What is tackled in the Java EE Security API (Java EE 8)
The document details the Java EE Security API (JSR-375), emphasizing the need for modernization to address portability and usability issues in cloud applications. It discusses the various concepts involved, including authentication mechanisms, identity stores, and authorization processes while encouraging participation in the development process through resources and repositories. The aim is to create a simplified and standardized security framework for Java EE developers that integrates various authentication and authorization sources.
AGENDA
• JAVA EE SECURITY
• WHY UPDATE?
• ALREADY AVAILABLE?
• JSR-375
• SOTERIA
• CONCEPTS
• DEMO
WHO AM I: RUDY DE BUSSCHER
• C4J
• Senior Java Web Developer, Java Coach, Information Security
• JSR-375: Java EE Security API Expert Group member
• Java EE Believer
@rdebusscher
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
WHY UPDATE?
• Why Update?
• What is available?
• JSR-375
• Concepts
  • Authentication Mechanism
  • IdentityStore
  • Authentication - Authorization
  • Custom integration
  • Security Context
WHY A NEW JSR?
• Java EE Security is viewed as not portable, abstract/confusing, antiquated
• Doesn't fit the cloud app developer paradigm: requires app server configuration
TERMINOLOGY?
• What is that "something" where identities are stored?
  • realm (Tomcat, some hints in Servlet spec)
  • (auth) repository
  • (auth) store
  • login module (JAAS)
  • identity manager (Undertow)
  • authenticator (Resin, OmniSecurity, Seam Security)
  • authentication provider (Spring Security)
  • identity provider
JAVA EE SECURITY
• No JSR exists to address security overall
• Each JSR has its 'own' way
• They look at each other, but ...
JASPIC: Java Authentication Service Provider Interface for Containers
• Java EE 6
• For custom logic
• BASIC/FORM/DIGEST
• Low level (per request)
• Verbose
GOALS
JSR-375
• EG discussions started March 2015
• EG members
  • EE API veterans: many JSRs, many years struggling with the Security API
  • 3rd-party security framework creators/developers
  • EE platform security implementers
• October 2016
  • EG updated, switch of Spec Lead
GOALS
• Plug the portability holes
• Modernize
  • Contexts and Dependency Injection (CDI)
    • Intercept at Access Enforcement Points: POJO methods
  • Expression Language (EL)
    • Enable Access Enforcement Points with complex rules
• App developer friendly
  • Common security configurations not requiring server changes
  • Annotation defaults not requiring XML
IDEAS (targets: JAVA EE 8, JAVA EE 9)
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Security Context
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Authorization Interceptors
• + ...
SOTERIA
• In Greek mythology, Soteria was the goddess of safety and salvation.
• RI of JSR-375
• Should work on Java EE 7
  • WildFly 10+
  • Payara 4.1.1.161+
  • TomEE 7.0.2+
  • WebSphere Liberty 2016.9+
CONCEPTS
HTTP AUTHENTICATION MECHANISM
• How are credentials retrieved?
• BASIC
• FORM
  • classic j_security_check, ...
• CustomForm
  • programmatic
• Custom
  • For JAX-RS endpoints, ...
IDENTITY STORE
• Verify credentials
• LDAP
• DATABASE
  • with configurable queries
• EMBEDDED
  • Easy for testing with hardcoded values
• Custom
  • Whatever your need is
TRIPLE A
• Authentication
  • Verifying that a user is who she says she is.
• Authorisation
  • Verifying that she can execute only the actions allowed by her privileges.
• Accounting
  • Audit
MULTI STORE
• Authentication / Authorisation
  • From multiple sources!
• Examples
  • Scenario 1
    • Authentication: LDAP
    • Authorisation: Database
MULTI STORE (2)
• Scenario 2
  • Authentication: OAuth2
  • Authentication: Limited to a certain email domain
  • Authorization: ...
• Scenario 3
  • Authentication: ...
  • Authorisation: Database
  • Authorisation (in test): Extra roles/permissions
IDENTITY STORE HANDLER
• IdentityStoreHandler
  • Handles multiple defined Identity Stores
• ValidationType on IdentityStore
  • BOTH
  • AUTHENTICATION
  • AUTHORIZATION
EXTENSIBILITY
• interface HttpAuthenticationMechanism
• interface IdentityStore
• interface IdentityStoreHandler
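The three extension points above wired together for multi-store Scenario 1 (authentication in one store, authorisation in another), as an added example that is not from the deck or from Soteria. It uses the final JSR-375 package names and ValidationType values (VALIDATE and PROVIDE_GROUPS correspond to the slide's AUTHENTICATION and AUTHORIZATION); the X-User / X-Password headers, the user table and the group mapping are constructed stand-ins for LDAP and a database.

```java
import java.util.*;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.*;
import javax.security.enterprise.credential.*;
import javax.security.enterprise.identitystore.*;
import javax.servlet.http.*;

// Store 1, stand-in for the LDAP store: only verifies the password (VALIDATE) and reports no groups.
@ApplicationScoped
class PasswordOnlyStore implements IdentityStore {
    // Constructed user table; a real store would look the caller up in LDAP and compare a password hash.
    private final Map<String, String> users = Collections.singletonMap("alice", "s3cret");
    @Override public Set<ValidationType> validationTypes() { return EnumSet.of(ValidationType.VALIDATE); }
    @Override public CredentialValidationResult validate(Credential credential) {
        // Not our credential type: NOT_VALIDATED lets the handler ask the next store.
        if (!(credential instanceof UsernamePasswordCredential)) return CredentialValidationResult.NOT_VALIDATED_RESULT;
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String expected = users.get(upc.getCaller());
        return expected != null && upc.compareTo(upc.getCaller(), expected)
                ? new CredentialValidationResult(upc.getCaller())   // VALID, caller name only, no groups
                : CredentialValidationResult.INVALID_RESULT;
    }
}

// Store 2, stand-in for the database store: only maps an already validated caller to groups (PROVIDE_GROUPS).
@ApplicationScoped
class GroupOnlyStore implements IdentityStore {
    @Override public Set<ValidationType> validationTypes() { return EnumSet.of(ValidationType.PROVIDE_GROUPS); }
    @Override public Set<String> getCallerGroups(CredentialValidationResult validated) {
        // Constructed mapping; a real store would run a configurable query against the database.
        return "alice".equals(validated.getCallerPrincipal().getName())
                ? Collections.singleton("admin") : Collections.emptySet();
    }
}

// Custom HttpAuthenticationMechanism (the slide's "Custom", e.g. for JAX-RS): credentials come from
// two assumed headers and the injected IdentityStoreHandler runs both stores in priority order.
@ApplicationScoped
class HeaderAuthenticationMechanism implements HttpAuthenticationMechanism {
    @Inject private IdentityStoreHandler storeHandler;
    @Override public AuthenticationStatus validateRequest(HttpServletRequest req,
            HttpServletResponse resp, HttpMessageContext ctx) {
        String user = req.getHeader("X-User"), password = req.getHeader("X-Password");
        // No credentials: unprotected resources continue anonymously, protected ones get 401.
        if (user == null || password == null) return ctx.isProtected() ? ctx.responseUnauthorized() : ctx.doNothing();
        CredentialValidationResult result = storeHandler.validate(new UsernamePasswordCredential(user, password));
        // VALID only if store 1 accepted the password; the groups in the result come from store 2.
        return result.getStatus() == CredentialValidationResult.Status.VALID
                ? ctx.notifyContainerAboutLogin(result) : ctx.responseUnauthorized();
    }
}
```

The three classes are package-private so they fit one file here; in a project each would be its own CDI bean, and the plaintext comparison in store 1 would be replaced by a hash check such as the API's Pbkdf2PasswordHash.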
SECURITY CONTEXT
(Diagram: the Security Context is linked to the Authentication Mechanism, the Identity Store, the Principal Info for the Request and the Authorization Interceptors; the arrows are labelled USES and DATA.)
GET INVOLVED
• Project page: the starting point to all resources
  https://java.net/projects/javaee-security-spec
• Users list: subscribe and contribute
  users@javaee-security-spec.java.net
• GitHub Soteria repository: fork and play!
  https://github.com/javaee-security-spec/soteria