SlideShare a Scribd company logo

What is tackled in the Java EE Security API (Java EE 8)

Rudy De Busscher
Rudy De Busscher

The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.

1 of 43
Download to read offline
What is tackled in the Java EE Security API (Java EE 8)
A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
• C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
So what is standardised?
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
@CustomFormAuthenticationMechanismDefinition(
 loginToContinue = @LoginToContinue(
 loginPage="/login.xhtml",
 errorPage=""
 )
 )
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
@LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
• CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
Demo BASIC
 IN MEMORY
Demo FORM IN JSF WITH LDAP
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
@LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
Demo MULTI STORE
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
• Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
Q & A

Recommended

Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
Jesus Perez Franco
 
Spring security
Spring securitySpring security
Spring security
Saurabh Sharma
 
Spring Boot Tutorial
Spring Boot TutorialSpring Boot Tutorial
Spring Boot Tutorial
Naphachara Rattanawilai
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Exception handling
Exception handlingException handling
Exception handling
Anna Pietras
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
Jeevesh Pandey
 

Recommended

Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
Jesus Perez Franco
 
Spring security
Spring securitySpring security
Spring security
Saurabh Sharma
 
Spring Boot Tutorial
Spring Boot TutorialSpring Boot Tutorial
Spring Boot Tutorial
Naphachara Rattanawilai
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Exception handling
Exception handlingException handling
Exception handling
Anna Pietras
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
Jeevesh Pandey
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring Security
Knoldus Inc.
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
Joshua Long
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in Scala
Braja Krishna Das
 
Spring boot
Spring bootSpring boot
Spring boot
sdeeg
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
Stormpath
 
Spring Security
Spring SecuritySpring Security
Spring Security
Sumit Gole
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
Rudy De Busscher
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot Introduction
Jeevesh Pandey
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
 
Spring annotation
Spring annotationSpring annotation
Spring annotationRajiv Srivastava
 
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlJava Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Arjun Thakur
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introduction
Rasheed Waraich
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou
 
Rediscovering Spring with Spring Boot(1)
Rediscovering Spring with Spring Boot(1)Rediscovering Spring with Spring Boot(1)
Rediscovering Spring with Spring Boot(1)Gunith Devasurendra
 
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughAzure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Vinu Gunasekaran
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
Torsten Lodderstedt
 
Introducing Swagger
Introducing SwaggerIntroducing Swagger
Introducing Swagger
Tony Tam
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
Rudy De Busscher
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
Valerii Moisieienko
 

More Related Content

What's hot

Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring Security
Knoldus Inc.
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
Joshua Long
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in Scala
Braja Krishna Das
 
Spring boot
Spring bootSpring boot
Spring boot
sdeeg
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
Stormpath
 
Spring Security
Spring SecuritySpring Security
Spring Security
Sumit Gole
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
Rudy De Busscher
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot Introduction
Jeevesh Pandey
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
 
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlJava Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Arjun Thakur
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introduction
Rasheed Waraich
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou
 
Rediscovering Spring with Spring Boot(1)
Rediscovering Spring with Spring Boot(1)Rediscovering Spring with Spring Boot(1)
Rediscovering Spring with Spring Boot(1)Gunith Devasurendra
 
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughAzure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Vinu Gunasekaran
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
Torsten Lodderstedt
 
Introducing Swagger
Introducing SwaggerIntroducing Swagger
Introducing Swagger
Tony Tam
 

What's hot (20)

Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring Security
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
 
Azure Key Vault Integration in Scala
Azure Key Vault Integration in ScalaAzure Key Vault Integration in Scala
Azure Key Vault Integration in Scala
 
Spring boot
Spring bootSpring boot
Spring boot
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot Introduction
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Spring annotation
Spring annotationSpring annotation
Spring annotation
 
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlJava Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introduction
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Rediscovering Spring with Spring Boot(1)
Rediscovering Spring with Spring Boot(1)Rediscovering Spring with Spring Boot(1)
Rediscovering Spring with Spring Boot(1)
 
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughAzure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
Introducing Swagger
Introducing SwaggerIntroducing Swagger
Introducing Swagger
 

Similar to What is tackled in the Java EE Security API (Java EE 8)

Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
Rudy De Busscher
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
Valerii Moisieienko
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debugging
Maarten Smeets
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
OPEN KNOWLEDGE GmbH
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Adam Englander
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1
Ashnikbiz
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
Claire Hunsaker
 
State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8
OPEN KNOWLEDGE GmbH
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
Simon Haslam
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
defconmoscow
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
Ortus Solutions, Corp
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
Payara
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
Sarah Dutkiewicz
 
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingIsaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingAntonios Chatzipavlis
 
World Azure Day Mobile Services Presentation
World Azure Day Mobile Services PresentationWorld Azure Day Mobile Services Presentation
World Azure Day Mobile Services Presentation
Dmitri Artamonov
 

Similar to What is tackled in the Java EE Security API (Java EE 8) (20)

Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debugging
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
STATE OF THE ART AUTHENTICATION MIT JAVA EE 8
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8State of the art authentication mit Java EE 8
State of the art authentication mit Java EE 8
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
 
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditingIsaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditing
 
World Azure Day Mobile Services Presentation
World Azure Day Mobile Services PresentationWorld Azure Day Mobile Services Presentation
World Azure Day Mobile Services Presentation
 

More from Rudy De Busscher

jakarta-integration-testing.pdf
jakarta-integration-testing.pdfjakarta-integration-testing.pdf
jakarta-integration-testing.pdf
Rudy De Busscher
 
core-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfcore-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdf
Rudy De Busscher
 
MicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfMicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdf
Rudy De Busscher
 
Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17
Rudy De Busscher
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
Rudy De Busscher
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
Rudy De Busscher
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with Testcontainers
Rudy De Busscher
 
Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
Rudy De Busscher
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)
Rudy De Busscher
 
Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)
Rudy De Busscher
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metrics
Rudy De Busscher
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfile
Rudy De Busscher
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
Rudy De Busscher
 
From Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsFrom Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained Systems
Rudy De Busscher
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene
Rudy De Busscher
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 

More from Rudy De Busscher (16)

jakarta-integration-testing.pdf
jakarta-integration-testing.pdfjakarta-integration-testing.pdf
jakarta-integration-testing.pdf
 
core-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdfcore-profile_jakartaOne2022.pdf
core-profile_jakartaOne2022.pdf
 
MicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdfMicroStream-WithoutDatabase.pdf
MicroStream-WithoutDatabase.pdf
 
Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17Jakarta EE 8 on JDK17
Jakarta EE 8 on JDK17
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with Testcontainers
 
Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)
 
Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)Transactions in micro-services (summer 2019)
Transactions in micro-services (summer 2019)
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metrics
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfile
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
From Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained SystemsFrom Monolith to micro-services and back : The Self Contained Systems
From Monolith to micro-services and back : The Self Contained Systems
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 

Recently uploaded

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 

Recently uploaded (20)

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 

What is tackled in the Java EE Security API (Java EE 8)

  • 1.
  • 2. What is tackled in the Java EE Security API (Java EE 8)
  • 3. A G E N D A JAVA EE SECURITY WHY 
 UPDATE? ALREADY
 AVAILABLE? JSR-375
 SOTERIA CONCEPTS DEMO
  • 4. • C4J • Senior Java Web Developer, Java Coach, Information Security • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
  • 5. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  • 6. W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
  • 7. T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
  • 8. J A V A E E S E C U R I T Y • No JSR exists to address security overall • Each JSR has his 'own' way • They look at each other, but ...
  • 9. So what is standardised?
  • 10. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
  • 11. J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
  • 12.
  • 13. Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
  • 14. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
  • 15. J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • October 2016 • EG Updated, switch Spec Lead
  • 16. G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
  • 17. I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
  • 18. S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
  • 19. JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
  • 20. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...
  • 21. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 22. H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
  • 24. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 25. I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED • Easy for testing with hardcoded values • Custom • Whatever your need is
  • 26. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net"
 )
  • 27. C D I • Context and Dependency Injection
 concepts used for many artefacts. • Extension to read the annotations and create required beans.
  • 28. • CDI -> beans.xml • HttpAuthenticationMechanism required to activate Soteria
  • 31. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 32. T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
  • 33. M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
  • 34. M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
  • 35. I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • BOTH • AUTHENTICATION • AUTHORIZATION
  • 36. @LdapIdentityStoreDefinition(
 url = "ldap://localhost:33389/",
 baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
 password = "changeOnInstall",
 searchBase = "dc=jsr375,dc=net",
 searchExpression = "(&(uid=%s)(objectClass=person))",
 groupBaseDn = "ou=group,dc=jsr375,dc=net", authenticateOnly = true
 )
  • 38. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 39. E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
  • 40. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
  • 41. S E C U R I T Y C O N T E X T Security
 Context Authentication
 Mechanism Identity
 Store Principal
 Info for
 Request Authorization
 Interceptors U S E S D A T A
  • 42. Project page The starting point to all resources https://java.net/projects/javaee-security-spec Users List Subscribe and contribute users@javaee-security-spec.java.net Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
  • 43. Q & A