Upcoming SlideShare
What is tackled in the Java EE Security API (Java EE 8)
- 1. What is tackled in the Java EE Security API (Java EE 8)
- 2. A G E N D A JAVA EE SECURITY WHY UPDATE? ALREADY AVAILABLE? JSR-375 SOTERIA CONCEPTS DEMO
- 3. • C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
- 4. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
- 5. W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
- 6. T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
- 7. J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
- 8. So what is standardised?
- 9. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
- 10. J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
- 11. Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
- 12. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
- 13. J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
- 14. G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
- 15. I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
- 16. S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
- 17. JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
- 18. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
- 19. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 20. H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
- 21. @CustomFormAuthenticationMechanismDefinition( loginToContinue = @LoginToContinue( loginPage="/login.xhtml", errorPage="" ) )
- 22. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 23. I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
- 24. @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net", password = "changeOnInstall", searchBase = "dc=jsr375,dc=net", searchExpression = "(&(uid=%s)(objectClass=person))", groupBaseDn = "ou=group,dc=jsr375,dc=net" )
- 25. C D I • Context and Dependency Injection concepts used for many artefacts. • Extension to read the annotations and create required beans.
- 26. • CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
- 27. Demo BASIC IN MEMORY
- 28. Demo FORM IN JSF WITH LDAP
- 29. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 30. T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
- 31. M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
- 32. M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
- 33. I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
- 34. @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net", password = "changeOnInstall", searchBase = "dc=jsr375,dc=net", searchExpression = "(&(uid=%s)(objectClass=person))", groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true )
- 35. Demo MULTI STORE
- 36. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 37. E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
- 38. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 39. S E C U R I T Y C O N T E X T Security Context Authentication Mechanism Identity Store Principal Info for Request Authorization Interceptors U S E S D A T A
- 40. Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
- 41. Q & A
Login to see the comments