What is tackled in the Java EE Security API (Java EE 8)
The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will no longer be needed and things will be much more app-developer friendly, aligning security with the ease of development we saw in the recent versions of Java EE. We will show you the basic goals and concepts behind the Java EE Security API and, of course, demos with the current version of the RI, named Soteria, of how you can do authentication and authorization.

Published in: Technology

1. What is tackled in the Java EE Security API (Java EE 8)
2. AGENDA
• Java EE security: why update?
• What is already available?
• JSR-375
• Soteria
• Concepts
• Demo
3. WHO AM I: RUDY DE BUSSCHER
• C4J
• Senior Java Web Developer, Java Coach, Information Security
• JSR-375: Java EE Security API Expert Group member
• Java EE believer
• @rdebusscher
• http://jsfcorner.blogspot.be
• http://javaeesquad.blogspot.be
4. WHY UPDATE? (agenda)
• Why update?
• What is available?
• JSR-375
• Concepts
  • Authentication Mechanism
  • IdentityStore
  • Authentication - Authorization
  • Custom integration
  • Security Context
5. WHY A NEW JSR?
• Java EE security is viewed as not portable, abstract/confusing, antiquated
• Doesn't fit the cloud app developer paradigm: it requires application server configuration
6. TERMINOLOGY?
• What is that "something" where identities are stored?
• realm (Tomcat, some hints in the Servlet spec)
• (auth) repository
• (auth) store
• login module (JAAS)
• identity manager (Undertow)
• authenticator (Resin, OmniSecurity, Seam Security)
• authentication provider (Spring Security)
• identity provider
7. JAVA EE SECURITY
• No JSR exists to address security overall
• Each JSR has its own way
• They look at each other, but ...
8. So what is standardised?
9. WHY UPDATE? (agenda slide repeated, see slide 4)
10. JASPIC: Java Authentication Service Provider Interface for Containers (JSR 196)
• Java EE 6
• For custom logic
• BASIC/FORM/DIGEST
• Low level (per request)
• Verbose
11. JACC: Java Authorization Contract for Containers (JSR 115)
• J2EE 1.4 era
• C.O.M.P.L.E.X.I.T.Y
• Application server wide
• No role mapping specified (group-to-role mapping stays vendor-specific)
12. GOALS (agenda slide repeated, see slide 4)
13. JSR-375
• EG discussions started March 2015
• EG members
  • EE API veterans: many JSRs, many years struggling with the security API
  • 3rd-party security framework creators/developers
  • EE platform security implementers
• October 2016: EG updated, switch of Spec Lead
14. GOALS
• Plug the portability holes
• Modernize
  • Contexts and Dependency Injection (CDI)
  • Intercept at access enforcement points: POJO methods
  • Expression Language (EL)
  • Enable access enforcement points with complex rules
• App developer friendly
  • Common security configurations not requiring server changes
  • Annotation defaults not requiring XML
15. IDEAS (planned over Java EE 8 and Java EE 9)
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Security Context
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Authorization Interceptors
• + ...
16. SOTERIA
• In Greek mythology, Soteria was the goddess of safety and salvation.
• RI of JSR-375
• Should work on Java EE 7
  • WildFly 10+
  • Payara 4.1.1.161+
  • TomEE 7.0.2+
  • WebSphere Liberty 2016.9+
17. USING: Soteria is built on JASPIC and JACC, the existing blocks for authentication and authorization
18. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
19. CONCEPTS (agenda slide repeated, see slide 4)
20. HTTP AUTHENTICATION MECHANISM
• How are credentials retrieved?
• BASIC
• FORM: classic j_security_check, ...
• CustomForm: programmatic
• Custom: for JAX-RS endpoints, ...
21. CustomForm definition

```java
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;

// Placed once on any CDI bean (Java EE 8 final package names); the app renders /login.xhtml itself
@CustomFormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.xhtml",
        errorPage = ""   // left empty: the login backing bean handles the SEND_FAILURE status itself
    )
)
@ApplicationScoped
public class SecurityConfig { }
```
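The programmatic half of the CustomForm mechanism, as an added example that is not from the slides or from Soteria: a JSF backing bean for the /login.xhtml page configured above. The bean name, the field names and the "index" outcome are assumptions; the API calls (SecurityContext.authenticate, AuthenticationParameters.withParams, UsernamePasswordCredential, AuthenticationStatus) are the final Java EE 8 ones.

```java
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters.withParams;

// Backing bean behind /login.xhtml (bean and field names are assumptions). The form posts
// caller name and password here; the bean hands them to the container through SecurityContext
// and never compares them itself, so the configured IdentityStore(s) decide.
@Named
@RequestScoped
public class LoginBean {

    @Inject
    private SecurityContext securityContext;

    private String username;
    private String password;

    public String login() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();

        AuthenticationStatus status = securityContext.authenticate(
                (HttpServletRequest) externalContext.getRequest(),
                (HttpServletResponse) externalContext.getResponse(),
                withParams().credential(new UsernamePasswordCredential(username, password)));

        password = null; // drop the clear-text password as soon as the container has it

        switch (status) {
            case SEND_CONTINUE:
                // The mechanism already redirected to the page that triggered the login;
                // tell JSF not to render another response on top of it.
                facesContext.responseComplete();
                return null;
            case SEND_FAILURE:
                // Same message for unknown caller and wrong password: no user enumeration.
                facesContext.addMessage(null,
                        new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
                return null;
            default:
                // SUCCESS without a saved request, or NOT_DONE: land on the start page.
                return "index?faces-redirect=true";
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The bean knows nothing about where identities live: swapping the LDAP store for a database store, or adding a second store, changes the annotations, not this code. That is the portability point of the slide.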
22. CONCEPTS (agenda slide repeated, see slide 4)
23. IDENTITY STORE
• Verify credentials
• LDAP
• DATABASE, with configurable queries
• EMBEDDED: easy for testing with hardcoded values
• Custom: whatever your need is
24. LDAP identity store definition

```java
// Attribute names are those of the early Soteria draft used in the talk; the final Java EE 8
// API renamed them (bindDn / bindDnPassword, callerSearchBase, callerSearchFilter, groupSearchBase).
@LdapIdentityStoreDefinition(
    url = "ldap://localhost:33389/",   // plain ldap: fine for a local demo, use ldaps:// outside it
    baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
    password = "changeOnInstall",      // bind password in source: load it from configuration instead
    searchBase = "dc=jsr375,dc=net",
    searchExpression = "(&(uid=%s)(objectClass=person))",  // %s = caller name; it must be RFC 4515 escaped before substitution
    groupBaseDn = "ou=group,dc=jsr375,dc=net"
)
@ApplicationScoped
public class LdapConfig { }   // the definition goes on any CDI bean
```
25. CDI
• Contexts and Dependency Injection concepts are used for many artefacts.
• A CDI extension reads the annotations and creates the required beans.
26.
• CDI -> beans.xml: CDI must be enabled in the archive
• HttpAuthenticationMechanism: one is required to activate Soteria
27. Demo: BASIC, IN MEMORY
28. Demo: FORM IN JSF WITH LDAP
29. CONCEPTS (agenda slide repeated, see slide 4)
30. TRIPLE A
• Authentication: verifying that a user is who she says she is.
• Authorisation: the user may only execute the actions their privileges allow.
• Accounting: audit
31. MULTI STORE
• Authentication / authorisation from multiple sources!
• Examples
  • Scenario 1: Authentication: LDAP; Authorisation: Database
32. MULTI STORE (2)
• Scenario 2: Authentication: OAuth2; Authentication: limited to a certain email domain; Authorization: ...
• Scenario 3: Authentication: ...; Authorisation: Database; Authorisation (in test): extra roles/permissions
33. IDENTITY STORE HANDLER
• IdentityStoreHandler: handles multiple defined identity stores
• ValidationType on IdentityStore: BOTH, AUTHENTICATION, AUTHORIZATION (in the final Java EE 8 API these became useFor = VALIDATE and/or PROVIDE_GROUPS)
34. LDAP store restricted to authentication

```java
// Same store as on slide 24, now used for authentication only: with authenticateOnly = true the
// handler never asks it for groups, so another store (e.g. the database) supplies the roles.
// In the final Java EE 8 API this became useFor = ValidationType.VALIDATE.
@LdapIdentityStoreDefinition(
    url = "ldap://localhost:33389/",
    baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
    password = "changeOnInstall",
    searchBase = "dc=jsr375,dc=net",
    searchExpression = "(&(uid=%s)(objectClass=person))",
    groupBaseDn = "ou=group,dc=jsr375,dc=net",
    authenticateOnly = true
)
@ApplicationScoped
public class LdapAuthOnlyConfig { }
```
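Scenario 3 from slide 32 (a store that validates credentials plus an authorisation-only store adding extra test roles) and the Custom identity store of slide 23, as one added example that is not part of the slides or of Soteria. The two store classes, their priorities, the caller "alice" and her groups are constructed for the example; the interfaces and ValidationType values are the final Java EE 8 API (VALIDATE / PROVIDE_GROUPS in place of the draft's authenticateOnly), and injecting Pbkdf2PasswordHash directly assumes the container exposes Soteria's implementation as a CDI bean.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;

// Store 1 (the "Authentication" half): checks the password, never answers group queries.
@ApplicationScoped
public class HashedCredentialStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash; // assumption: provided as a CDI bean by Soteria

    // Constructed sample data: caller name -> PBKDF2 hash. Real code loads this from a
    // database or configuration; it is generated here only so the example runs on its own.
    private final Map<String, String> hashes = new HashMap<>();

    @PostConstruct
    void init() {
        passwordHash.initialize(Collections.emptyMap()); // keep the implementation's defaults
        hashes.put("alice", passwordHash.generate("correct horse battery staple".toCharArray()));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // not ours, let another store try
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String stored = hashes.get(upc.getCaller());
        if (stored == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // verify() compares in the hash domain; never String.equals() on clear text.
        return passwordHash.verify(upc.getPassword().getValue(), stored)
                ? new CredentialValidationResult(upc.getCaller())
                : CredentialValidationResult.INVALID_RESULT;
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(VALIDATE); // replaces the draft's authenticateOnly = true
    }

    @Override
    public int priority() {
        return 10; // lower value = consulted earlier
    }
}

// Store 2 ("Authorisation (in test): extra roles"): only adds groups for callers that
// a VALIDATE store has already accepted; it is never handed a password.
@ApplicationScoped
class TestRoleStore implements IdentityStore {

    private final Map<String, Set<String>> extraGroups = new HashMap<>();

    @PostConstruct
    void init() {
        extraGroups.put("alice", new HashSet<>(Arrays.asList("admin", "tester"))); // constructed
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        return extraGroups.getOrDefault(validationResult.getCallerPrincipal().getName(),
                Collections.emptySet());
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(PROVIDE_GROUPS);
    }

    @Override
    public int priority() {
        return 20;
    }
}
```

With the default IdentityStoreHandler the VALIDATE stores are tried in priority order until one returns VALID, after which every PROVIDE_GROUPS store is asked for groups and the results are merged into the caller's roles. Keep a groups-only store like TestRoleStore out of production deployments (a test profile or a separate archive); anything that can add "admin" to a caller is an authorization decision, and Soteria's handler only guards getCallerGroups with IdentityStorePermission when a SecurityManager is active.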
35. Demo: MULTI STORE
36. CONCEPTS (agenda slide repeated, see slide 4)
37. EXTENSIBILITY
• interface HttpAuthenticationMechanism
• interface IdentityStore
• interface IdentityStoreHandler
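A custom HttpAuthenticationMechanism for JAX-RS endpoints (the "Custom" case of slide 20), as an added example that is not from the slides or from Soteria. It takes Basic credentials from the Authorization header and delegates the check to the injected IdentityStoreHandler, so it works unchanged with any of the stores above. The class name and the realm string are assumptions; an application has exactly one mechanism, so this replaces the CustomForm definition of slide 21 rather than sitting next to it.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;

// Being a CDI bean that implements HttpAuthenticationMechanism is all that registers it with
// Soteria: no server configuration, no JASPIC boilerplate. Class name is an assumption.
@ApplicationScoped
public class RestBasicAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) throws AuthenticationException {

        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // No credentials: unprotected resources continue anonymously,
            // protected ones get a 401 with a challenge.
            return context.isProtected() ? challenge(response, context) : context.doNothing();
        }

        UsernamePasswordCredential credential = parseBasic(header.substring(6).trim());
        if (credential == null) {
            return challenge(response, context); // malformed header is just a failed login
        }

        // The handler walks every configured IdentityStore in priority order.
        CredentialValidationResult result = identityStoreHandler.validate(credential);
        credential.clear(); // zero the password char[] once it is no longer needed

        if (result.getStatus() == VALID) {
            // Establishes caller principal and groups for this request.
            return context.notifyContainerAboutLogin(result);
        }
        return challenge(response, context);
    }

    // Decodes "user:password"; returns null instead of throwing on garbage, and treats an
    // empty user name as garbage too.
    static UsernamePasswordCredential parseBasic(String base64) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            return null;
        }
        return new UsernamePasswordCredential(decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    private static AuthenticationStatus challenge(HttpServletResponse response, HttpMessageContext context) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"api\""); // realm name is an assumption
        return context.responseUnauthorized();
    }
}
```

Compared with the built-in BASIC mechanism this one never redirects and answers every failure with a bare 401, which is what a REST client expects; the same skeleton (read credential, validate through the handler, notifyContainerAboutLogin or responseUnauthorized) is the pattern for a bearer-token or API-key mechanism as well.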
38. CONCEPTS (agenda slide repeated, see slide 4)
39. SECURITY CONTEXT (diagram, "uses data"): Security Context, Authentication Mechanism, Identity Store, Principal, Info for Request, Authorization Interceptors
40. GET INVOLVED
• Project page, the starting point to all resources: https://java.net/projects/javaee-security-spec
• Users list, subscribe and contribute: users@javaee-security-spec.java.net
• GitHub Soteria repository, fork and play! https://github.com/javaee-security-spec/soteria
41. Q & A
