New Security APIs for Java EE - CON3544 - @ivar_grimstad

Post on 10-Mar-2020


@ivar_grimstad CON3544

New Security APIs for Java EE

Ivar Grimstad

Principal Consultant, Cybercom Sweden

JSR 375

JCP Award Winner 2017

@ivar_grimstad

https://github.com/ivargrimstad

https://www.linkedin.com/in/ivargrimstad

http://lanyrd.com/profile/ivargrimstad/


History, Future, Status

Java EE Security API 1.0

Demo


JSR 375


The Expert Group


Will Hopkins


Adam Bien
David Blevins (Tomitribe)
Rudy De Busscher
Ivar Grimstad
Les Hazlewood (Stormpath, Inc.)
Will Hopkins (Oracle)
Werner Keil
Matt Konda (Jemurai)
Alexander Kosowski (Oracle)
Darran Lofthouse (Red Hat)
Jean-Louis Monteiro (Tomitribe)
Ajay Reddy (IBM)
Pedro Igor Silva (Red Hat)
Arjan Tijms


Contributors


Guillermo González de Agüero
John Hogan
Elder Morales
Faith Mutluay
Reza Rahman
Ashley Richardson


Special Credits


Arjan Tijms


Common Principles

Simplify the security programming model
Enable developers to manage security
Layered APIs: higher layers delegate to lower ones
Use CDI where appropriate


Terminology


Authentication Mechanism

Caller

Caller Principal


Identity Store


General


Group-To-Role-Mapping


Caller Principal Types


Expression Language Support


Authentication Mechanism


HttpAuthenticationMechanism

package javax.security.enterprise.authentication.mechanism.http;

public interface HttpAuthenticationMechanism {

    // Called for every request: inspect the request, and either establish the caller
    // (notifyContainerAboutLogin), challenge (responseUnauthorized) or do nothing.
    AuthenticationStatus validateRequest(HttpServletRequest request,
                                         HttpServletResponse response,
                                         HttpMessageContext httpMessageContext)
            throws AuthenticationException;

    // Called after the resource ran, to post-process the response (e.g. add headers or cookies).
    AuthenticationStatus secureResponse(HttpServletRequest request,
                                        HttpServletResponse response,
                                        HttpMessageContext httpMessageContext)
            throws AuthenticationException;

    // Called on logout: remove any state this mechanism associated with the caller.
    void cleanSubject(HttpServletRequest request,
                      HttpServletResponse response,
                      HttpMessageContext httpMessageContext);
}
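As an added example (not code from the talk or from the Soteria reference implementation), here is a stateless HttpAuthenticationMechanism that accepts a constructed token format, `Authorization: Bearer <base64url(caller;group1,group2)>.<hex HMAC-SHA256>`, verifies the MAC in constant time and hands the caller and groups to the container. The class name, package, key and token layout are all assumptions for this example; the HttpMessageContext calls (isProtected, responseUnauthorized, doNothing, notifyContainerAboutLogin, cleanClientSubject) are the API's own.

```java
// Added example, not from the talk. Package and class names are hypothetical.
package com.example.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@ApplicationScoped // must be a CDI bean so the container discovers it as the app's mechanism
public class HmacTokenAuthenticationMechanism implements HttpAuthenticationMechanism {

    private static final String BEARER = "Bearer ";
    private static final String HMAC = "HmacSHA256";
    // Assumption: demo key for the example. A deployment loads a random 32-byte key from a secret store.
    private static final byte[] KEY = "demo-key-do-not-use-in-production".getBytes(StandardCharsets.UTF_8);

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext ctx) throws AuthenticationException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER)) {
            // No credential: challenge only if the target is protected, else continue as anonymous caller.
            return ctx.isProtected() ? ctx.responseUnauthorized() : ctx.doNothing();
        }
        ParsedToken token = parse(header.substring(BEARER.length()));
        if (token == null) {
            return ctx.responseUnauthorized(); // 401 with no hint about what was wrong with the token
        }
        // The MAC proves a holder of KEY issued the token, so no IdentityStore lookup is needed here.
        return ctx.notifyContainerAboutLogin(token.caller, token.groups);
    }

    @Override
    public AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext ctx) throws AuthenticationException {
        return AuthenticationStatus.SUCCESS; // nothing to add to the response
    }

    @Override
    public void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext ctx) {
        ctx.cleanClientSubject(); // stateless mechanism: no server-side state of its own to remove
    }

    /** Token layout (constructed for this example): base64url("caller;g1,g2") + "." + hex(HMAC-SHA256(payload)). */
    static ParsedToken parse(String token) {
        try {
            int dot = token.lastIndexOf('.');
            if (dot <= 0 || dot == token.length() - 1) {
                return null;
            }
            String payload = token.substring(0, dot);
            byte[] given = hexToBytes(token.substring(dot + 1));
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(KEY, HMAC));
            byte[] expected = mac.doFinal(payload.getBytes(StandardCharsets.US_ASCII));
            // Constant-time comparison: equals() would leak how many leading bytes matched.
            if (!MessageDigest.isEqual(expected, given)) {
                return null;
            }
            String[] parts = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8).split(";", -1);
            if (parts.length != 2 || parts[0].isEmpty()) {
                return null;
            }
            Set<String> groups = parts[1].isEmpty() ? new HashSet<>() : new HashSet<>(Arrays.asList(parts[1].split(",")));
            return new ParsedToken(parts[0], groups);
        } catch (java.security.GeneralSecurityException | IllegalArgumentException e) {
            return null; // malformed hex/base64 or a JCE problem: treat as invalid
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static final class ParsedToken {
        final String caller;
        final Set<String> groups;
        ParsedToken(String caller, Set<String> groups) { this.caller = caller; this.groups = groups; }
    }
}
```

Because the groups travel inside the token, a stolen token grants exactly what it says until the key is rotated; pair this with short-lived tokens or add an expiry field to the payload before using the pattern for anything beyond the example.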


Annotations and Built-In HttpAuthenticationMechanisms


@BasicAuthenticationMechanismDefinition

@FormAuthenticationMechanismDefinition

@CustomFormAuthenticationMechanismDefinition


@LoginToContinue


@RememberMe


@AutoApplySession
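An added example (not from the talk) of the built-in custom-form mechanism together with @LoginToContinue: a holder class carrying the definition, and a JSF backing bean that calls SecurityContext.authenticate with the user's credential and acts on the returned AuthenticationStatus. The page name /login.xhtml and the class names ApplicationConfig and LoginBean are assumptions.

```java
// Added example, not from the talk. Two files shown in one block; names are hypothetical.

// File: ApplicationConfig.java
package com.example.security;

import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;

@CustomFormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.xhtml",
        errorPage = "",              // empty: stay on the login page and report the failure there
        useForwardToLogin = false))  // redirect, so the browser's URL really is the login page
@ApplicationScoped
public class ApplicationConfig {
    // Only carries the definition; the container reads the annotation at deployment.
}

// File: LoginBean.java
package com.example.security;

import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Named
@RequestScoped
public class LoginBean {

    @Inject
    private SecurityContext securityContext;

    private String username;
    private String password;

    // Bound to the login form's submit button, e.g. action="#{loginBean.login}".
    public void login() {
        FacesContext faces = FacesContext.getCurrentInstance();
        AuthenticationStatus status = securityContext.authenticate(
            (HttpServletRequest) faces.getExternalContext().getRequest(),
            (HttpServletResponse) faces.getExternalContext().getResponse(),
            AuthenticationParameters.withParams()
                .credential(new UsernamePasswordCredential(username, password)));
        password = null; // do not keep the secret in the bean longer than needed

        switch (status) {
            case SEND_CONTINUE:
                // @LoginToContinue already issued the redirect back to the page the caller
                // originally asked for; tell JSF not to render on top of it.
                faces.responseComplete();
                break;
            case SEND_FAILURE:
                // One generic message: do not reveal whether the name or the password was wrong.
                faces.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
                break;
            case SUCCESS:
            case NOT_DONE:
                // SUCCESS with no pending redirect (login page opened directly), or nothing to do.
                break;
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The credential is validated by whatever IdentityStore beans the application provides; the mechanism itself only drives the redirect-to-login and redirect-back flow.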


Identity Store

package javax.security.enterprise.identitystore;

public interface IdentityStore {

    enum ValidationType { VALIDATE, PROVIDE_GROUPS }

    // Validate a credential; returns VALID with caller and groups, INVALID, or NOT_VALIDATED
    // when this store does not handle the credential type.
    CredentialValidationResult validate(Credential credential);

    // Supply (additional) groups for a caller that a store has already validated.
    Set<String> getCallerGroups(CredentialValidationResult validationResult);

    // Order in which the IdentityStoreHandler consults multiple stores.
    int priority();

    // Which of the two roles (validation, group provisioning) this store takes.
    Set<ValidationType> validationTypes();
}
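As an added example (not from the talk), a custom IdentityStore that keeps PBKDF2 hashes in memory and verifies them with the API's own Pbkdf2PasswordHash bean. The two accounts are constructed demo data, hashed at startup so no precomputed hash strings are needed; the class name, package and group names are assumptions. The store verifies against a dummy hash for unknown names so that response time does not reveal which callers exist.

```java
// Added example, not from the talk. Class, package and demo accounts are hypothetical.
package com.example.security;

import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
import static javax.security.enterprise.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;

import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash;

    private final Map<String, String> hashByCaller = new HashMap<>();
    private final Map<String, Set<String>> groupsByCaller = new HashMap<>();
    private String dummyHash; // verified against for unknown callers, so timing does not expose valid names

    @PostConstruct
    void init() {
        Map<String, String> params = new HashMap<>();
        params.put("Pbkdf2PasswordHash.Algorithm", "PBKDF2WithHmacSHA256");
        params.put("Pbkdf2PasswordHash.Iterations", "3072");
        params.put("Pbkdf2PasswordHash.SaltSizeBytes", "32");
        params.put("Pbkdf2PasswordHash.KeySizeBytes", "32");
        passwordHash.initialize(params);

        // Constructed demo accounts. Real code loads already-hashed records; plaintext appears
        // here only because the hashes are generated at startup for the example.
        add("alice", "alice-secret", "admin", "user");
        add("bob", "bob-secret", "user");
        dummyHash = passwordHash.generate("never-a-valid-login".toCharArray());
    }

    private void add(String caller, String plaintext, String... groups) {
        hashByCaller.put(caller, passwordHash.generate(plaintext.toCharArray()));
        groupsByCaller.put(caller, Collections.unmodifiableSet(new HashSet<>(Arrays.asList(groups))));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return NOT_VALIDATED_RESULT; // not our credential type; the handler tries the next store
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String caller = upc.getCaller();
        boolean known = hashByCaller.containsKey(caller);
        // Always run exactly one PBKDF2 verification: an unknown name costs the same as a wrong password.
        boolean matches = passwordHash.verify(upc.getPassword().value(), known ? hashByCaller.get(caller) : dummyHash);
        if (!known || !matches) {
            return INVALID_RESULT;
        }
        return new CredentialValidationResult(caller, groupsByCaller.get(caller));
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        // Used by the IdentityStoreHandler to add groups for a caller another store validated.
        return groupsByCaller.getOrDefault(validationResult.getCallerPrincipal().getName(), Collections.emptySet());
    }

    @Override
    public int priority() {
        return 50; // stores with a lower value are consulted before those with a higher one
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE, ValidationType.PROVIDE_GROUPS);
    }
}
```

The store deliberately does not call clear() on the password: the mechanism that created the credential owns it and may hand it to further stores.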


Annotations and Built-In IdentityStores


@LdapIdentityStoreDefinition

@DatabaseIdentityStoreDefinition
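An added example (not from the talk) of configuring a built-in identity store declaratively, alongside the built-in Basic mechanism and the roles the application uses. The data source name, table and column names, realm name and roles are assumptions; the hash parameter keys are those defined by the API's Pbkdf2PasswordHash.

```java
// Added example, not from the talk. Data source, schema, realm and role names are hypothetical.
package com.example.security;

import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Basic sends the password on every request, so this only makes sense behind TLS.
@BasicAuthenticationMechanismDefinition(realmName = "example")
@DatabaseIdentityStoreDefinition(
    dataSourceLookup = "java:comp/DefaultDataSource",
    // Both queries take the caller name as their single positional parameter; the store binds it,
    // so the name never gets concatenated into SQL.
    callerQuery = "select password from caller where name = ?",
    groupsQuery = "select group_name from caller_groups where caller_name = ?",
    // Store PBKDF2 hashes, never plaintext; these keys are the ones Pbkdf2PasswordHash reads.
    hashAlgorithm = Pbkdf2PasswordHash.class,
    hashAlgorithmParameters = {
        "Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA256",
        "Pbkdf2PasswordHash.Iterations=3072",
        "Pbkdf2PasswordHash.SaltSizeBytes=32",
        "Pbkdf2PasswordHash.KeySizeBytes=32"
    },
    priority = 30)
@DeclareRoles({ "admin", "user" })
@ApplicationScoped
public class ApplicationConfig {
    // Carries only the definitions; the container reads them at deployment.
}
```

@LdapIdentityStoreDefinition is configured the same way (url, bind DN, caller and group search bases and filters); whichever stores are defined are consulted in priority order by the IdentityStoreHandler.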


Security Context

package javax.security.enterprise;

public interface SecurityContext {

    // The authenticated caller, or null for an unauthenticated (anonymous) caller.
    Principal getCallerPrincipal();

    // All principals of the given type associated with the caller (e.g. a custom principal class).
    <T extends Principal> Set<T> getPrincipalsByType(Class<T> pType);

    // Programmatic role check, after group-to-role mapping.
    boolean isCallerInRole(String role);

    // Would the caller be allowed to reach this web resource with these HTTP methods?
    boolean hasAccessToWebResource(String resource, String... methods);

    // Trigger the configured HttpAuthenticationMechanism programmatically.
    AuthenticationStatus authenticate(HttpServletRequest request,
                                      HttpServletResponse response,
                                      AuthenticationParameters parameters);
}


@WebServlet("/protectedServlet")
@ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))
public class ProtectedServlet extends HttpServlet { ... }

// methods are passed as strings; true only if the caller holds a role the constraint allows
securityContext.hasAccessToWebResource("/protectedServlet", "GET");
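An added example (not from the talk) of SecurityContext used from a servlet: the null check for an anonymous caller, a programmatic role check, and hasAccessToWebResource used to decide which links to render. The servlet path, role names and resource paths are assumptions for the example.

```java
// Added example, not from the talk. Paths, roles and class name are hypothetical.
package com.example.security;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/home")
// Enforcement happens here: the container answers 401/403 before doGet runs for anyone else.
@ServletSecurity(@HttpConstraint(rolesAllowed = { "user", "admin" }))
public class HomeServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal caller = securityContext.getCallerPrincipal();
        if (caller == null) {
            // Unreachable behind the constraint above, but a public servlet must expect null.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Caller: " + caller.getName());

        // A programmatic branch that a declarative constraint cannot express.
        out.println("Admin tools: " + (securityContext.isCallerInRole("admin") ? "enabled" : "hidden"));

        // hasAccessToWebResource answers from the deployed constraints, so the menu never links to
        // something the caller would get 403 for. It is a UI hint; the constraints remain the enforcement point.
        for (String path : new String[] { "/protectedServlet", "/admin/audit" }) {
            if (securityContext.hasAccessToWebResource(path, "GET")) {
                out.println("Link: " + path);
            }
        }
    }
}
```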


Demo !


Summary

<dependency>
    <groupId>javax</groupId>
    <artifactId>javaee-web-api</artifactId>
    <version>8.0</version>
    <scope>provided</scope>
</dependency>


What’s NEXT?

Candidates for focus in Java EE 9:
Security in packaging, configuration and build
Microservices security

JSR Page https://jcp.org/en/jsr/detail?id=375

Java EE https://github.com/javaee/security-api https://github.com/javaee/security-spec https://github.com/javaee/security-soteria

Samples https://github.com/javaee/security-examples


Demo https://github.com/ivargrimstad/security-samples


cybercom.com
