
What is tackled in the Java EE Security API (Java EE 8)



Page 3

AGENDA

• Java EE Security
• Why update?
• Already available?
• JSR-375
• Soteria
• Concepts
• Demo

Page 4

WHO AM I

RUDY DE BUSSCHER

• C4J: Senior Java Web Developer, Java Coach, Information Security
• JSR-375: Java EE Security API Expert Group member
• Java EE believer, @rdebusscher

http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be

Page 5

WHY UPDATE?

• Why Update?
• What is available?
• JSR-375
• Concepts
  • Authentication Mechanism
  • IdentityStore
  • Authentication - Authorization
  • Custom integration
  • Security Context

Page 6

WHY A NEW JSR?

• Java EE Security is viewed as not portable, abstract/confusing, antiquated
• Doesn't fit the cloud app developer paradigm: requires app server configuration

Page 7

TERMINOLOGY?

• What is that "something" where identities are stored?
  • realm (Tomcat, some hints in the Servlet spec)
  • (auth) repository
  • (auth) store
  • login module (JAAS)
  • identity manager (Undertow)
  • authenticator (Resin, OmniSecurity, Seam Security)
  • authentication provider (Spring Security)
  • identity provider

Page 8

JAVA EE SECURITY

• No JSR exists to address security overall
• Each JSR has its 'own' way
• They look at each other, but ...

Page 9

So what is standardised?

Page 10

WHY UPDATE?

Page 11

JASPIC
Java Authentication Service Provider Interface for Containers

• Java EE 6
• For custom logic
• BASIC/FORM/DIGEST
• Low level (per request)
• Verbose
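To make "low level" and "verbose" concrete, here is an added example (not from the slides or from Soteria) of the smallest useful JASPIC ServerAuthModule: BASIC authentication against an in-memory table. The user table is constructed test data, and the realm name is an assumption. Note how much of the code is plumbing: the module runs on every request, must ask the container whether the resource is protected, and can only report the caller through callbacks.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: a minimal BASIC ServerAuthModule (JASPIC, Java EE 6 API).
public class BasicServerAuthModule implements ServerAuthModule {

    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    // Constructed test data (user -> password, user -> groups); a real module would consult a store.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, String[]> GROUPS = new HashMap<>();
    static {
        PASSWORDS.put("alice", "correct horse");
        GROUPS.put("alice", new String[] {"admin", "user"});
    }

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;   // the only way to talk back to the container
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // Invoked for every request; the container says whether the target resource is protected.
        boolean mandatory = Boolean.parseBoolean((String) messageInfo.getMap().get(IS_MANDATORY));

        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Basic ")) {
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                     StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return challenge(response);
            }
            int colon = decoded.indexOf(':');
            String user = colon < 0 ? decoded : decoded.substring(0, colon);
            String password = colon < 0 ? "" : decoded.substring(colon + 1);
            String expected = PASSWORDS.get(user);
            // Constant-time comparison so a wrong password is not distinguishable by timing.
            if (expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                          password.getBytes(StandardCharsets.UTF_8))) {
                establishCaller(clientSubject, user, GROUPS.get(user));
                return AuthStatus.SUCCESS;
            }
            return challenge(response);   // bad credentials: never fall through to anonymous
        }
        if (!mandatory) {
            establishCaller(clientSubject, null, null);   // public resource: anonymous caller
            return AuthStatus.SUCCESS;
        }
        return challenge(response);
    }

    private static AuthStatus challenge(HttpServletResponse response) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"jsr375\"");   // realm name assumed
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    // A null principal tells the container the request is unauthenticated.
    private void establishCaller(Subject subject, String name, String[] groups) throws AuthException {
        Callback[] callbacks = name == null
            ? new Callback[] {new CallerPrincipalCallback(subject, (Principal) null)}
            : new Callback[] {new CallerPrincipalCallback(subject, name),
                              new GroupPrincipalCallback(subject, groups)};
        try {
            handler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

Even this is not the whole story: the module must still be wired in through an AuthConfigProvider registered with AuthConfigFactory (two more classes plus a registration hook, not shown), which is exactly the boilerplate that Soteria hides behind the HttpAuthenticationMechanism interface later in the deck.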

Page 13

JACC
Java Authorization Service Provider Contract for Containers

• J2EE 1.4 era
• COMPLEXITY
• Application server wide
• No role mapping specified

Page 14

GOALS

Page 15

JSR-375

• EG discussions started March 2015
• EG members
  • EE API veterans: many JSRs, many years struggling with the Security API
  • 3rd-party security framework creators/developers
  • EE platform security implementers
• October 2016: EG updated, switch of Spec Lead

Page 16

GOALS

• Plug the portability holes
• Modernize
  • Contexts and Dependency Injection (CDI)
  • Intercept at access enforcement points: POJO methods
  • Expression Language (EL)
  • Enable access enforcement points with complex rules
• App developer friendly
  • Common security configurations not requiring server changes
  • Annotation defaults not requiring XML

Page 17

IDEAS

JAVA EE 8
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Security Context

JAVA EE 9
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Authorization Interceptors
• + ...

Page 18

SOTERIA

• In Greek mythology, Soteria was the goddess of safety and salvation.
• RI of JSR-375
• Should work on Java EE 7
  • WildFly 10+
  • Payara 4.1.1.161+
  • TomEE 7.0.2+
  • WebSphere Liberty 2016.9+

Page 19

USING existing blocks for authentication and authorization

SOTERIA builds on JASPIC (authentication) and JACC (authorization).

Page 20

OR SHOULD I PUT THE SAFE HARBOUR TEXT ...

Page 21

CONCEPTS

Page 22

HTTP AUTHENTICATION MECHANISM

• How are credentials retrieved?
  • BASIC
  • FORM: classic j_security_check, ...
  • CustomForm: programmatic
  • Custom: for JAX-RS endpoints, ...

Page 23

@CustomFormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.xhtml",
        errorPage = ""
    )
)
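The annotation above goes on any CDI bean in the application; what makes the mechanism "programmatic" is the other half, the login page's own code. The JSF backing bean below is an added example (not from the slides or from Soteria) of that half, using the final Java EE 8 package names (javax.security.enterprise.*). The bean name, the form fields and the /index.xhtml target are assumptions; /login.xhtml is a plain JSF form whose submit button calls #{loginBean.login}, not a j_security_check form.

```java
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters.withParams;

// Added example: the backing bean behind /login.xhtml for the CustomForm mechanism.
@Named
@RequestScoped
public class LoginBean {

    @Inject
    private SecurityContext securityContext;

    private String username;   // bound to the form fields (assumed names)
    private String password;

    public String login() {
        FacesContext faces = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest) faces.getExternalContext().getRequest();
        HttpServletResponse response = (HttpServletResponse) faces.getExternalContext().getResponse();

        // Hands the credential to the CustomForm mechanism, which runs it through the identity store(s).
        AuthenticationStatus status = securityContext.authenticate(request, response,
            withParams().credential(new UsernamePasswordCredential(username, password)));

        switch (status) {
            case SEND_CONTINUE:
                // The mechanism already wrote a redirect to the page that was originally requested.
                faces.responseComplete();
                return null;
            case SUCCESS:
                // Authenticated but no saved request (the user opened /login.xhtml directly).
                return "/index.xhtml?faces-redirect=true";
            case SEND_FAILURE:
                // errorPage = "" on the definition: no redirect, the bean reports the failure in place.
                faces.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
                return null;
            default:
                // NOT_DONE: no mechanism processed the request, which means a configuration problem.
                return null;
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Handling all four AuthenticationStatus values matters: SEND_CONTINUE must not be followed by JSF navigation (the response is already committed), and a generic "Login failed" message avoids telling an attacker whether the user name or the password was wrong.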

Page 24

CONCEPTS

Page 25

IDENTITY STORE

• Verify credentials
  • LDAP
  • DATABASE: with configurable queries
  • EMBEDDED: easy for testing with hardcoded values
  • Custom: whatever your need is

Page 26

@LdapIdentityStoreDefinition(
    url = "ldap://localhost:33389/",
    baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
    password = "changeOnInstall",
    searchBase = "dc=jsr375,dc=net",
    searchExpression = "(&(uid=%s)(objectClass=person))",
    groupBaseDn = "ou=group,dc=jsr375,dc=net")

The attribute names are those of the Soteria pre-release used for this talk; in the final Java EE 8 API they became bindDn, bindDnPassword, callerSearchBase, callerSearchFilter and groupSearchBase. Note that the bind password is compiled into the application here; in the final API the String attributes accept EL expressions, so it can be resolved from configuration at deployment instead of being committed with the source.

Page 27

CDI

• Contexts and Dependency Injection concepts used for many artefacts.
• Extension to read the annotations and create the required beans.

Page 28

• CDI -> beans.xml
• HttpAuthenticationMechanism
  required to activate Soteria

Page 29

Demo

BASIC, IN MEMORY

Page 30

Demo

FORM IN JSF, WITH LDAP

Page 31

CONCEPTS

Page 32

TRIPLE A

• Authentication: verifying that a user is who she says she is.
• Authorisation: verifying that the authenticated user may execute the requested action, within their privileges.
• Accounting: audit.

Page 33

MULTI STORE

• Authentication / Authorisation from multiple sources!
• Examples
  • Scenario 1
    • Authentication: LDAP
    • Authorisation: Database

Page 34

MULTI STORE (2)

• Scenario 2
  • Authentication: OAuth2
  • Authentication: limited to a certain email domain
  • Authorization: ...
• Scenario 3
  • Authentication: ...
  • Authorisation: Database
  • Authorisation (in test): extra roles/permissions

Page 35

IDENTITY STORE HANDLER

• IdentityStoreHandler
  • Handles multiple defined identity stores
• ValidationType on IdentityStore
  • BOTH
  • AUTHENTICATION
  • AUTHORIZATION

(These are the pre-release names; the final Java EE 8 API has ValidationType.VALIDATE and ValidationType.PROVIDE_GROUPS, and a store that lists both does both.)

Page 36

@LdapIdentityStoreDefinition(
    url = "ldap://localhost:33389/",
    baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
    password = "changeOnInstall",
    searchBase = "dc=jsr375,dc=net",
    searchExpression = "(&(uid=%s)(objectClass=person))",
    groupBaseDn = "ou=group,dc=jsr375,dc=net",
    authenticateOnly = true)

authenticateOnly = true makes this store validate the credential without supplying groups, so group membership has to come from another store (in the final Java EE 8 API: useFor = ValidationType.VALIDATE).
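Scenario 1 (authentication from one store, authorisation from another) is what the "Custom" and "Embedded" stores on page 25 and the IdentityStoreHandler on page 35 combine to do. The two classes below are an added example (not from the slides or from Soteria, each in its own source file) written against the final Java EE 8 API: a VALIDATE-only store standing in for the LDAP store above, and a PROVIDE_GROUPS-only store standing in for the database. The user table and group table are constructed test data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;

// ---- File: PasswordOnlyIdentityStore.java ----
// Authenticates only (useFor = VALIDATE): plays the role of the LDAP store with authenticateOnly = true.
@ApplicationScoped
public class PasswordOnlyIdentityStore implements IdentityStore {

    // Constructed test data; a real store would query LDAP.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    static { PASSWORDS.put("alice", "correct horse"); }

    // Found by IdentityStore.validate(Credential), whose default method dispatches on the credential type.
    public CredentialValidationResult validate(UsernamePasswordCredential credential) {
        String expected = PASSWORDS.get(credential.getCaller());
        if (expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                credential.getPasswordAsString().getBytes(StandardCharsets.UTF_8))) {
            return new CredentialValidationResult(credential.getCaller());   // caller only, no groups
        }
        return INVALID_RESULT;
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE);
    }

    @Override
    public int priority() {
        return 10;   // lower value: consulted before stores with the default priority of 100
    }
}

// ---- File: GroupsIdentityStore.java ----
// Provides groups only (useFor = PROVIDE_GROUPS): plays the role of the database store.
@ApplicationScoped
public class GroupsIdentityStore implements IdentityStore {

    // Constructed test data; a real store would run the configurable group query.
    private static final Map<String, Set<String>> GROUPS = new HashMap<>();
    static { GROUPS.put("alice", new HashSet<>(Arrays.asList("admin", "user"))); }

    // Only called with a VALID result produced by a VALIDATE store; this store never sees the password.
    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        return GROUPS.getOrDefault(validationResult.getCallerPrincipal().getName(),
                                   Collections.emptySet());
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.PROVIDE_GROUPS);
    }

    @Override
    public int priority() {
        return 20;
    }
}
```

The built-in IdentityStoreHandler consults the VALIDATE stores in priority order until one returns a VALID result, then asks every PROVIDE_GROUPS store for that caller's groups and merges them. That merge is also what scenario 3 relies on: a PROVIDE_GROUPS store that is only deployed in the test profile adds extra roles without changing either production store.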

Page 37

Demo

MULTI STORE

Page 38

CONCEPTS

Page 39

EXTENSIBILITY

interface HttpAuthenticationMechanism
interface IdentityStore
interface IdentityStoreHandler
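The "Custom: for JAX-RS endpoints" case from page 22 is where all three interfaces meet. The listing below is an added example (not from the slides or from Soteria, three classes each in its own file) of a bearer-token mechanism for an API: the mechanism extracts the token, delegates to the injected IdentityStoreHandler, and a custom IdentityStore that understands only the custom credential type validates it. The token table is constructed test data; a real store would look an opaque token up server-side or verify a signed token.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;

// ---- File: TokenCredential.java ----
// A custom Credential: the mechanism extracts it from the request, a store validates it.
public class TokenCredential implements Credential {
    private final String token;
    public TokenCredential(String token) { this.token = token; }
    public String getToken() { return token; }
}

// ---- File: BearerTokenAuthenticationMechanism.java ----
// Replaces BASIC/FORM for a JAX-RS API: reads "Authorization: Bearer <token>" and never redirects.
@ApplicationScoped
public class BearerTokenAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler;   // fans out to every IdentityStore bean

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                                HttpMessageContext context) {
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            CredentialValidationResult result =
                identityStoreHandler.validate(new TokenCredential(header.substring(7).trim()));
            if (result.getStatus() == VALID) {
                return context.notifyContainerAboutLogin(result);   // caller + groups for this request
            }
            // A presented but invalid token is rejected even on a public resource.
            response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            return context.responseUnauthorized();
        }
        if (context.isProtected()) {
            response.setHeader("WWW-Authenticate", "Bearer");
            return context.responseUnauthorized();   // protected resource, no token: 401
        }
        return context.doNothing();   // public resource: continue as anonymous
    }
}

// ---- File: TokenIdentityStore.java ----
// Validates TokenCredential only; a UsernamePasswordCredential passed to it yields NOT_VALIDATED
// from the default validate(Credential), so other stores keep handling passwords.
@ApplicationScoped
public class TokenIdentityStore implements IdentityStore {

    // Constructed token table (token -> caller and groups).
    private static final Map<String, CredentialValidationResult> TOKENS = new HashMap<>();
    static {
        TOKENS.put("8f3c1d2e9a7b4c6d", new CredentialValidationResult("alice",
            new HashSet<>(Arrays.asList("admin", "user"))));
    }

    public CredentialValidationResult validate(TokenCredential credential) {
        CredentialValidationResult result = TOKENS.get(credential.getToken());
        return result != null ? result : INVALID_RESULT;
    }
}
```

Two things to check before deploying this: Java EE 8 allows a single HttpAuthenticationMechanism per application, so no @BasicAuthenticationMechanismDefinition or similar annotation may be present alongside it; and because the mechanism is invoked for every request, the context.isProtected() branch, not the mechanism's presence, is what decides whether unauthenticated access is allowed.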

Page 40

CONCEPTS

Page 41

SECURITY CONTEXT

The Security Context uses data from:
• AuthenticationMechanism
• Identity Store
• PrincipalInfo for Request
• AuthorizationInterceptors
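The diagram shows where the data comes from; the code below is an added example (not from the slides or from Soteria) of how an application consumes it through the final Java EE 8 SecurityContext API in a JAX-RS resource: reading the per-request principal, combining a container role check with an application rule, and asking the container whether the caller could reach another URL under the web.xml constraints. The resource path, the "auditor" role, the /export URL and the ownership table are assumptions; the table is constructed test data.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

// Added example: authorization decisions through SecurityContext instead of HttpServletRequest.
@Path("/reports")
@RequestScoped
public class ReportResource {

    @Inject
    private SecurityContext securityContext;

    // Constructed ownership table (report id -> owner); a real resource would load it from storage.
    private static final Map<String, String> OWNER = new HashMap<>();
    static { OWNER.put("42", "alice"); }

    @GET
    @Path("/{id}")
    public Response get(@PathParam("id") String id) {
        Principal caller = securityContext.getCallerPrincipal();   // null when unauthenticated
        if (caller == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Container role (after any server-side role mapping) combined with an application rule.
        boolean owner = caller.getName().equals(OWNER.get(id));
        if (!owner && !securityContext.isCallerInRole("auditor")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        // Asks the container whether the caller could GET another URL under the web.xml
        // security constraints, without issuing a request to it.
        boolean canExport = securityContext.hasAccessToWebResource("/export/" + id, "GET");

        Map<String, Object> body = new HashMap<>();
        body.put("id", id);
        body.put("caller", caller.getName());
        body.put("exportAllowed", canExport);
        return Response.ok(body).build();   // serialized by the JSON provider of the Java EE 8 runtime
    }
}
```

Returning a plain 403 rather than a 404 for "exists but not yours" is a deliberate choice here; if report identifiers themselves are sensitive, swap the FORBIDDEN branch for NOT_FOUND so the endpoint does not confirm which ids exist.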

Page 42

GET INVOLVED

• Project page: the starting point to all resources
  https://java.net/projects/javaee-security-spec
• Users list: subscribe and contribute
  [email protected]
• GitHub Soteria repository: fork and play!
  https://github.com/javaee-security-spec/soteria

Page 43

Q & A