Java EE Security API - JSR375: Getting Started
2 likes2,217 views
The document discusses the updates and goals of Java EE 8 Security API (JSR-375), which aims to improve the security mechanisms of Java EE by modernizing its architecture to better support cloud application developers. It outlines the need for a new JSR to address portability issues and simplifies authentication and authorization processes while integrating modern technologies like CDI and EL. The document also highlights the concepts of authentication mechanisms, identity stores, and security contexts to enhance user experience in security management.
Java EE Security API - JSR375: Getting Started
- 2. Java EE 8 : Java EE Security API
- 3. A G E N D A JAVA EE SECURITY WHY UPDATE? ALREADY AVAILABLE? JSR-375 SOTERIA CONCEPTS DEMO
- 4. • C4J • Senior Java Web Developer, Java Coach • JSR-375 • Java EE Security API Expert group member • Java EE Believer @rdebusscher http://jsfcorner.blogspot.be http://javaeesquad.blogspot.be W H O A M I RUDY DE BUSSCHER
- 5. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
- 6. W H Y A N E W J S R ? • Java EE Security is viewed as not portable, abstract/confusing, antiquated • Doesn't fit cloud app developer paradigm: requires app server configuration
- 7. T E R M I N O L O G Y ? • What is that "something" where identities are stored? • realm (Tomcat, some hints in Servlet spec) • (auth) repository • (auth) store • login module (JAAS) • identity manager (Undertow) • authenticator (Resin, OmniSecurity, Seam security) • authentication provider (Spring Security) • Identity provider
- 8. J A V A E E S E C U R I T Y • Each JSR has his 'own' way • They look at each other, but ... • No JSR exists to address security overall • Security on the platform level
- 9. So what is standardised?
- 10. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context W H Y U P D A T E ?
- 11. J A S P I C Java Authentication Service Provider Interface for Containers • Java EE 6 • For custom logic • BASIC/FORM/DIGEST • Low Level (per request) • Verbose
- 13. Java Authorization Service Provider Contract for Containers J A C C • J2EE 1.4 ERA • C.O.M.P.L.E.X.I.T.Y • Application Server Wide • No Role Mapping specified
- 14. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context G O A L S
- 15. J S R - 3 7 5 • EG discussions started March 2015 • EG Members • EE API veterans: many JSRs, many years struggling with Security API • 3rd party security framework creators/developers • EE platform security implementers • 10/2016 : EG Updated, switch Spec Lead • March 13, 2017 : Early Draft Review • May 25, 2017 : Public review
- 16. G O A L S • Plug the portability holes • Modernize • Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods • Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly • Common security configurations not requiring server changes • Annotation defaults not requiring XML
- 17. I D E A S • Terminology • API for Authentication Mechanism • API for Identity Store • API for Security Context • API for Password Aliasing • API for Role/Permission Assignment • API for Authorization Interceptors • + ... JAVA EE 8 JAVA EE 9
- 18. S O T E R I A • In Greek mythology, Soteria was the goddess of safety and salvation. • RI of JSR-375 • Should work on Java EE 7 • WildFly 10+ • Payara 4.1.1.161+ • TomEE 7.0.2+ • WebSphere Liberty 2016.9+
- 19. JASPIC JACC SOTERIA U S I N G Existing blocks for authentication and authorization
- 20. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 21. H T T P A U T H E N T I C A T I O N M E C H A N I S M • How are credentials retrieved • BASIC • FORM • classic j_security_check, ... • CustomForm • programmatic • Custom • For JAX-RS endpoints, ...
- 23. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 24. I D E N T I T Y S T O R E • Verify credentials • LDAP • DATABASE • with configurable queries • EMBEDDED (Soteria Only not in API) • Easy for testing with hardcoded values • Custom • Whatever your need is
- 25. @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net", password = "changeOnInstall", searchBase = "dc=jsr375,dc=net", searchExpression = "(&(uid=%s)(objectClass=person))", groupBaseDn = "ou=group,dc=jsr375,dc=net" )
- 27. Demo FORM IN JSF WITH LDAP
- 28. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 29. T R I P L E A • Authentication • Verifying that a user is who she says she is. • Authorisation • He can execute the allowed actions within their privilege. • Accounting • Audit
- 30. M U L T I S T O R E • Authentication / Authorisation • From multiple sources! • Examples • Scenario 1 • Authentication : LDAP • Authorisation : Database
- 31. M U L T I S T O R E ( 2 ) • Scenario 2 • Authentication : OAuth2 • Authentication : Limited to certain email Domain • Authorization : ... • Scenario 3 • Authentication : ... • Authorisation : Database • Authorisation (In Test) : Extra roles/permissions
- 32. I D E N T I T Y S T O R E H A N D L E R • IdentityStoreHandler • Handles multiple defined Identity Stores • ValidationType on IdentityStore • VALIDATE • PROVIDE_GROUPS
- 33. @LdapIdentityStoreDefinition( url = "ldap://localhost:33389/", baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net", password = "changeOnInstall", searchBase = "dc=jsr375,dc=net", searchExpression = "(&(uid=%s)(objectClass=person))", groupBaseDn = "ou=group,dc=jsr375,dc=net", useFor = ValidationType.VALIDATE )
- 34. Demo MULTI STORE
- 35. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 36. E X T E N S I B I L I T Y interface HttpAuthenticationMechanism interface IdentityStore interface IdentityStoreHandler
- 37. • Why Update? • What is available? • JSR-375 • Concepts • Authentication Mechanism • IdentityStore • Authentication - Authorization • Custom integration • Security Context C O N C E P T S
- 38. S E C U R I T Y C O N T E X T Security Context Authentication Mechanism Identity Store Principal Info for Request Authorization Interceptors U S E S D A T A
- 39. Users List Subscribe and contribute [email protected] Github Soteria repository Fork and play! https://github.com/javaee-security-spec/soteria G E T I N V O L V E D
- 40. Q & A