From JASPIC to Security API Modern Application Security
- Slides: 54
From JASPIC to Security API Modern Application Security. Michael Remijan, System Architect, Federal Reserve Bank St. Louis, @mjremijan. JavaOne 2017 CON5954: Modern Application and Microservices Security from EE 6 JASPIC to the EE 8 Security API. Moscone West Room 2024, Tues 03 Oct 2017. slideshare.net/mjremijan github.com/mjremijan/thoth-jaspic github.com/mjremijan/thoth-security-api
About Me
Where I work? @since 2014 • Federal Reserve Bank St. Louis
What I do? @since 1999 • Java EE • Architect • Scrum Master • Tech Lead • Developer
What I write? @since 2014 • EJB in Action Second Edition • EJB 3.2 – EE 7 & EE 8 @since 2010 • http://mjremijan.blogspot.com
What I teach? @since 2009 • Adjunct Instructor • Java II
What’s the goal of this presentation? • Get you to think: Java EE Security • EE 7 or 8
What are we going to talk about? • I just need to put my code somewhere to build “User”
History of EE Security: Servlet, JASPIC (JSR 196), Security API (JSR 375). Pre-Modern Era, Post-Modern Era. https://readlearncode.com/java-ee-past-present-and-future/
Pre-Modern era architecture • Desktop -> Web • 1 Application • How do you implement Security? http://www.softwaretestingclass.com/what-is-difference-between-two-tier-and-three-tier-architecture/
Pre-Modern era…A tale of EE Security
Pre-Modern era…A tale of EE Security https://ivanursul.com/spring-security-avoiding-basic-authentication-window-in-your-browser
Pre-Modern era…A tale of EE Security http://www.security-expert.be/
Pre-Modern era…A tale of EE Security • Sound familiar? • Most common introduction to EE Security • Quickly abandoned • Inflexible • A lot of server configuration • There is nowhere to put my code!
Modern era architecture • Multiple applications • Add another tier • Identity-management • SSO • Federation… • How do you implement Security? https://blogs.vmware.com/vfabric/2013/03/putting-the-single-back-in-single-sign-on-sso.html
Modern era…A tale of EE Security • Create account • Email • OpenID • OAuth 2… • Account activation • Login (multi-factor) • Validate location • Account locking • Password reset (reCAPTCHA) • Account disabling • Password expiration
Modern era…A tale of EE Security What is this?
Modern era…A tale of EE Security
Consuming authorization HEADER
Consuming authorization HEADER • Does @WebFilter work? • Nope! • EE Server enforces security before @WebFilter • Other options to consume the HEADER? • Where else can I put my code?
Consuming authorization HEADER This is where JASPIC comes in • Move your code out of @WebFilter • Put it into the JASPIC API • Probably something you haven’t heard of
Java EE 6+ JASPIC • @since 2009 • JSR-196 Java Authentication Service Provider Interface for Containers (JASPIC) • ServerAuthModule (interface) • Executed by EE Server before enforcing any security
Java EE 6+ JASPIC • How do you register a JASPIC ServerAuthModule? • It’s a 5 step process. Tijms, A. (2012, November 7). Implementing container authentication in Java EE with JASPIC. Retrieved from http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html
Register JASPIC ServerAuthModule? Step #1 • Create: @WebListener MyContextListener implements ServletContextListener • Get factory-factory AuthConfigFactory • Register factory-factory AuthConfigProvider
Register JASPIC ServerAuthModule? Step #2 • Create MyAuthConfigProvider implements AuthConfigProvider • Register factory ServerAuthConfig
Register JASPIC ServerAuthModule? Step #3 • Create MyServerAuthConfig implements ServerAuthConfig • Creates delegator ServerAuthContext
Register JASPIC ServerAuthModule? Step #4 • Create MyServerAuthContext implements ServerAuthContext • Creates authentication module ServerAuthModule
Register JASPIC ServerAuthModule? Step #5 • Create MyServerAuthModule implements ServerAuthModule • This is where you finally put your code • Building a Principal • Getting roles/groups • EE 6 goal was flexibility
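Step #5 is where the "consume the Authorization HEADER" code from the earlier slides finally lives. The ServerAuthModule below is an added illustration, not code from the thoth-jaspic repository: it reads a bearer token, establishes the caller Principal and groups through the container's CallbackHandler, lets unprotected resources through anonymously, and answers 401 for protected ones. The class name and the in-memory token table are constructed stand-ins for real token validation.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
public class BearerServerAuthModule implements ServerAuthModule {
    // MessageInfo map key set by the container: true when the target resource has a security constraint
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Constructed stand-in for real token validation (e.g. verifying a JWT): token -> caller name, groups...
    private static final Map<String, String[]> TOKENS = new HashMap<>();
    static { TOKENS.put("tok-alice-123", new String[] { "alice", "user", "admin" }); }
    private CallbackHandler handler;
    @Override
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler handler, Map options) {
        this.handler = handler; // container-supplied; the only way to hand the Principal and groups back
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(IS_MANDATORY)));
        String header = request.getHeader("Authorization");
        String[] entry = header != null && header.startsWith("Bearer ") ? TOKENS.get(header.substring(7)) : null;
        try {
            if (entry != null) { // valid token: establish the caller Principal and its groups for this request
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(client, entry[0]),
                    new GroupPrincipalCallback(client, Arrays.copyOfRange(entry, 1, entry.length)) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) { // unprotected resource: let the request through as an anonymous caller
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE; // protected resource and no valid credential
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject subject) { subject.getPrincipals().clear(); }
}
```

The module is what MyServerAuthContext from step #4 returns; the container then applies the web.xml constraints to the Principal and groups it established.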
How do you secure EE Components? • Use standard EE security to secure components: • Servlet • JSP • JSF/AJAX • JAX-RS • EJB
Securing Servlet web.xml EMPTY glassfish-web.xml
Securing JSP glassfish-web.xml EMPTY
Securing JSF Page & AJAX call web.xml glassfish-web.xml
Securing JSF @Named bean glassfish-web.xml
Securing JAX-RS #1 web.xml glassfish-web.xml
Securing JAX-RS #2 glassfish-web.xml EMPTY. Bien, A. (2015, December 07). What Is Faster--EJBs Or CDI? A JMH Benchmark. Retrieved from http://adambien.blog/roller/abien/entry/what_is_faster_ejbs_or
Securing JAX-RS #3 glassfish-web.xml EMPTY
Securing JAX-RS #4 • What about JWT? • JAX-RS has its own @PreMatching filters • Decode token in ServerAuthModule
Securing EJB glassfish-web.xml EMPTY
So what’s the catch? • JASPIC ignored when EE 6 came out • Overshadowed • Web-Profile • CDI • JAX-RS • Pre-EE 8 • Full-profile only • Vendor support of open standard is tricky • Tijms, A. (2016, December 04). The state of portable authentication in Java EE, end 2016 update. Retrieved from http://arjan-tijms.omnifaces.org/2016/12/the-state-of-portable-authentication-in.html
Are we still living in the modern era? • Kinda, sorta • Still have multiple applications, but…
Post-Modern era… • Security is needed everywhere!
Post-Modern era security with EE 8 • JSR 375 Java EE Security 1.0 • Soteria RI • Goals • Modernization • Simplification
What’s new in Security API? Establishes some common definitions • IdentityStore • Caller data • Credentials • Groups • Authentication mechanism • How the caller interacts with the server • Typically UI rendering http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html
IdentityStore. Built-in Identity Stores • @EmbeddedIdentityStoreDefinition • @DatabaseIdentityStoreDefinition • @LdapIdentityStoreDefinition. Build your own • Implement IdentityStore • Embed into your application • Auto-registration • Multiple implementations with different responsibilities
IdentityStore – Validate caller
IdentityStore – Groups A, B, C…
Authentication Mechanism. Built-in authentication mechanisms • @BasicAuthenticationMechanismDefinition • Digest • Client-cert • @FormAuthenticationMechanismDefinition • @CustomFormAuthenticationMechanismDefinition. Build your own • Implement HttpAuthenticationMechanism • Embed into your application • Auto-registration • Replaces JASPIC ServerAuthModule http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html
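The EE 8 version of the same bearer-token flow, as an added example that is not code from the thoth-security-api repository: a custom HttpAuthenticationMechanism (the JASPIC ServerAuthModule replacement) hands the credential to the container's IdentityStoreHandler, which fans it out to every registered IdentityStore, here a custom one. Both classes auto-register as CDI beans; the TokenCredential type, the class names and the token table are assumptions.

```java
import java.util.*;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.*;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.*;
import javax.servlet.http.*;

// Custom authentication mechanism: how the caller interacts with the server (replaces the JASPIC ServerAuthModule).
@ApplicationScoped
public class BearerAuthenticationMechanism implements HttpAuthenticationMechanism {
    // Custom credential type carrying the opaque token taken from the Authorization header.
    public static class TokenCredential implements Credential {
        final String token;
        TokenCredential(String token) { this.token = token; }
    }

    // Custom IdentityStore: owns the caller data. The token table is a constructed stand-in for a real backend.
    @ApplicationScoped
    public static class TokenIdentityStore implements IdentityStore {
        private static final Map<String, CredentialValidationResult> TOKENS = new HashMap<>();
        static { TOKENS.put("tok-alice-123",
            new CredentialValidationResult("alice", new HashSet<>(Arrays.asList("user", "admin")))); }

        // IdentityStore.validate(Credential) dispatches here based on the credential's runtime type.
        public CredentialValidationResult validate(TokenCredential credential) {
            return TOKENS.getOrDefault(credential.token, CredentialValidationResult.INVALID_RESULT);
        }
    }

    @Inject private IdentityStoreHandler identityStoreHandler; // fans the credential out to every IdentityStore
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                                HttpMessageContext context) {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            CredentialValidationResult result = identityStoreHandler.validate(new TokenCredential(header.substring(7)));
            if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                return context.notifyContainerAboutLogin(result); // Principal and groups established
            }
        }
        if (context.isProtected()) {
            response.setHeader("WWW-Authenticate", "Bearer");
            return context.responseUnauthorized(); // 401 for a protected resource without a valid token
        }
        return context.doNothing(); // unprotected resource: continue as anonymous caller
    }
}
```

Compared with the five JASPIC registration steps, no listener, provider, config or context class is needed: the container discovers the mechanism and the store as CDI beans.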
Authentication Mechanism
Conclusions • EE 6 JASPIC brought flexibility to EE security • Gave you a place to put your code • ServerAuthModule • EE 8 Security API brought simplification to EE security • HttpAuthenticationMechanism • Both give full control over creating a Principal and roles/groups • So Think EE Security!
Thank you mjremijan@yahoo.com @mjremijan http://mjremijan.blogspot.com https://github.com/mjremijan http://www.slideshare.net/mjremijan