What is tackled in the Java EE Security API (Java EE 8)
AGENDA: JAVA EE SECURITY
• Why update?
• Already available?
• JSR-375 / Soteria
• Concepts / Demo
WHO AM I
RUDY DE BUSSCHER
• C4J: Senior Java Web Developer, Java Coach, Information Security
• JSR-375: Java EE Security API Expert Group member
• Java EE believer, @rdebusscher
• http://jsfcorner.blogspot.be, http://javaeesquad.blogspot.be
• Why Update? • What is available? • JSR-375 • Concepts
  • Authentication Mechanism • IdentityStore • Authentication / Authorization • Custom integration • Security Context
WHY UPDATE?

WHY A NEW JSR?
• Java EE Security is viewed as not portable, abstract/confusing, antiquated
• Doesn't fit the cloud app developer paradigm: requires app server configuration
TERMINOLOGY?
• What is that "something" where identities are stored?
  • realm (Tomcat, some hints in the Servlet spec)
  • (auth) repository
  • (auth) store
  • login module (JAAS)
  • identity manager (Undertow)
  • authenticator (Resin, OmniSecurity, Seam Security)
  • authentication provider (Spring Security)
  • identity provider
JAVA EE SECURITY
• No JSR exists to address security overall
• Each JSR has its own way
• They look at each other, but ...
• So what is standardised?
WHY UPDATE?

JASPIC: Java Authentication Service Provider Interface for Containers
• Java EE 6
• For custom logic (the container itself only gives you BASIC/FORM/DIGEST)
• Low level (per request)
• Verbose
JACC: Java Authorization Service Provider Contract for Containers
• J2EE 1.4 era
• C.O.M.P.L.E.X.I.T.Y
• Application server wide
• No role mapping specified
GOALS

JSR-375
• EG discussions started March 2015
• EG members
  • EE API veterans: many JSRs, many years struggling with the Security API
  • 3rd-party security framework creators/developers
  • EE platform security implementers
• October 2016: EG updated, switch of Spec Lead
GOALS
• Plug the portability holes
• Modernize
  • Contexts and Dependency Injection (CDI): intercept at access enforcement points (POJO methods)
  • Expression Language (EL): enable access enforcement points with complex rules
• App developer friendly
  • Common security configurations not requiring server changes
  • Annotation defaults not requiring XML
IDEAS
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Security Context
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Authorization Interceptors
• + ...
Split over JAVA EE 8 and JAVA EE 9
SOTERIA
• In Greek mythology, Soteria was the goddess of safety and salvation.
• RI of JSR-375
• Should work on Java EE 7: WildFly 10+, Payara 4.1.1.161+, TomEE 7.0.2+, WebSphere Liberty 2016.9+
SOTERIA is built on JASPIC and JACC
USING existing blocks for authentication and authorization
(Or should I put the safe harbour text ...)
CONCEPTS

HTTP AUTHENTICATION MECHANISM
• How are credentials retrieved?
  • BASIC
  • FORM: classic j_security_check, ...
  • CustomForm: programmatic
  • Custom: for JAX-RS endpoints, ...

    @CustomFormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(
            loginPage = "/login.xhtml",
            errorPage = ""
        )
    )
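Added example (not from the slides and not Soteria's own code): a custom HttpAuthenticationMechanism of the kind the "Custom, for JAX-RS endpoints" bullet refers to. It takes an opaque token from the Authorization: Bearer header, hands it to the injected IdentityStoreHandler and either establishes the caller for this request or answers 401. It is written against the final Java EE 8 API (javax.security.enterprise.*), whose names differ slightly from the 2016 draft shown on the slides. The TokenCredential class, the "api" realm name and the rule that a presented-but-invalid token is rejected even on unprotected resources are choices made for this example.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Bearer-token mechanism for REST endpoints. The mechanism only extracts the
 * credential; deciding whether it is valid is left to the IdentityStore(s).
 * Java EE 8 allows exactly one HttpAuthenticationMechanism bean per application.
 */
@ApplicationScoped
public class BearerTokenAuthenticationMechanism implements HttpAuthenticationMechanism {

    private static final String BEARER_PREFIX = "Bearer ";

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext context) {
        String header = request.getHeader("Authorization");

        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            // No token at all: anonymous access is fine for unprotected resources,
            // protected ones get a challenge.
            return context.isProtected() ? challenge(response, context) : context.doNothing();
        }

        String token = header.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            return challenge(response, context);
        }

        // Delegate verification; an IdentityStore that understands TokenCredential
        // must be present (see the identity store examples further on).
        CredentialValidationResult result = identityStoreHandler.validate(new TokenCredential(token));

        if (result.getStatus() == CredentialValidationResult.Status.VALID) {
            // Sets caller principal and groups for this request only: no session is
            // created, which is what you want for stateless REST calls.
            return context.notifyContainerAboutLogin(result);
        }

        // Design choice for this example: a token that was presented and rejected is
        // always a 401, even on unprotected resources, so bad tokens can't be probed
        // against public endpoints and still yield a 200.
        return challenge(response, context);
    }

    private AuthenticationStatus challenge(HttpServletResponse response, HttpMessageContext context) {
        // "api" realm name is an assumption made for this example
        response.setHeader("WWW-Authenticate", "Bearer realm=\"api\"");
        return context.responseUnauthorized();
    }

    /** Credential type assumed for this example; carries the raw token to the identity store. */
    public static final class TokenCredential implements Credential {
        private final String token;

        public TokenCredential(String token) {
            this.token = token;
        }

        public String getToken() {
            return token;
        }
    }
}
```

The bean must live in a bean archive (beans.xml or annotated discovery) for the Soteria CDI extension to find it, and no @...AuthenticationMechanismDefinition annotation may be present at the same time, since that would register a second mechanism.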
CONCEPTS

IDENTITY STORE
• Verify credentials
  • LDAP
  • DATABASE: with configurable queries
  • EMBEDDED: easy for testing with hardcoded values
  • Custom: whatever your need is

    @LdapIdentityStoreDefinition(
        url = "ldap://localhost:33389/",
        baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
        password = "changeOnInstall",
        searchBase = "dc=jsr375,dc=net",
        searchExpression = "(&(uid=%s)(objectClass=person))",
        groupBaseDn = "ou=group,dc=jsr375,dc=net")
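Added example (not from the slides and not Soteria's own code): a custom, embedded IdentityStore of the "easy for testing with hardcoded values" kind, written against the final Java EE 8 API. Two things a practitioner wants even in a test store are shown: passwords are never compared in clear text (PBKDF2 from the JDK, constant-time compare via MessageDigest.isEqual) and an unknown caller name is verified against a dummy record so response time does not reveal which accounts exist. The user names, passwords, groups, iteration count and the "iterations:salt:hash" storage format are constructed for this example. Note that the final API renamed the annotation attributes shown on the slide: the bind account is bindDn/bindDnPassword, and the search settings are callerSearchBase, callerSearchFilter and groupSearchBase.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.PostConstruct;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

/** In-memory store for tests. Default validationTypes() = VALIDATE + PROVIDE_GROUPS, priority 100. */
@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    private static final int ITERATIONS = 100_000;   // assumption: tune for your hardware
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, Account> accounts = new ConcurrentHashMap<>();
    private String dummyHash;                          // verified against when the caller is unknown

    @PostConstruct
    void seed() {
        // Constructed fixtures: hashed at startup so validate() never sees a plain password.
        accounts.put("reza", new Account(hash("secret1".toCharArray()), groups("user", "admin")));
        accounts.put("alice", new Account(hash("secret2".toCharArray()), groups("user")));
        dummyHash = hash("not-a-real-password".toCharArray());
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            // Not our credential type: let the IdentityStoreHandler try the next store.
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        Account account = accounts.get(upc.getCaller());

        // Always run the full PBKDF2 check, even for unknown callers, to keep timing uniform.
        String stored = account != null ? account.hash : dummyHash;
        boolean passwordOk = verify(upc.getPassword().getValue(), stored);

        if (account == null || !passwordOk) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(upc.getCaller(), new HashSet<>(account.groups));
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        // Used when this store serves as a PROVIDE_GROUPS store for a caller validated elsewhere.
        Account account = accounts.get(validationResult.getCallerPrincipal().getName());
        return account == null ? Collections.emptySet() : new HashSet<>(account.groups);
    }

    static String hash(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        return ITERATIONS + ":" + Base64.getEncoder().encodeToString(salt)
                + ":" + Base64.getEncoder().encodeToString(dk);
    }

    static boolean verify(char[] password, String stored) {
        String[] parts = stored.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available", e);
        }
    }

    private static Set<String> groups(String... names) {
        return new HashSet<>(Arrays.asList(names));
    }

    private static final class Account {
        final String hash;
        final Set<String> groups;

        Account(String hash, Set<String> groups) {
            this.hash = hash;
            this.groups = groups;
        }
    }
}
```

The store does not clear the credential after use: the IdentityStoreHandler may still pass the same credential to other stores, so the mechanism that created it owns its lifetime.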
CDI
• Contexts and Dependency Injection concepts are used for many artefacts.
• A CDI extension reads the annotations and creates the required beans.
• CDI must be active: beans.xml
• An HttpAuthenticationMechanism is required to activate Soteria.
DEMO: BASIC, in memory
DEMO: FORM in JSF, with LDAP
CONCEPTS

TRIPLE A
• Authentication: verifying that a user is who she says she is.
• Authorisation: checking that the caller may execute the requested action within the privileges granted.
• Accounting: audit.
MULTI STORE
• Authentication / Authorisation from multiple sources!
• Examples
  • Scenario 1: Authentication: LDAP; Authorisation: Database
  • Scenario 2: Authentication: OAuth2; Authentication: limited to a certain email domain; Authorisation: ...
  • Scenario 3: Authentication: ...; Authorisation: Database; Authorisation (in test): extra roles/permissions
IDENTITY STORE HANDLER
• IdentityStoreHandler handles multiple defined Identity Stores
• ValidationType on IdentityStore: BOTH, AUTHENTICATION, AUTHORIZATION

    @LdapIdentityStoreDefinition(
        url = "ldap://localhost:33389/",
        baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
        password = "changeOnInstall",
        searchBase = "dc=jsr375,dc=net",
        searchExpression = "(&(uid=%s)(objectClass=person))",
        groupBaseDn = "ou=group,dc=jsr375,dc=net",
        authenticateOnly = true)
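Added example (not from the slides and not Soteria's own code): a custom IdentityStoreHandler implementing the three multi-store scenarios above. It validates against the stores that can authenticate, in priority order, then merges groups from the stores that only provide groups, and, for scenario 3, adds extra test-only groups. It uses the final Java EE 8 API, where the ValidationType values are VALIDATE and PROVIDE_GROUPS and the slide's authenticateOnly = true became useFor = ValidationType.VALIDATE; an application-supplied IdentityStoreHandler bean is used instead of the default one. The app.test.extraGroups system property, and the rule that an INVALID verdict from a store stops the search instead of falling through to a lower-priority store, are choices made for this example; the privileged-action wrapping the spec requires under a SecurityManager is omitted.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.CredentialValidationResult.Status;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

@ApplicationScoped
public class MultiStoreIdentityStoreHandler implements IdentityStoreHandler {

    @Inject
    private Instance<IdentityStore> storeInstances;

    private List<IdentityStore> validatingStores;   // useFor contains VALIDATE, ordered by priority
    private List<IdentityStore> groupStores;        // useFor contains PROVIDE_GROUPS, ordered by priority

    // Scenario 3 (assumption): extra groups only when a test server is started with e.g.
    // -Dapp.test.extraGroups=admin,auditor. Must never be set in production.
    private Set<String> extraTestGroups = Collections.emptySet();

    @PostConstruct
    void init() {
        List<IdentityStore> all = new ArrayList<>();
        storeInstances.forEach(all::add);
        all.sort(Comparator.comparingInt(IdentityStore::priority));   // lower number = consulted first

        validatingStores = select(all, ValidationType.VALIDATE);
        groupStores = select(all, ValidationType.PROVIDE_GROUPS);

        String extra = System.getProperty("app.test.extraGroups", "").trim();
        if (!extra.isEmpty()) {
            extraTestGroups = new HashSet<>(Arrays.asList(extra.split("\\s*,\\s*")));
        }
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        CredentialValidationResult result = CredentialValidationResult.NOT_VALIDATED_RESULT;
        IdentityStore validatingStore = null;

        // Scenarios 1 and 2: the first store that recognises the credential type decides.
        for (IdentityStore store : validatingStores) {
            result = store.validate(credential);
            if (result.getStatus() == Status.VALID) {
                validatingStore = store;
                break;
            }
            if (result.getStatus() == Status.INVALID) {
                // The store knew the credential and rejected it: do not let a lower-priority
                // store "rescue" a wrong password (stricter than the default handler).
                return CredentialValidationResult.INVALID_RESULT;
            }
            // NOT_VALIDATED: wrong credential type for this store, try the next one.
        }
        if (validatingStore == null) {
            // Nobody could validate this credential type at all.
            return CredentialValidationResult.INVALID_RESULT;
        }

        // Groups: those returned by the validating store, plus every PROVIDE_GROUPS store
        // (scenario 1: LDAP authenticates, the database supplies the roles).
        Set<String> groups = new HashSet<>(result.getCallerGroups());
        for (IdentityStore store : groupStores) {
            if (store != validatingStore) {
                groups.addAll(store.getCallerGroups(result));
            }
        }
        groups.addAll(extraTestGroups);   // scenario 3, empty outside test

        return new CredentialValidationResult(result.getIdentityStoreId(), result.getCallerPrincipal(),
                result.getCallerDn(), result.getCallerUniqueId(), groups);
    }

    private static List<IdentityStore> select(List<IdentityStore> stores, ValidationType type) {
        List<IdentityStore> selected = new ArrayList<>();
        for (IdentityStore store : stores) {
            if (store.validationTypes().contains(type)) {
                selected.add(store);
            }
        }
        return selected;
    }
}
```

Because the handler is the single choke point for all stores, it is also the right place to log which store validated a caller and which stores contributed groups (the "Accounting" A of triple A).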
DEMO: MULTI STORE
CONCEPTS

EXTENSIBILITY
• interface HttpAuthenticationMechanism
• interface IdentityStore
• interface IdentityStoreHandler
CONCEPTS

SECURITY CONTEXT
(Diagram) The Security Context uses data from the AuthenticationMechanism and the Identity Store (PrincipalInfo for the request) and is used by the AuthorizationInterceptors.
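Added example (not from the slides and not Soteria's own code): a JSF backing bean showing both sides of the SecurityContext in the final Java EE 8 API. It drives the programmatic CustomForm login (SecurityContext.authenticate with the credentials from login.xhtml) and then reads the context back: caller principal, role check, and hasAccessToWebResource, which evaluates the web.xml constraints for a resource without requesting it. The outcome pages /home.xhtml and /reports/index.xhtml, the "admin" role and the bean name are assumptions for this example.

```java
import java.security.Principal;
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Backing bean for login.xhtml when @CustomFormAuthenticationMechanismDefinition is used. */
@Named
@RequestScoped
public class LoginBean {

    @Inject
    private SecurityContext securityContext;

    private String username;
    private String password;

    /** Action method bound to the login button; the mechanism does the actual redirecting. */
    public String login() {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();

        AuthenticationStatus status = securityContext.authenticate(
                (HttpServletRequest) ec.getRequest(),
                (HttpServletResponse) ec.getResponse(),
                AuthenticationParameters.withParams()
                        .credential(new UsernamePasswordCredential(username, password)));

        switch (status) {
            case SEND_CONTINUE:
                // The custom-form mechanism has already written a redirect to the page the
                // caller originally asked for; JSF must not render anything on top of it.
                fc.responseComplete();
                return null;
            case SEND_FAILURE:
                // Same message for unknown user and wrong password: do not leak which it was.
                fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
                return null;
            case SUCCESS:
                // Logged in without a pending original request (login page opened directly).
                return "/home.xhtml?faces-redirect=true";
            default:
                return null;   // NOT_DONE: nothing happened, stay on the form
        }
    }

    /** Who is the caller for this request, as established by mechanism + identity store. */
    public String getCallerName() {
        Principal caller = securityContext.getCallerPrincipal();
        return caller == null ? "anonymous" : caller.getName();
    }

    /** Group-to-role check, usable from EL: rendered="#{loginBean.admin}". */
    public boolean isAdmin() {
        return securityContext.isCallerInRole("admin");
    }

    /** Asks the container whether a GET on the reports page would pass the web.xml constraints. */
    public boolean isReportsLinkVisible() {
        return securityContext.hasAccessToWebResource("/reports/index.xhtml", "GET");
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
```

Holding the password in a String field is what JSF form binding forces on you; keep the bean request scoped so the value dies with the request rather than living in the session.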
GET INVOLVED
• Project page, the starting point to all resources: https://java.net/projects/javaee-security-spec
• Users list, subscribe and contribute: users@javaee-security-spec.java.net
• GitHub Soteria repository, fork and play: https://github.com/javaee-security-spec/soteria
Q & A