017)
Valerii Moisieienko
310 visualizações
31 slides
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
5k visualizações
35 slides
WebLogic authentication debugging
Maarten Smeets
5k visualizações
40 slides
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
18k visualizações
38 slides
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
open knowledge GmbH
1.3k visualizações
170 slides
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Adam Englander
330 visualizações
55 slides
Anúncio

Mais de Rudy De Busscher (14)

core-profile_jakartaOne2022.pdf
Rudy De Busscher
523 visualizações
MicroStream-WithoutDatabase.pdf
Rudy De Busscher
47 visualizações
Jakarta EE 8 on JDK17
Rudy De Busscher
198 visualizações
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
Rudy De Busscher
187 visualizações
Creating a Kubernetes Operator in Java
Rudy De Busscher
118 visualizações
Finally, easy integration testing with Testcontainers
Rudy De Busscher
837 visualizações
Control and monitor_microservices_with_microprofile
Rudy De Busscher
156 visualizações
Transactions in micro-services (fall 2019)
Rudy De Busscher
530 visualizações
Transactions in micro-services (summer 2019)
Rudy De Busscher
547 visualizações
Monitor Micro-service with MicroProfile metrics
Rudy De Busscher
433 visualizações
Gradual migration to MicroProfile
Rudy De Busscher
249 visualizações
Secure JAX-RS
Rudy De Busscher
434 visualizações
From Monolith to micro-services and back : The Self Contained Systems
Rudy De Busscher
603 visualizações
Extending Arquillian graphene
Rudy De Busscher
768 visualizações
core-profile_jakartaOne2022.pdf
Rudy De Busscher
523 visualizações
39 slides
MicroStream-WithoutDatabase.pdf
Rudy De Busscher
47 visualizações
33 slides
Jakarta EE 8 on JDK17
Rudy De Busscher
198 visualizações
34 slides
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
Rudy De Busscher
187 visualizações
17 slides
Creating a Kubernetes Operator in Java
Rudy De Busscher
118 visualizações
14 slides
Finally, easy integration testing with Testcontainers
Rudy De Busscher
837 visualizações
15 slides

Mais recentes (20)

Borel Products catalogue 2023
Borel Swiss
0 visualizações
Orto Alresa series_Digtor_22_C_ENG.pdf
ssuserfd0f7b
0 visualizações
Borel Swiss Fixed Crucible Melting Furnace 1200°C
Borel Swiss
0 visualizações
NavigationSystems_Enroute.pdf
NAVEENP330457
0 visualizações
CINEMA TICKETING KIOSK
PanashiFZCO1
0 visualizações
Use Case of Blockchain Technology
Maximus Tech
0 visualizações
12 Critical Cyber Controls for Insurance.pptx
Mike Mihm
0 visualizações
reactppt.pptx
sandeepsingh360571
0 visualizações
Paris Blockchain Week-Report 2023.pdf
Lou Kerner
0 visualizações
AGILE Model (SDLC).pptx
MahithDias
0 visualizações
Getting Started with SQL Language.pptx
Cecilia Brusatori
0 visualizações
MIL DLL June 5- 9, 2017 Grade 12.docx
JcKingz
0 visualizações
Vasu_Aggarwal_Resume_Devops_B.Tech_CS.pdf
Vasu Agarwal
3 visualizações
Digital Technology.pptx
PutraAdi19
0 visualizações
The Five Phases of Agile Maturity (Part 2): Phase 3 and 4
Cprime
0 visualizações
MIL DLL September 18-22, 2017 Grade 12.docx
JcKingz
0 visualizações
Advanced Ceramics.pdf
RushiDalve
0 visualizações
Synthetic Food.pdf
RushiDalve
0 visualizações
Introduction to Information Management.pptx
RodolfoIII2
3 visualizações
Sniffing.ppt
ssuser22fe33
0 visualizações
Borel Products catalogue 2023
Borel Swiss
0 visualizações
24 slides
Orto Alresa series_Digtor_22_C_ENG.pdf
ssuserfd0f7b
0 visualizações
9 slides
Borel Swiss Fixed Crucible Melting Furnace 1200°C
Borel Swiss
0 visualizações
1 slide
NavigationSystems_Enroute.pdf
NAVEENP330457
0 visualizações
42 slides
CINEMA TICKETING KIOSK
PanashiFZCO1
0 visualizações
7 slides
Use Case of Blockchain Technology
Maximus Tech
0 visualizações
10 slides
Anúncio

What is tackled in the Java EE Security API (Java EE 8)

  1. 1. What is tackled in the Java EE Security API (Java EE 8)
  2. 2. A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
  3. 3. • C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
  4. 4. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  5. 5. W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
  6. 6. T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
  7. 7. J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
  8. 8. So what is standardised?
  9. 9. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  10. 10. J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
  11. 11. Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
  12. 12. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
  13. 13. J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
  14. 14. G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
  15. 15. I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
  16. 16. S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
  17. 17. JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
  18. 18. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
  19. 19. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  20. 20. H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
  21. 21. @CustomFormAuthenticationMechanismDefinition(
 loginToContinue = @LoginToContinue(
 loginPage="/login.xhtml",
 errorPage=""
 )
 )
  22. 22. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  23. 23. I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
  24. 24. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
  25. 25. C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
  26. 26. • CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
  27. 27. Demo BASIC
 IN MEMORY
  28. 28. Demo FORM IN JSF WITH LDAP
  29. 29. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  30. 30. T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
  31. 31. M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
  32. 32. M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
  33. 33. I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
  34. 34. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
  35. 35. Demo MULTI STORE
  36. 36. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  37. 37. E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
  38. 38. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  39. 39. S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
  40. 40. Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
  41. 41. Q & A

×