From JASPIC to Security API Modern Application Security

Michael Remijan, System Architect, Federal Reserve Bank St. Louis, @mjremijan
JavaOne 2017 CON 5954: Modern Application and Microservices Security from EE 6 JASPIC to the EE 8 Security API
Moscone West Room 2024, Tues 03 Oct 2017
slideshare.net/mjremijan github.com/mjremijan/thoth-jaspic github.com/mjremijan/thoth-security-api

About Me

Where I work? @since 2014
• Federal Reserve Bank St. Louis

What I do? @since 1999
• Java EE
• Architect
• Scrum Master
• Tech Lead
• Developer

What I write? @since 2014
• EJB in Action Second Edition
• EJB 3.2 – EE 7 & EE 8
@since 2010
• http://mjremijan.blogspot.com

What I teach? @since 2009
• Adjunct Instructor
• Java II

What’s the goal of this presentation?
• Get you to think: Java EE Security
• EE 7 or 8

What are we going to talk about?
• I just need to put my code somewhere to build “User”

History of EE Security
Servlet, JASPIC (JSR 196), Security API (JSR 375)
Pre-Modern Era, Post-Modern Era
https://readlearncode.com/java-ee-past-present-and-future/

Pre-Modern era architecture
• Desktop -> Web
• 1 Application
• How do you implement Security?
http://www.softwaretestingclass.com/what-is-difference-between-two-tier-and-three-tier-architecture/

Pre-Modern era…A tale of EE Security

Pre-Modern era…A tale of EE Security
https://ivanursul.com/spring-security-avoiding-basic-authentication-window-in-your-browser

Pre-Modern era…A tale of EE Security
http://www.security-expert.be/

Pre-Modern era…A tale of EE Security
• Sound familiar?
• Most common introduction to EE Security
• Quickly abandoned
• Inflexible
• A lot of server configuration
• There is nowhere to put my code!

Modern era architecture
• Multiple applications
• Add another tier
• Identity-management
• SSO
• Federation…
• How do you implement Security?
https://blogs.vmware.com/vfabric/2013/03/putting-the-single-back-in-single-sign-on-sso.html

Modern era…A tale of EE Security
• Create account
• Email
• OpenId
• OAuth 2…
• Account activation
• Login (multi-factor)
• Validate location
• Account locking
• Password reset (reCAPTCHA)
• Account disabling
• Password expiration

Modern era…A tale of EE Security
What is this?

Modern era…A tale of EE Security

Consuming authorization HEADER

Consuming authorization HEADER
• Does @WebFilter work?
• Nope!
• EE Server enforces security before @WebFilter
• Other options to consume the HEADER?
• Where else can I put my code?

Consuming authorization HEADER
This is where JASPIC comes in
• Move your code out of @WebFilter
• Put it into the JASPIC API
• Probably something you haven’t heard of

Java EE 6+ JASPIC
• @since 2009
• JSR-196 Java Authentication Service Provider Interface for Containers (JASPIC)
• ServerAuthModule (interface)
• Executed by EE Server before enforcing any security


Java EE 6+ JASPIC
• How do you register JASPIC ServerAuthModule?
• It’s a 5 step process
Tijms, A. (2012, November 7). Implementing container authentication in Java EE with JASPIC. Retrieved from http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html

Register JASPIC ServerAuthModule? Step #1
• Create: @WebListener MyContextListener implements ServletContextListener
• Get factory-factory AuthConfigFactory
• Register factory-factory AuthConfigProvider

Register JASPIC ServerAuthModule? Step #2
• Create MyAuthConfigProvider implements AuthConfigProvider
• Register factory ServerAuthConfig

Register JASPIC ServerAuthModule? Step #3
• Create MyServerAuthConfig implements ServerAuthConfig
• Creates delegator ServerAuthContext

Register JASPIC ServerAuthModule? Step #4
• Create MyServerAuthContext implements ServerAuthContext
• Creates authentication module ServerAuthModule

Register JASPIC ServerAuthModule? Step #5
• Create MyServerAuthModule implements ServerAuthModule
• This is where you finally put your code
• Building a Principal
• Getting roles/groups
• EE 6 goal was flexibility
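The step #5 module that the "Consuming authorization HEADER" slides lead up to, as an added example (not code from the talk or the thoth-jaspic repo): it consumes a bearer token from the Authorization header before the container enforces security, and hands the Principal and groups to the container through the JASPIC callbacks. The TokenVerifier hook, the VerifiedCaller holder and the "Bearer" header format are assumptions; steps #1 to #4 (the AuthConfigFactory/AuthConfigProvider/ServerAuthConfig/ServerAuthContext plumbing) are not shown.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Step #5 of the chain: the container calls this module before it enforces any
// security constraint, i.e. before any @WebFilter gets to see the request.
public class HeaderServerAuthModule implements ServerAuthModule {
    // Hypothetical hook (not from the talk): the JWT/SSO library that checks the
    // token's signature and expiry; returns null when the token must not be trusted.
    public interface TokenVerifier { VerifiedCaller verify(String token); }
    public static final class VerifiedCaller { public final String name; public final String[] groups;
        public VerifiedCaller(String n, String[] g) { name = n; groups = g; } }
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private final TokenVerifier verifier;
    private CallbackHandler handler;

    public HeaderServerAuthModule(TokenVerifier verifier) { this.verifier = verifier; }
    @Override
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) { handler = h; }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        // True only for resources covered by a security-constraint.
        boolean mandatory = Boolean.parseBoolean((String) info.getMap().get(IS_MANDATORY));
        String header = req.getHeader("Authorization");
        VerifiedCaller caller = header != null && header.startsWith("Bearer ")
                ? verifier.verify(header.substring("Bearer ".length()).trim()) : null;
        try {
            if (caller != null) {
                // "Where you finally put your code": these callbacks are how the container
                // builds the Principal and the groups that glassfish-web.xml maps to roles.
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, caller.name),
                                                new GroupPrincipalCallback(client, caller.groups) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) { // unprotected resource: continue as an anonymous caller
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // missing or untrusted token
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
    }

    @Override public AuthStatus secureResponse(MessageInfo i, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo i, Subject s) { }
    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

The isMandatory check is what keeps unprotected pages reachable while still rejecting a bad token on protected ones; without it the module would either block everything or let an unverified token through.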

How do you secure EE Components?
• Use standard EE security to secure components:
• Servlet
• JSP
• JSF/AJAX
• JAX-RS
• EJB

Securing Servlet: web.xml EMPTY, glassfish-web.xml

Securing JSP: glassfish-web.xml EMPTY

Securing JSF Page & AJAX call: web.xml, glassfish-web.xml

Securing JSF @Named bean: glassfish-web.xml

Securing JAX-RS #1: web.xml, glassfish-web.xml

Securing JAX-RS #2: glassfish-web.xml EMPTY
Bien, A. (2015, December 07). What Is Faster--EJBs Or CDI? A JMH Benchmark. Retrieved from http://adambien.blog/roller/abien/entry/what_is_faster_ejbs_or

Securing JAX-RS #3: glassfish-web.xml EMPTY

Securing JAX-RS #4
• What about JWT?
• JAX-RS has its own @PreMatching filters
• Decode Token In ServerAuthModule

Securing EJB: glassfish-web.xml EMPTY

So what’s the catch?
• JASPIC ignored when EE 6 came out
• Overshadowed
• Web-Profile
• CDI
• JAX-RS
• Pre-EE 8
• Full-profile only
• Vendor support of open standard is tricky
Tijms, A. (2016, December 04). The state of portable authentication in Java EE, end 2016 update. Retrieved from http://arjan-tijms.omnifaces.org/2016/12/the-state-of-portableauthentication-in.html

Are we still living in the modern era?
• Kinda, sorta
• Still have multiple applications, but…

Post-Modern era…
• Security is needed everywhere!

Post-Modern era security with EE 8
• JSR 375 Java EE Security 1.0
• Soteria RI
• Goals
• Modernization
• Simplification

What’s new in Security API?
Establishes some common definitions
• IdentityStore
• Caller data
• Credentials
• Groups
• Authentication mechanism
• How the caller interacts with the server
• Typically UI Rendering
http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html

IdentityStore
Built-in Identity Stores
• @EmbeddedIdentityStoreDefinition
• @DatabaseIdentityStoreDefinition
• @LdapIdentityStoreDefinition
Build your own
• Implement IdentityStore
• Embed into your application
• Auto-registration
• Multiple implementations with different responsibilities

IdentityStore – Validate caller

IdentityStore – Groups A, B, C...

Authentication Mechanism
Built-in authentication mechanisms
• @BasicAuthenticationMechanismDefinition
• Digest
• Client-cert
• @FormAuthenticationMechanismDefinition
• @CustomFormAuthenticationMechanismDefinition
Build your own
• Implement HttpAuthenticationMechanism
• Embed into your application
• Auto-registration
• Replaces JASPIC ServerAuthModule
http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html
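The EE 8 "build your own" pair from the IdentityStore and Authentication Mechanism slides, as an added example (not code from the talk or the thoth-security-api repo): a custom IdentityStore that validates the caller and returns the groups A, B, C, and a custom HttpAuthenticationMechanism that consumes the same Authorization header the JASPIC module did, with no registration classes because both are CDI beans. The TokenCredential class, the "Bearer" header format and the token table are constructed assumptions.

```java
import java.util.*;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.*;
import javax.security.enterprise.authentication.mechanism.http.*;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.*;
import javax.servlet.http.*;

// Custom credential carrying the token taken from the Authorization header.
class TokenCredential implements Credential {
    final String token;
    TokenCredential(String token) { this.token = token; }
}

// "Build your own" IdentityStore: a CDI bean, so it is auto-registered with no
// server configuration. It validates the caller and supplies the groups A, B, C.
@ApplicationScoped
public class TokenIdentityStore implements IdentityStore {
    // Constructed sample data; a real store verifies the token with the SSO/JWT
    // issuer and loads the groups from a database, LDAP or the token's claims.
    private static final Map<String, CredentialValidationResult> BY_TOKEN = new HashMap<>();
    static {
        BY_TOKEN.put("tok-alice-0001", new CredentialValidationResult("alice", new HashSet<>(Arrays.asList("A", "B"))));
        BY_TOKEN.put("tok-bob-0002", new CredentialValidationResult("bob", new HashSet<>(Arrays.asList("C"))));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof TokenCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // not ours; another store may handle it
        }
        CredentialValidationResult result = BY_TOKEN.get(((TokenCredential) credential).token);
        return result != null ? result : CredentialValidationResult.INVALID_RESULT;
    }
}

// "Build your own" HttpAuthenticationMechanism: replaces the JASPIC ServerAuthModule
// and its four registration classes; the container discovers it as a CDI bean.
@ApplicationScoped
class BearerHeaderMechanism implements HttpAuthenticationMechanism {
    @Inject private IdentityStoreHandler stores;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest req, HttpServletResponse res,
                                                HttpMessageContext ctx) throws AuthenticationException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No token: challenge on protected resources, stay anonymous elsewhere.
            return ctx.isProtected() ? ctx.responseUnauthorized() : ctx.doNothing();
        }
        CredentialValidationResult result = stores.validate(new TokenCredential(header.substring(7).trim()));
        if (result.getStatus() != CredentialValidationResult.Status.VALID) {
            return ctx.responseUnauthorized(); // never fall through on a bad token
        }
        return ctx.notifyContainerAboutLogin(result); // Principal and groups set for this request
    }
}
```

Compared with the JASPIC module, the container-supplied IdentityStoreHandler and HttpMessageContext replace the manual callback handling and the isMandatory lookup, which is the "simplification" the slides refer to.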

Authentication Mechanism

Conclusions
• EE 6 JASPIC brought flexibility to EE security
• Gave you a place to put your code
• ServerAuthModule
• EE 8 Security API brought simplification to EE security
• HttpAuthenticationMechanism
• Both give full control over creating a Principal and roles/groups
• So Think EE Security!

Thank you
mjremijan@yahoo.com @mjremijan
http://mjremijan.blogspot.com
https://github.com/mjremijan
http://www.slideshare.net/mjremijan
github.com/mjremijan/thoth-jaspic github.com/mjremijan/thoth-security-api