OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each other's data. This talk presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS on the Java EE platform.
Presentation on the HATEOAS architectural constraint and how the Spring framework makes it easier to implement.
Source code : https://github.com/YoannBuch/simple-spring-restbucks
Made by the team at http://findtheflow.io, a tool for analysing and visualising the execution of Java applications.
Project Lombok is a Java library that automatically plugs into your editor and build tools, spicing up your Java. Never write another getter or equals method again.
After watching this you will be able to answer the following questions:
What is Lombok?
Why use Project Lombok?
How to integrate/plug the Lombok project jar into your Eclipse IDE?
How to use Lombok in a Maven project?
What are the @Getter/@Setter annotations in Lombok Java?
How does Project Lombok work?
What is the @NonNull annotation?
What is the @ToString annotation?
How to generate equals and hashCode using Lombok?
Check all Lombok Java examples
What are the benefits/advantages of using Lombok?
Nowadays the traditional layered monolithic architecture in the Java world is not as popular as it was 5-10 years ago. I remember how we wrote tons of code for each layer, repeating almost the same parts for every application. Add unit and integration testing to understand how much time and effort has been spent on repetitive work. All the cool ideas around DDD (domain driven design) and Hexagonal Architecture were just a nice theory because reality hasn't allowed us to implement them easily. Even Dependency Injection with the Spring framework was completely focused on the traditional layered approach, not even talking about the JavaEE platform.
Today we have the Spring Boot ecosystem covering most of our needs for integration with almost all possible technologies, and the microservices architectural trend, enabling a completely new approach to building Java applications around the domain model. It is so natural to build Java domain-oriented services and connect them with the external world using ports and adapters that Hexagonal Architecture is almost enabled by default. You just need to switch your way of thinking…
Introduction to Flutter - truly cross-platform, amazingly fast (Bartosz Kosarzycki)
Intro: Flutter, a word meaning a rapid variation of an electronic signal, recently became the name of Dart's framework for mobile development. This presentation is a short introduction to a cross-platform solution covering iOS/Android. During this 45 minute period you'll learn what Flutter is, where it came from and what it's for.
Companion slides for Stormpath CTO and Co-Founder Les Hazlewood's REST API Security Webinar. This webinar is full of RESTful best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
The API acronym is everywhere on the Internet. It seems like every great company offers an API. But what is it exactly?
This deck will present you the very concept of an API with a simple metaphor, and then will take four examples of very popular APIs integrated by even more popular websites (Airbnb, Uber, etc.).
A deck by Sébastien Saunier, CTO @ Le Wagon (https://www.lewagon.com)
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies (Frans Rosén)
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
Keycloak for Science Gateways - SGCI Technology Sampler Webinar (marcuschristie)
Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway
Presentation to accompany blog post: https://sciencegateways.org/-/eds-tech-blog-using-keycloak-to-provide-authentication-authorization-and-identity-management-services-for-your-gateway
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
Discussed the general OAuth2 features. Reviewed the OAuth2 roles and grant flows:
Authorization code grant flow
Implicit grant flow
Resource owner password credentials grant flow
Client credentials grant flow
Reviewed access resource flow and token refresh.
See video: https://www.youtube.com/watch?v=UPsVD-A7gP0
In this Java Spring Training session, you will learn Spring – Inversion of Control, Dependency Injection and Bean definitions. Topics covered in this session are:
Spring Framework
• Core Container
• Data Access/Integration
• Web Layer
• Spring Setup
• Key features
• Spring Bean
• Dependency Injection
• Relation between DI and IoC
• Spring IoC Containers
• Spring DI
For more information, visit this link:
https://www.mindsmapped.com/courses/software-development/spring-fundamentals-learn-spring-framework-and-spring-boot/
Building an Effective Architecture for Identity and Access Management.pdf (Jorge Alvarez)
Security is everywhere: at home, at work, on the phone. So as individuals we use different unlocking mechanisms: passwords, patterns, fingerprints, facial recognition. So many systems, security providers and unlocking mechanisms! And now who can help us?
REST API Security: OAuth 2.0, JWTs, and More! (Stormpath)
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect" (Andreas Falk)
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the best practices currently being developed by the working group.
So if you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time, then this is the talk you should go for.
DDD Melbourne 2014 security in ASP.Net Web API 2 (Pratik Khasnabis)
My presentation at DDD Melbourne 2014 Conference on Security in ASP.Net Web API 2. Includes a brief introduction to OWIN and Katana.
http://www.dddmelbourne.com/
Securing Microservices using Play and Akka HTTP (Rafal Gancarz)
Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures.
This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.
Adding Identity Management and Access Control to your App (FIWARE)
Adding Identity Management and Access Control to your App presentation, by Alvaro Alonso & Cyril Dangerville.
Security Chapter. 1st FIWARE Summit, Málaga Dec. 13-15, 2016.
The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will no longer be needed and things will be much more app-developer friendly, aligning security with the ease of development we saw in recent versions of Java EE. We will show you the basic goals and concepts behind the Java EE Security API, and of course demos, using the current version of the reference implementation (RI), named Soteria, of how you can do Authentication and Authorization.
Getting Started with Spring Authorization Server (VMware Tanzu)
SpringOne 2021
Title: Getting Started with Spring Authorization Server
Speakers: Joe Grandja, Spring Security Engineer at VMware; Steve Riesenberg, Software Engineer at VMware
Java 9 brought many new features and improvements to the platform and to the structure of the language. New features were added, such as support for modularity (Jigsaw), JShell, Stream API, Collection factories, among others. Version 10 has also just been released with some quite important features. Come learn about these features, follow demonstrations of them in action, and also discuss the future changes of the next version, 11, planned for September of this year.
Application development in the cloud environment has already become "mainstream". It is also a fact that deploying a Java EE application in this environment can be done quickly, without much need for adaptation. But there are many challenges to face and best practices to follow in order to extract all the benefits (scalability, elasticity, productivity, adaptability, resilience) this environment can offer. In this talk we will demonstrate how to take advantage of the computing resources and services offered by the cloud (Microsoft Azure) in the development of a Java EE application using the latest features of EE 8 (JAX-RS, CDI, JPA, EJB, JSON-P, Servlets, etc.).
Microservices have become the hottest topic in software architecture today, and much can be said about their benefits. But there are countless challenges related to implementing and propagating security in the context of these components. This talk will cover how to handle authentication and authorization scenarios with microservices, as well as discuss good practices and strategies for implementing security, covering technologies such as OAuth2, OpenID Connect and JSON Web Token.
Microservices have become the hottest topic in software architecture over the past year, and much can be said about their benefits. But there are many challenges related to their security implementation and security context propagation over their components. This session addresses how to perform authentication and authorization inside a microservices architecture, covering technologies such as OAuth2, OpenID Connect, and JSON Web Token and use of Spring Cloud Security to integrate with a Spring and/or Java EE–based application platform.
Java 9 has just been released and brings many new features and improvements to the platform and to the structure of the language. New features were added, such as support for modularity (Jigsaw), JShell, Stream API, Collection factories, among others. Come learn about these new features and follow some demonstrations of them in action.
Microservices have become the hottest topic in software architecture over the past year, and much can be said about their benefits. But there are countless challenges related to implementing and propagating security in the context of these components. This talk will cover how to handle authentication and authorization scenarios with microservices, covering technologies such as OAuth2 and JSON Web Token, and using the Spring Cloud Security platform to integrate with Spring and/or Java EE applications.
Reactive services were defined by the Reactive Manifesto. They are built to be flexible, loosely coupled and scalable, and are qualified on the basis of four main principles: responsiveness, resilience, elasticity and being message-driven. Java and the Java EE platform offer a great structure with libraries to implement reactive services and transform them into an architecture optimized for microservices. This talk will present best practices for implementing reactive services in Java using RxJava, defining a microservices architecture based on real cases and applied good practices.
Reactive services were defined by the Reactive Manifesto. They are developed to be more flexible, loosely coupled and scalable, and are qualified on the basis of four principles: responsive, resilient, elastic and message-driven. The Java platform and Java EE offer a great structure and libraries to implement reactive services and transform them into a resilient microservices architecture.
Reactive services were defined by the Reactive Manifesto. They are built to be more flexible, loosely-coupled and scalable, and they are qualified based on the four principles: responsive, resilient, elastic and message-driven. Java and the Java EE platform offer a pretty good structure and libraries to implement reactive services and transform them into a microservices architecture.
AngularJS has attracted a lot of attention lately, and most applications using Angular need to communicate through a REST API. The Java EE platform, with its robustness and advanced REST support, is one of the best current solutions to support all the requirements of a backend REST API for applications based on HTML5 and AngularJS. This talk will cover how to build an Angular application using Java EE backend technologies such as JAX-RS, WebSockets, JSON-P and CDI. At the end of this session, you will understand the benefits of using these technologies, as well as the patterns and good practices applied in this development model. Topics covered include: JavaScript, HTML5, AngularJS and some Java EE APIs (JAX-RS, WebSockets, JSON-P, CDI).
Spring Data REST offers a customization on top of the Spring Data project that automatically exports repositories as REST services. It implements concepts and good practices of REST architectures, such as RESTful, ALPS and HATEOAS, allowing clients to find and explore the exposed functionality in an easy and organized way.
This talk will cover how to quickly develop a REST microservices API using Spring Boot and Spring Data REST. It will be mainly oriented to code examples demonstrating the implementation of these technologies.
Microservices have become the hottest topic in software architecture over the past year, and much can be said about their benefits. However, it is important to understand that when we start decomposing the monolith, we enter the realm of distributed systems, dealing with scenarios of location transparency, failure recovery, scalability, autonomy, easy updating, etc. The Spring Cloud project promotes tools to easily implement these concepts, defining implementation patterns for distributed systems with support for configuration management, service discovery, circuit breakers, routing, session distribution, control bus, among others. In this talk the concepts behind these tools will be demonstrated using the Spring Cloud project with the support of the Netflix OSS platform.
AngularJS has attracted a lot of attention from developers, and most applications using this open source framework need to communicate through web APIs. The Java EE platform, with its robustness and advanced REST support, is one of the best current solutions to support all the requirements of a backend REST API for applications based on HTML5 and AngularJS.
This talk will cover how to build an AngularJS application using Java EE backend technologies, including JAX-RS, WebSockets, JSON-P and CDI. At the end you will understand the benefits of using these technologies, as well as the patterns and good practices applied in this development model. Topics covered include JavaScript, HTML5, AngularJS and several Java EE APIs.
QCon SP 2016 - Building Self-Healing Microservices with Spring Cloud and Net... (Rodrigo Cândido da Silva)
Microservices have become the hottest topic in software architecture, and much can be said about their benefits. But it is important to understand that when we start decomposing the monolith we enter the realm of distributed systems. We need to deal with scenarios of location transparency, failure recovery, scalability, autonomy, ease of updating and other aspects. On the other hand, once we handle all this complexity, we can define applications that run "forever", becoming self-healing and highly scalable.
The Spring Cloud project brings tools that make it easier to apply these concepts in practice, defining implementation patterns for distributed systems with support for configuration management, service discovery, circuit breakers, routing, session distribution, control bus, among other techniques. It can also be combined with the Netflix OSS platform, which offers components especially useful in a microservices environment, such as Eureka (registry), Ribbon (location), Hystrix (fault tolerance) and Zuul (routing).
In this talk it will be demonstrated how to use these tools in practice, along with the challenges and lessons learned, all based on real use cases of a microservices architecture implemented with Spring Cloud and Netflix OSS.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
2. About Me
• Brazilian guy ;)
• Software Architect
• Java Platform
• Work for Integritas Tech
• http://integritastech.com
• JUG Leader of GUJavaSC
• http://gujavasc.org
• Twitter
• @rcandidosilva
• Personal
• http://rodrigocandido.me
3. Agenda
• Why use OAuth2?
• OAuth2 concepts
• Grant types
• OAuth2 Tokens
• Java Implementations
• Demo
6. Securing APIs
• Securing resources strategies
• Basic Auth (HTTP Basic)
• Sending user credentials in the HTTP Authorization header
• Mutual Authentication (HTTP Digest)
• Based on certificates: the server authenticates to the client, and the client to the server
• RESTful architecture does not define security procedures
• HTTP methods: GET, POST, PUT, DELETE
• REST APIs are just as vulnerable as standard web apps
• Injection attacks, replay attacks, cross-site scripting, etc.
9. Why OAuth
• Open standard protocol specification defined by the IETF
• Enables applications to access each other’s data without sharing credentials
• Avoids password issues
• User and password authentication is fine, but what if your API needs to be used by other apps?
• Required for delegating access
• To third-party applications
• For a specified resource
• For a limited time
• Can be selectively revoked
11. OAuth Timeline
• OAuth 1.0
• Core specification published in Dec 2007
• OAuth 1.0a
• Revised specification published in June 2009
• Revised to fix a security issue
• OAuth 2.0
• Standardized in Oct 2012
• Intended to be more secure, simpler, and more standard
• Additional RFCs are still being worked on
12. OAuth2
• No usernames or passwords (only tokens)
• Protocol for authorization, not authentication
• Delegated model
• Fixes the password anti-pattern
• Trust relationship between resource server, identity server and client app
• Goal was simplicity
• Relies heavily on TLS/SSL
• Not backwards compatible
• Easy to revoke
13. OAuth2 Roles
• Resource Owner
• Entity capable of granting access to a protected resource
• Client Application
• Application making protected resource requests on behalf of the resource owner
• Resource Server
• The server hosting the protected resources
• Authorization Server
• The server issuing access tokens to the clients
15. OAuth2 Grant Types
• Authorization Code (web apps)
• Optimized for confidential clients
• Uses an authorization code from the server
• Implicit (browser-based and mobile apps)
• Optimized for script-heavy web apps
• User can see the access token
• Resource Owner Password Credentials (user / password)
• Used in cases where the user trusts the client
• Exposes user credentials to the client
• Client Credentials (application)
• Client gets an access token based on client credentials only
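The authorization code grant from the list above, written out as an added example (not from the slides or the demo project) with java.net.http on Java 11+: the client builds the redirect to the authorization endpoint and, when the callback arrives, checks the state parameter before exchanging the code at the token endpoint. The endpoint URLs, client id, client secret and redirect URI are placeholders.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

/** Client side of the authorization code grant (RFC 6749, section 4.1). Added example. */
public class AuthorizationCodeClient {

    // Placeholder endpoints and credentials; a real client gets these from its registration.
    static final String AUTHORIZE_URL = "https://auth.example.com/oauth/authorize";
    static final String TOKEN_URL = "https://auth.example.com/oauth/token";
    static final String CLIENT_ID = "conference-web";
    static final String CLIENT_SECRET = "change-me";
    static final String REDIRECT_URI = "https://app.example.com/callback"; // must equal the registered value

    private final SecureRandom random = new SecureRandom();
    private final HttpClient http = HttpClient.newHttpClient();

    /** application/x-www-form-urlencoded body or query string. */
    static String form(Map<String, String> params) {
        return params.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    /** Unguessable state value; the web app stores it in the user's session before redirecting. */
    public String newState() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Leg 1: the URI the user's browser is redirected to. */
    public URI authorizationRequest(String state, String scope) {
        Map<String, String> q = new LinkedHashMap<>();
        q.put("response_type", "code");
        q.put("client_id", CLIENT_ID);
        q.put("redirect_uri", REDIRECT_URI);
        q.put("scope", scope);
        q.put("state", state);
        return URI.create(AUTHORIZE_URL + "?" + form(q));
    }

    /** Leg 2: the callback arrives as GET REDIRECT_URI?code=...&state=...; verify state, then exchange. */
    public String exchangeCode(String sessionState, String returnedState, String code)
            throws IOException, InterruptedException {
        if (sessionState == null || returnedState == null
                || !MessageDigest.isEqual(sessionState.getBytes(StandardCharsets.UTF_8),
                                          returnedState.getBytes(StandardCharsets.UTF_8))) {
            // A mismatch means this callback was not started by this session (RFC 6749, section 10.12).
            throw new SecurityException("state mismatch, ignoring callback");
        }
        Map<String, String> body = new LinkedHashMap<>();
        body.put("grant_type", "authorization_code");
        body.put("code", code);
        body.put("redirect_uri", REDIRECT_URI); // must repeat the value used in leg 1
        String basic = Base64.getEncoder()
                .encodeToString((CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_URL))
                .header("Authorization", "Basic " + basic) // confidential client authenticates itself
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form(body)))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IOException("token endpoint returned HTTP " + response.statusCode());
        }
        // Body is the JSON shown on the tokens slide: access_token, token_type, expires_in, refresh_token
        return response.body();
    }
}
```

The Jersey builder on slide 25 does the same two legs internally (start() produces the redirect, finish(code, state) performs the state check and the token request); the point of spelling them out is that the code is only ever sent over the back channel with client authentication, and the state check is what stops a forged callback from binding someone else's authorization to the current session.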
20. OAuth2 Tokens
• Types
• Bearer
• Large random token
• Need SSL to protect it in transit
• Server needs to store it securely hashed like a user password
• Mac
• Uses a nonce to prevent replay
• Does not require SSL
• Only supported in OAuth 1.0
• Access Token
• Short-lived token
• Refresh Token
• Long-lived token
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
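The resource-server side of the bearer token shown above, as an added example (not from the slides or the demo project): a JAX-RS 2.0 ContainerRequestFilter that checks the Authorization header as RFC 6750 describes and looks the token up in a store keyed by its SHA-256 hash, so a copied store does not yield usable tokens. The in-memory store, the register method and the "oauth2.scopes" request property are assumptions made for the example; a deployment would back the store with JDBC or an introspection call to the authorization server.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Validates "Authorization: Bearer <token>" before any resource method runs. Added example. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenFilter implements ContainerRequestFilter {

    /** What the server keeps per token: expiry and scopes, keyed by the hash, never the token itself. */
    public static final class TokenRecord {
        final Instant expiresAt;
        final Set<String> scopes;
        TokenRecord(Instant expiresAt, Set<String> scopes) {
            this.expiresAt = expiresAt;
            this.scopes = scopes;
        }
    }

    // Hypothetical in-memory store; the map key is hash(token).
    private static final Map<String, TokenRecord> TOKEN_STORE = new ConcurrentHashMap<>();

    /** SHA-256 of the opaque token, URL-safe base64 so it can also be used as a database key. */
    public static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Called when the authorization server issues a token (hypothetical hook for this example). */
    public static void register(String token, Instant expiresAt, Set<String> scopes) {
        TOKEN_STORE.put(hash(token), new TokenRecord(expiresAt, scopes));
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        // RFC 6750: the scheme name is case-insensitive and is followed by a single token
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            abort(ctx, "invalid_request", "missing bearer token");
            return;
        }
        String token = auth.substring(7).trim();
        TokenRecord record = TOKEN_STORE.get(hash(token));
        if (record == null || Instant.now().isAfter(record.expiresAt)) {
            abort(ctx, "invalid_token", "token unknown or expired");
            return;
        }
        // Hand the granted scopes to the resource method for per-operation checks
        ctx.setProperty("oauth2.scopes", record.scopes);
    }

    /** 401 with the WWW-Authenticate challenge format from RFC 6750, section 3. */
    private static void abort(ContainerRequestContext ctx, String error, String description) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE,
                        "Bearer realm=\"api\", error=\"" + error
                                + "\", error_description=\"" + description + "\"")
                .build());
    }
}
```

A plain SHA-256 is enough here because an access token is a large random value; the slow, salted hashing used for user passwords exists to protect low-entropy secrets and buys nothing for a token with 128 or more bits of entropy. The filter runs at AUTHENTICATION priority so that the @RolesAllowed and @DenyAll checks on later slides see an already-validated request.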
21. OAuth2 Pros & Cons
• Pros
• Integration of third party apps to any sites
• Access can be granted for limited scope or duration
• No need for users to give their password to a third-party site
• Cons
• Writing an authorization server is somewhat complex
• Interoperability issues
• Bad implementations can introduce security issues
22. OAuth2 Java Implementations
• Some Java implementations available
• Jersey
• Apache Oltu
• Spring Security OAuth2
• And others: CXF, Google OAuth2 API, etc
• Not available as a Java EE standard yet
23. Jersey
• Open source RESTful Web services framework
• The JAX-RS reference implementation
• Integrates with the Java EE standard security
• @RolesAllowed
• @PermitAll
• @DenyAll
• Supports entity filtering features
• @EntityFiltering
• Only supports OAuth2 on the client side :/
24. Jersey
Java EE security integration
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("restricted-resource")
@Produces("application/json")
public class RestrictedResource {
    @GET @Path("denyAll")
    @DenyAll // no caller may invoke this method
    public RestrictedEntity denyAll() { ... }

    @GET @Path("rolesAllowed")
    @RolesAllowed({"manager"}) // only callers in the "manager" role
    public RestrictedEntity rolesAllowed() { ... }
}
25. Jersey
OAuth2 client support
OAuth2CodeGrantFlow.Builder builder =
    OAuth2ClientSupport.authorizationCodeGrantFlowBuilder(
        clientId,
        "https://example.com/oauth/authorization",
        "https://example.com/oauth/token");
OAuth2CodeGrantFlow flow = builder
    .property(OAuth2CodeGrantFlow.Phase.AUTHORIZATION, "readOnly", "true")
    .scope("contact")
    .build();
String authorizationUri = flow.start();
...
final TokenResult result = flow.finish(code, state);
...
26. Apache Oltu
• Apache OAuth protocol implementation
• It also covers other related specifications
• JSON Web Token (JWT)
• JSON Web Signature (JWS)
• OpenID Connect
• Supports the full OAuth2 features
• Authorization Server
• Resource Server
• Client
• Provides predefined OAuth2 client types
• Facebook, Foursquare, Github, Google, etc
• Still being improved…
31. Spring Security OAuth
• Provides OAuth (1a) and OAuth2 support
• Implements the four authorization grant types
• Supports the full OAuth2 feature set
• Authorization Server
• Resource Server
• Client
• Good integration with JAX-RS and Spring MVC
• Configuration using annotation support
• Integrates with the Spring ecosystem
32. Spring Authorization Server
• @EnableAuthorizationServer
• Annotation used to configure OAuth2 authorization server
• XML configuration is also available via <authorization-server/>
• ClientDetailsServiceConfigurer
• Defines the client details service
• In-memory or JDBC implementation
• AuthorizationServerTokenServices
• Operations to manage OAuth2 tokens
• Tokens in-memory, JDBC or JSON Web Token (JWT)
• AuthorizationServerEndpointsConfigurer
• Grant types supported by the server
• All grant types are supported except the password grant
33. Spring Resource Server
• Can be the same as Authorization Server
• Or deployed in a separate application
• Provides an authentication filter for web protection
• @EnableResourceServer
• Annotation used to configure OAuth2 resource server
• XML configuration is also available via <resource-server/>
• Supports expression-based access control
• #oauth2.clientHasRole
• #oauth2.clientHasAnyRole
• #oauth2.denyClient
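Slides 32 and 33 wired together, as an added example (not from the slides or the demo repository) using the spring-security-oauth2 project the slides describe: an authorization server with the in-memory client details service and token store, and a resource server in the same application using the expression-based rules listed above. Client ids, secrets, scopes, role names and URL patterns are placeholders, and an AuthenticationManager bean is assumed to come from the application's web security configuration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

/** Authorization server: who the clients are, what they may ask for, and how tokens are kept. Added example. */
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager; // assumed to be defined elsewhere

    public AuthServerConfig(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore(); // slide 32 alternatives: JdbcTokenStore or JwtTokenStore
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("conference-web")                       // placeholder: a server-side web app
                .secret("web-secret")                           // placeholder; Spring Security 5 needs an encoded value
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read", "write")
                .resourceIds("conference-api")                  // tokens are bound to this resource server
                .redirectUris("https://app.example.com/callback") // placeholder; exact match is enforced
                .accessTokenValiditySeconds(3600)               // short-lived access token, as on slide 20
                .refreshTokenValiditySeconds(86400)             // longer-lived refresh token
            .and()
            .withClient("reporting-batch")                      // placeholder: machine-to-machine client
                .secret("batch-secret")
                .authorizedGrantTypes("client_credentials")
                .scopes("read")
                .resourceIds("conference-api")
                .authorities("ROLE_TRUSTED_CLIENT");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The password grant is only enabled when an AuthenticationManager is supplied here,
        // which is why slide 32 lists it as the exception among the grant types.
        endpoints.tokenStore(tokenStore())
                 .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()"); // /oauth/check_token requires client credentials
    }
}

/** Resource server in the same application, as slide 33 allows. */
@Configuration
@EnableResourceServer
class ResourceConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("conference-api"); // a token issued for another API is rejected
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/talks/**").access("#oauth2.hasScope('read')")
            .antMatchers("/api/talks/**").access("#oauth2.hasScope('write')")
            .antMatchers("/api/admin/**").access("#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT')")
            .anyRequest().access("#oauth2.denyClient()"); // client-only tokens get nothing else
    }
}
```

Two details carry most of the security value: the resourceId on the resource server together with the resourceIds on each client means a token minted for a different API is refused, and the scope and clientHasRole expressions keep a client-credentials token from reaching endpoints that were only meant for a user-delegated one.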
34. Spring OAuth2 Client
• Creates a filter to store the current request and context
• Manages the redirection to and from the OAuth authentication URI
• @EnableOAuth2Client
• Annotation used to configure OAuth2 client
• XML configuration is also available via <client/>
• OAuth2RestTemplate
• Wrapper client object to access the resources
35. Demo
• OAuth2 Use Case
• Conference application sharing resources with different clients
• http://github.com/rcandidosilva/rest-oauth2-sample