New Security APIs for Java EE
@ivar_grimstad CON3544
Ivar Grimstad
Principal Consultant, Cybercom Sweden
JSR 375
JCP Award Winner 2017
@ivar_grimstad
https://github.com/ivargrimstad
https://www.linkedin.com/in/ivargrimstad
http://lanyrd.com/profile/ivargrimstad/
History, Future, Status
Java EE Security API 1.0
Demo
JSR 375
The Expert Group
Will Hopkins
Adam Bien
David Blevins (Tomitribe)
Rudy De Busscher
Ivar Grimstad
Les Hazlewood (Stormpath, Inc.)
Will Hopkins (Oracle)
Werner Keil
Matt Konda (Jemurai)
Alexander Kosowski (Oracle)
Darran Lofthouse (Red Hat)
Jean-Louis Monteiro (Tomitribe)
Ajay Reddy (IBM)
Pedro Igor Silva (Red Hat)
Arjan Tijms
Contributors
Guillermo González de Agüero
John Hogan
Elder Moraes
Faith Mutluay
Reza Rahman
Ashley Richardson
Special Credits
Arjan Tijms
Common Principles
Simplify the security programming model
Enable developers to manage security
Layered APIs delegate to others
Use CDI where appropriate
Terminology
Authentication Mechanism
Caller
Caller Principal
Identity Store
General
Group-To-Role-Mapping
Caller Principal Types
Expression Language Support
Authentication Mechanism
HttpAuthenticationMechanism
package javax.security.enterprise.authentication.mechanism.http;

import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public interface HttpAuthenticationMechanism {

    // Called by the container for every request; extracts credentials and
    // reports the outcome (SUCCESS, SEND_FAILURE, SEND_CONTINUE or NOT_DONE)
    AuthenticationStatus validateRequest(HttpServletRequest request,
                                         HttpServletResponse response,
                                         HttpMessageContext httpMessageContext)
            throws AuthenticationException;

    // Called after the resource has been processed, e.g. to add headers to the response
    AuthenticationStatus secureResponse(HttpServletRequest request,
                                        HttpServletResponse response,
                                        HttpMessageContext httpMessageContext)
            throws AuthenticationException;

    // Called on logout to remove any mechanism-specific state (cookies, tokens)
    void cleanSubject(HttpServletRequest request,
                      HttpServletResponse response,
                      HttpMessageContext httpMessageContext);
}
Annotations and Built-In HttpAuthenticationMechanisms
@BasicAuthenticationMechanismDefinition
@FormAuthenticationMechanismDefinition
@CustomFormAuthenticationMechanismDefinition
@LoginToContinue
@RememberMe
@AutoApplySession
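The slides show the HttpAuthenticationMechanism contract and the annotations that decorate it but not a complete implementation. The following is an added example written for this page, not code from the talk or from the Soteria reference implementation: a custom mechanism that reads an HTTP Basic Authorization header, turns it into a UsernamePasswordCredential, delegates validation to the injected IdentityStoreHandler (which fans out to every IdentityStore bean in the application) and reports the result through HttpMessageContext. The package name com.example.security and the realm name are assumptions. The built-in @BasicAuthenticationMechanismDefinition already does this; writing it out shows how the three interface methods and @AutoApplySession fit together.

```java
// Added example (not from the slides or the Soteria project); package name is hypothetical.
package com.example.security;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AutoApplySession;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@AutoApplySession   // after one successful validateRequest the caller is kept in the HTTP session
@ApplicationScoped
public class HeaderBasicAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler;   // consults all IdentityStore beans by priority

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext httpMessageContext)
            throws AuthenticationException {

        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            UsernamePasswordCredential credential = decode(header.substring(6).trim());
            if (credential != null) {
                CredentialValidationResult result = identityStoreHandler.validate(credential);
                if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                    // Hands the caller principal and groups to the container; returns SUCCESS
                    return httpMessageContext.notifyContainerAboutLogin(result);
                }
            }
            // Credentials were presented but rejected: fail even on an unprotected resource
            return challenge(response, httpMessageContext);
        }

        if (httpMessageContext.isProtected()) {
            return challenge(response, httpMessageContext);   // SEND_FAILURE with a 401 challenge
        }
        return httpMessageContext.doNothing();   // NOT_DONE: unprotected resource, continue anonymously
    }

    @Override
    public AuthenticationStatus secureResponse(HttpServletRequest request,
                                               HttpServletResponse response,
                                               HttpMessageContext httpMessageContext)
            throws AuthenticationException {
        return AuthenticationStatus.SUCCESS;   // nothing to add to the response after the resource ran
    }

    @Override
    public void cleanSubject(HttpServletRequest request,
                             HttpServletResponse response,
                             HttpMessageContext httpMessageContext) {
        // Nothing mechanism-specific to clear: this header scheme holds no state of its own
    }

    private static AuthenticationStatus challenge(HttpServletResponse response,
                                                  HttpMessageContext httpMessageContext) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");   // realm is a constructed value
        return httpMessageContext.responseUnauthorized();
    }

    // Decodes base64("user:password"); returns null if the token is malformed
    private static UsernamePasswordCredential decode(String token) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new UsernamePasswordCredential(decoded.substring(0, colon),
                                              decoded.substring(colon + 1));
    }
}
```

Two design points worth noticing: a request that carries credentials which fail validation is rejected even for an unprotected resource, so a bad password never degrades silently into anonymous access; and the mechanism never looks at passwords itself, it only maps the transport (the header) to a Credential and lets the identity stores decide, which is the layering the "Common Principles" slide describes.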
Identity Store
package javax.security.enterprise.identitystore;

import java.util.Set;

import javax.security.enterprise.credential.Credential;

public interface IdentityStore {

    // A store may validate credentials, supply groups, or do both
    enum ValidationType { VALIDATE, PROVIDE_GROUPS }

    // Returns VALID (with caller name and optionally groups), INVALID,
    // or NOT_VALIDATED when the store does not handle this credential type
    CredentialValidationResult validate(Credential credential);

    // Called only on PROVIDE_GROUPS stores, after another store has validated the caller
    Set<String> getCallerGroups(CredentialValidationResult validationResult);

    // Stores are consulted in ascending priority order (lower value first)
    int priority();

    Set<ValidationType> validationTypes();
}
Annotations and Built-In IdentityStores
@LdapIdentityStoreDefinition
@DatabaseIdentityStoreDefinition
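The IdentityStore slide lists the interface and the two built-in store definitions. The following is an added example, not code from the talk or from Soteria, showing the split the ValidationType enum allows: one store that only validates passwords (VALIDATE) against PBKDF2 hashes, and a second that only supplies groups (PROVIDE_GROUPS) for callers the first one has accepted. The IdentityStoreHandler consults them in priority order. The package name, the two user records and their group memberships are constructed sample data; the Pbkdf2PasswordHash bean is the one the container provides for injection under the spec.

```java
// Added example (not from the slides or the Soteria project); package name and users are constructed.
package com.example.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

/** Validates passwords only; group lookup is delegated to InMemoryGroupStore below. */
@ApplicationScoped
public class InMemoryPasswordStore implements IdentityStore {

    @Inject
    private Pbkdf2PasswordHash passwordHash;   // container-provided PBKDF2 implementation

    // callerName -> encoded PBKDF2 hash (never the clear-text password)
    private final Map<String, String> hashes = new HashMap<>();

    @PostConstruct
    void init() {
        passwordHash.initialize(new HashMap<>());   // spec defaults: PBKDF2WithHmacSHA256, 2048 iterations
        hashes.put("alice", passwordHash.generate("alice-secret".toCharArray()));   // constructed sample user
        hashes.put("bob", passwordHash.generate("bob-secret".toCharArray()));       // constructed sample user
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;   // not our credential type
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String stored = hashes.get(upc.getCaller());
        if (stored != null && passwordHash.verify(upc.getPassword().getValue(), stored)) {
            return new CredentialValidationResult(upc.getCaller());   // VALID, groups come from elsewhere
        }
        return CredentialValidationResult.INVALID_RESULT;   // same answer for unknown user and wrong password
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        return Collections.emptySet();   // never called: this store does not declare PROVIDE_GROUPS
    }

    @Override
    public int priority() {
        return 10;   // consulted before the group store
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE);
    }
}

/** Supplies groups only, for callers some other store has already validated. */
@ApplicationScoped
class InMemoryGroupStore implements IdentityStore {

    private final Map<String, Set<String>> groups = new HashMap<>();

    InMemoryGroupStore() {
        groups.put("alice", new HashSet<>(Arrays.asList("user", "admin")));   // constructed
        groups.put("bob", Collections.singleton("user"));                      // constructed
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        return CredentialValidationResult.NOT_VALIDATED_RESULT;   // never called: VALIDATE not declared
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        String caller = validationResult.getCallerPrincipal().getName();
        return groups.getOrDefault(caller, Collections.emptySet());
    }

    @Override
    public int priority() {
        return 20;
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.PROVIDE_GROUPS);
    }
}
```

Returning NOT_VALIDATED_RESULT for a credential type a store does not understand is what lets several stores coexist behind one IdentityStoreHandler; returning INVALID_RESULT would stop the chain. Returning the same INVALID_RESULT for an unknown caller and for a wrong password keeps the store from disclosing which user names exist.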
Security Context
package javax.security.enterprise;

import java.security.Principal;
import java.util.Set;

import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public interface SecurityContext {

    // The authenticated caller, or null for an unauthenticated request
    Principal getCallerPrincipal();

    // All principals of the given type associated with the caller (e.g. container-specific ones)
    <T extends Principal> Set<T> getPrincipalsByType(Class<T> pType);

    boolean isCallerInRole(String role);

    // Evaluates the declared web constraints for the given resource and HTTP methods
    boolean hasAccessToWebResource(String resource, String... methods);

    // Programmatic login that runs the configured HttpAuthenticationMechanism
    AuthenticationStatus authenticate(HttpServletRequest request,
                                      HttpServletResponse response,
                                      AuthenticationParameters parameters);
}
@WebServlet(“/protectedServlet")@ServletSecurity(@HttpConstraint(rolesAllowed="foo"))publicclassProtectedServletextendsHttpServlet{...}
securityContext.hasAccessToWebResource("/protectedServlet",GET);
@ivar_grimstadCON3544
packagejavax.security.enterprise;
publicinterfaceSecurityContext{PrincipalgetCallerPrincipal();SetgetPrincipalsByType(ClasspType);booleanisCallerInRole(Stringrole);
booleanhasAccessToWebResource(Stringresource,String...methods);
AuthenticationStatusauthenticate(HttpServletRequestrequestHttpServletResponseresponse,AuthenticationParametersparameters);}
@ivar_grimstadCON3544
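The slide pairs a declaratively protected servlet with a single hasAccessToWebResource call. The following is an added example, not code from the talk, that puts the SecurityContext methods to work inside a servlet of its own: it reports the caller, performs a role check, and asks the container whether this caller may GET the slide's /protectedServlet before rendering a link to it. The servlet path /home, the role name "user" and the package name are assumptions.

```java
// Added example (not from the slides); servlet path, role name and package are constructed.
package com.example.security;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/home")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))   // container enforces this before doGet runs
public class HomeServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;   // CDI bean provided by the Java EE Security API

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        Principal caller = securityContext.getCallerPrincipal();
        out.println("caller: " + (caller == null ? "<anonymous>" : caller.getName()));

        // Role check: "foo" is the role the slide's ProtectedServlet requires
        out.println("in role foo: " + securityContext.isCallerInRole("foo"));

        // Resource check: evaluates the constraints declared on /protectedServlet for a GET,
        // so the link is only shown to callers who would actually get through
        if (securityContext.hasAccessToWebResource("/protectedServlet", "GET")) {
            out.println("link: " + request.getContextPath() + "/protectedServlet");
        }
    }
}
```

isCallerInRole answers a question about the caller's roles; hasAccessToWebResource answers a question about a URL and method, taking every declared constraint on that resource into account. The second is the right call for deciding what to render, and it is the one the slide illustrates.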
Demo!
Summary
<dependency>
    <groupId>javax</groupId>
    <artifactId>javaee-web-api</artifactId>
    <version>8.0</version>
    <scope>provided</scope>
</dependency>
What's NEXT?
Candidates for Focus in Java EE 9
Security in Packaging, Configuration, Build
Microservices Security
JSR Page https://jcp.org/en/jsr/detail?id=375
Java EE
https://github.com/javaee/security-api
https://github.com/javaee/security-spec
https://github.com/javaee/security-soteria
Samples https://github.com/javaee/security-examples
Demo https://github.com/ivargrimstad/security-samples