SlideShare ist ein Scribd-Unternehmen logo

JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015

Als PPTX, PDF herunterladen
Werner Keil
Werner Keil

JSR 375: Java EE Security API works on the following enhancements: standardize user management, syntax for indicating passwords stored in secure repositories with password aliasing, and definition and standardization of a 'role service' API with role mapping. There’s also scope for a new CDI interceptor annotation to perform application-domain rules at the method level or enhancements to authentication. Where feasible synergies with prior JSR 351 (Identity) shall also be explored. In this session we’ll present the current status of this JSR and what's going on in the JSR 375 Expert Group.

Technologie
1 von 49
Tel Aviv 16-17 December 2015 Have you seen Java EE Security API lately? werner@catmedia.us Werner Keil Twitter: @wernerkeil
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 2 Agenda • Motivations • A New JSR • Ideas • Examples and Demos • Get Involved • Q & A
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 3 Who am I? • Consultant – Coach • Creative Cosmopolitan • Open Source Evangelist • Software Architect • Apache/Eclipse Committer • JCP EC Member • JSR 363 Co Spec Lead Twitter @wernerkeil Email werner@catmedia.us
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 4 Why a Java EE Security JSR? • Java EE 8 survey results • 4500 total responses • Priorities Pie Chart
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 5 Survey Results
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 6 Survey Results – Password Aliasing • Deferred from Java EE 7
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 7 What’s wrong with Java EE Security? "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever. ” – Arjan Tijms “[The EE security] model is problematic in cloud/PaaS environments where developers do not necessarily have easy access to non-standard vendor runtime features and a self-contained application is much easier to manage.” – Reza Rahman The community says…
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 8 What’s wrong with Java EE Security? • Java EE Security viewed as not portable, abstract/confusing, antiquated • Doesn’t fit cloud app developer paradigm: requires app server configuration • Losing value to non-standard 3rd Party Frameworks…less likely to move back to Java EE when requirements increase
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 9 What to do? • Plug the portability holes • Modernize  Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods  Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly  Common security configurations not requiring server changes  Annotation defaults not requiring XML
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 10 JSR 375 History • August 2014: First proposed to Oracle Java EE Architects • December 2014: Approved by JCP EC • Expert Group nominations:  EE API veterans: many JSRs, many years struggling with Security API  3rd party security framework creators/developers  EE platform security implementers • March 2015: Expert Group started discussions • November 2015: JSR 375 passed Renewal Ballot
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 11 JSR 375 – Expert Group Name Representing Adam Bien Individual David Blevins Tomitribe Rudy De Busscher Individual Ivar Grimstad Individual Les Hazlewood Stormpath, Inc. Will Hopkins Oracle Werner Keil Individual Matt Konda Jemurai
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 12 JSR 375 – Expert Group Name Representing Alex Kosowski Oracle Darren Lofthouse Red Hat Jean-Louis Monteiro Tomitribe Ajay Reddy IBM Pedro Igor Silva Red Hat Les Hazlewood Stormpath, Inc. Arjan Tijms ZEEF
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 13 JSR 375 History • In first month, expert group had an EXPLOSION of activity  Lot of Brainstorming!  237 messages on EG mailing list  81 commits in GitHub playgrounds for examples and proposals  24 JIRA issues
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 14 Ideas To modernize, standardize, simplify • Terminology • API for Authentication Mechanism • API for Identity Store • API for Password Aliasing • API for Role/Permission Assignment • API for Security Context • API for Authorization
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 15 Ideas To modernize, standardize, simplify
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 16 Ideas – Terminology • EG discussions revealed inconsistency in security API terms • Different EE containers have different names for the same concepts • When “something” gets authenticated, is that something  A User? (e.g. HttpServletRequest.getUserPrincipal)  A Caller? (e.g. EJBContext.getCallerPrincipal) • What is a group?  A group of users?  A permission  Vs Role?
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 17 Ideas – Terminology • What is that “something” where identities are stored?  security provider (WebLogic)  realm (Tomcat, some hints in Servlet spec)  (auth) repository  (auth) store  login module (JAAS)  identity manager (Undertow)  authenticator (Resin, OmniSecurity, Seam Security)  authentication provider (Spring Security)  identity provider
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 18 Ideas API for Authentication Mechanism • Application manages its own users and groups • Application needs to authenticate users in order to assign Roles • Application authenticates based on application-domain models • Application needs to use an authentication method not supported on the server, like OpenID Connect • Developers want to use portable EE Authentication standard
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 19 Current Solutions API for Authentication Mechanism • Proprietary server support • 3rd Party security frameworks provide authentication • JASPIC: Java Authentication Service Provider Interface for Containers
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 20 JASPIC • Java Authentication Service Provider Interface for Containers • JSR 196, Maintenance Release 1.1, in 2013 • Standardized, portable, thin, low-level authentication framework • Extensible from within an application • Integrates with the container to build an authenticated Subject • Implement any authentication method
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 21 JASPIC Server Auth Module public interface ServerAuthModule { public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options) throws AuthException; public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject); public Class<?>[] getSupportedMessageTypes(); public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject); public void cleanSubject(MessageInfo messageInfo, Subject subject); }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 22 JASPIC Per-Application Installation
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 23 Ideas – Simple ServerAuthModule Installation
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 24 Ideas – Simple ServerAuthModule Installation @WebListener public class SamRegistrationListener implements ServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { Jaspic.registerServerAuthModule(new TokenAuthModule(), sce.getServletContext()); } @Override public void contextDestroyed(ServletContextEvent sce) { } }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 25 Ideas – Simple ServerAuthModule Installation @Authenticator("org.acme.TokenAuthModule") @WebServlet("/SimpleServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"})) public class SimpleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.getWriter().print("my GET"); } }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 26 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule implements ServerAuthModule { public void initialize(…) throws AuthException { … } public Class<?>[] getSupportedMessageTypes() { … } public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { … } public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException { … } public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); … }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 27 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule extends HttpServerAuthModule { public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException { … } }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 28 Ideas – Standardized Authenticators OpenID Connect ServerAuthModule @Authenticator("javax.security.authenticator.OpenIDConnect") @WebServlet("/SimpleServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"})) public class SimpleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.getWriter().print("my GET"); } }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 29 Ideas – Authentication Events • Throw standardized CDI events at important moments  PreAuthenticate Event  PostAuthenticate Event  PreLogout Event  PostLogout Event
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 30 Ideas – Authentication Events • Possible use cases  Tracking number of logged-in users  Tracking failed login attempts per account  Side effects, like creating a new local user after initial successful authentication via a remote authentication provider  Loading application-specific user preferences
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 31 Current Solutions API for Identity Store • No Java EE standard support • Only proprietary server support • 3rd Party security frameworks provide user/group APIs
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 32 Ideas – Identity Store /** * <code>Credential</code> represents the credential the caller will use to authenticate. */ public interface Credential { public boolean isCleared(); public void clear(); public String getCaller(); public boolean isValid(); }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 33 Ideas – Identity Store public interface IdentityStore { /** * Validates the given credential. * * @param credential * The credential * @return The validation result, including associated * caller roles and groups. */ public CredentialValidationResult validate(Credential credential); }
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 34 Ideas – Identity Store
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 35 Use Cases API for Role/Permission Assignment • Application manages its own users and groups • Application needs to assign roles (i.e., authorities, permissions) to users and groups, based on application- specific model • Users may be stored in app-specified repository (e.g. LDAP) • Users managed without access to server configuration
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 36 Current Solutions API for Role/Permission Assignment • No Java EE standard support • Only proprietary server support • 3rd Party security frameworks provide role/authority/permission APIs
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 37 Use Cases API for Security Context • Application needs to access the security API  To get the authenticated user  To check roles  To invoke runAs • Application needs the same API to access security context, regardless of container
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 38 Current Solutions API for Security Context • No Java EE standard support • 3rd Party security frameworks provide a security context
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 39 Demo
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 40 Use Cases API for Authorization Interceptors • Application needs to restrict specific methods to authorized users • Application-model rules are used to make access decisions • Role is insufficient
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 41 Current Solutions API for Authorization Interceptors • EE authorization has no rule based authorization, only role based • 3rd Party security frameworks provide rule, role and permission based APIs
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 42 Use Cases API for Password Aliasing • Application uses passwords to access resources like LDAP and DB • Passwords stored in annotations, deployment descriptors • Best practices dictate that passwords are never stored in clear text • Need a portable way to protect stored passwords
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 43 Current Solutions API for Password Aliasing • No Java EE support • Proprietary server support, e.g. GlassFish • 3rd Party security framework support for embedded password • encryption, not aliasing
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 44 Ideas – Password Aliasing • For annotations @DataSourceDefinition( name="java:app/jdbc/test", user="root", password="${ALIAS=password}",…) • For deployment descriptors <data-source> <name>java:app/env/testDS</name> <user>APP</user> <password>${ALIAS=password}</password> … </data-source>
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 45 Ideas – Password Aliasing
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 46 Ideas – EL Authorization Rules • Expression Language rule would have access to managed beans for SecurityContext and InvocationContext @EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs") void transferFunds() {..};
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 47 Ideas – AccessDecisionVoter • A user-defined class for making access decisions @Secured(AccountAccessDecisionVoter.class) void transferFunds() {..};
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 48 Get Involved • JSR Page: https://jcp.org/en/jsr/detail?id=375 • Java.net Project Page: https://java.net/projects/javaee-security-spec • Users Mailing List: users@javaee-security-spec.java.net • GitHub Organization: https://github.com/javaee-security-spec
Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 49 Q & A

Empfohlen

JSR 354: Money and Currency API - Short Overview
JSR 354: Money and Currency API - Short OverviewJSR 354: Money and Currency API - Short Overview
JSR 354: Money and Currency API - Short OverviewWerner Keil
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Alex Kosowski
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudWerner Keil
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Modern web application development with java ee 7
Modern web application development with java ee 7Modern web application development with java ee 7
Modern web application development with java ee 7Shekhar Gulati
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the HorizonJosh Juneau
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 

Empfohlen

JSR 354: Money and Currency API - Short Overview
JSR 354: Money and Currency API - Short OverviewJSR 354: Money and Currency API - Short Overview
JSR 354: Money and Currency API - Short OverviewWerner Keil
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Alex Kosowski
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudWerner Keil
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Modern web application development with java ee 7
Modern web application development with java ee 7Modern web application development with java ee 7
Modern web application development with java ee 7Shekhar Gulati
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the HorizonJosh Juneau
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Hirofumi Iwasaki
 
Best Way to Write SQL in Java
Best Way to Write SQL in JavaBest Way to Write SQL in Java
Best Way to Write SQL in JavaGerger
 
Java EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsJava EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsMurat Yener
 
EJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyEJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyDavid Delabassee
 
Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot David Delabassee
 
Enterprise Java Web Application Frameworks Sample Stack Implementation
Enterprise Java Web Application Frameworks Sample Stack ImplementationEnterprise Java Web Application Frameworks Sample Stack Implementation
Enterprise Java Web Application Frameworks Sample Stack ImplementationMert Çalışkan
 
Move from J2EE to Java EE
Move from J2EE to Java EEMove from J2EE to Java EE
Move from J2EE to Java EEHirofumi Iwasaki
 
Java on Azure
Java on AzureJava on Azure
Java on AzurePhilly JUG
 
Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Reza Rahman
 
What's New in WebLogic 12.1.3 and Beyond
What's New in WebLogic 12.1.3 and BeyondWhat's New in WebLogic 12.1.3 and Beyond
What's New in WebLogic 12.1.3 and BeyondOracle
 
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0David Delabassee
 
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015Edward Burns
 
Java API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateJava API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateMartin Grebac
 
Android and the Seven Dwarfs from Devox'15
Android and the Seven Dwarfs from Devox'15Android and the Seven Dwarfs from Devox'15
Android and the Seven Dwarfs from Devox'15Murat Yener
 
JavaCro'15 - Java EE 8 - An instant snapshot - David Delabassee
JavaCro'15 - Java EE 8 - An instant snapshot - David DelabasseeJavaCro'15 - Java EE 8 - An instant snapshot - David Delabassee
JavaCro'15 - Java EE 8 - An instant snapshot - David DelabasseeHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
Oracle VM Spec Sheet
Oracle VM Spec SheetOracle VM Spec Sheet
Oracle VM Spec Sheetmarkgatkinson
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
API Risk: Taking Your API Security to the Next Level
API Risk: Taking Your API Security to the Next LevelAPI Risk: Taking Your API Security to the Next Level
API Risk: Taking Your API Security to the Next LevelCA Technologies
 
Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Nordic APIs
 

Weitere ähnliche Inhalte

Was ist angesagt?

Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Hirofumi Iwasaki
 
Best Way to Write SQL in Java
Best Way to Write SQL in JavaBest Way to Write SQL in Java
Best Way to Write SQL in JavaGerger
 
Java EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsJava EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsMurat Yener
 
EJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyEJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyDavid Delabassee
 
Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot David Delabassee
 
Enterprise Java Web Application Frameworks Sample Stack Implementation
Enterprise Java Web Application Frameworks Sample Stack ImplementationEnterprise Java Web Application Frameworks Sample Stack Implementation
Enterprise Java Web Application Frameworks Sample Stack ImplementationMert Çalışkan
 
Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Reza Rahman
 
What's New in WebLogic 12.1.3 and Beyond
What's New in WebLogic 12.1.3 and BeyondWhat's New in WebLogic 12.1.3 and Beyond
What's New in WebLogic 12.1.3 and BeyondOracle
 
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0David Delabassee
 
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015Edward Burns
 
Java API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateJava API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateMartin Grebac
 
Android and the Seven Dwarfs from Devox'15
Android and the Seven Dwarfs from Devox'15Android and the Seven Dwarfs from Devox'15
Android and the Seven Dwarfs from Devox'15Murat Yener
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 

Was ist angesagt? (17)

Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7
 
Best Way to Write SQL in Java
Best Way to Write SQL in JavaBest Way to Write SQL in Java
Best Way to Write SQL in Java
 
Java EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsJava EE Revisits GoF Design Patterns
Java EE Revisits GoF Design Patterns
 
EJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyEJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and Strategy
 
Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot
 
Enterprise Java Web Application Frameworks Sample Stack Implementation
Enterprise Java Web Application Frameworks Sample Stack ImplementationEnterprise Java Web Application Frameworks Sample Stack Implementation
Enterprise Java Web Application Frameworks Sample Stack Implementation
 
Move from J2EE to Java EE
Move from J2EE to Java EEMove from J2EE to Java EE
Move from J2EE to Java EE
 
Java on Azure
Java on AzureJava on Azure
Java on Azure
 
Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Have You Seen Java EE Lately?
Have You Seen Java EE Lately?
 
What's New in WebLogic 12.1.3 and Beyond
What's New in WebLogic 12.1.3 and BeyondWhat's New in WebLogic 12.1.3 and Beyond
What's New in WebLogic 12.1.3 and Beyond
 
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
Java EE 8 Adopt a JSR : JSON-P 1.1 & MVC 1.0
 
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
 
Java API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateJava API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and update
 
Android and the Seven Dwarfs from Devox'15
Android and the Seven Dwarfs from Devox'15Android and the Seven Dwarfs from Devox'15
Android and the Seven Dwarfs from Devox'15
 
JavaCro'15 - Java EE 8 - An instant snapshot - David Delabassee
JavaCro'15 - Java EE 8 - An instant snapshot - David DelabasseeJavaCro'15 - Java EE 8 - An instant snapshot - David Delabassee
JavaCro'15 - Java EE 8 - An instant snapshot - David Delabassee
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 

Andere mochten auch

The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityDistil Networks
 
Oracle VM Spec Sheet
Oracle VM Spec SheetOracle VM Spec Sheet
Oracle VM Spec Sheetmarkgatkinson
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
API Risk: Taking Your API Security to the Next Level
API Risk: Taking Your API Security to the Next LevelAPI Risk: Taking Your API Security to the Next Level
API Risk: Taking Your API Security to the Next LevelCA Technologies
 
Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Nordic APIs
 
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...ProgrammableWeb
 
WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...
WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...
WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...WSO2
 
The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...
The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...
The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...MuleSoft
 
Progress in the API Economy - April 2014
Progress in the API Economy - April 2014Progress in the API Economy - April 2014
Progress in the API Economy - April 20143scale
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API SecurityJagadish Vemugunta
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...
B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...
B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...Content Marketing Institute
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Open API and API Management - Introduction and Comparison of Products: TIBCO ...Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Open API and API Management - Introduction and Comparison of Products: TIBCO ...Kai Wähner
 
How to Create a Strong Value Proposition Design for B2B - It's all about the ...
How to Create a Strong Value Proposition Design for B2B - It's all about the ...How to Create a Strong Value Proposition Design for B2B - It's all about the ...
How to Create a Strong Value Proposition Design for B2B - It's all about the ...Daniel Nilsson
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway
 

Andere mochten auch (20)

The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
 
Oracle VM Spec Sheet
Oracle VM Spec SheetOracle VM Spec Sheet
Oracle VM Spec Sheet
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
API Risk: Taking Your API Security to the Next Level
API Risk: Taking Your API Security to the Next LevelAPI Risk: Taking Your API Security to the Next Level
API Risk: Taking Your API Security to the Next Level
 
Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)Interoperability in a B2B Word (NordicAPIS April 2014)
Interoperability in a B2B Word (NordicAPIS April 2014)
 
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
Why API Security Is More Complicated Than You Think (and Why It’s Your #1 Pri...
 
WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...
WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...
WSO2 - Forrester Guest Webinar: API Management is not Enough: You Need an API...
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...
The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...
The Future of B2B: Applying API-Led Connectivity to B2B/EDI - Eric Rempel, CI...
 
Progress in the API Economy - April 2014
Progress in the API Economy - April 2014Progress in the API Economy - April 2014
Progress in the API Economy - April 2014
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...
B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...
B2B Small Business Content Marketing: 2014 Benchmarks, Budgets and Trends - N...
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Open API and API Management - Introduction and Comparison of Products: TIBCO ...Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
 
Adapt or Die Sydney - API Security
Adapt or Die Sydney - API SecurityAdapt or Die Sydney - API Security
Adapt or Die Sydney - API Security
 
How to Create a Strong Value Proposition Design for B2B - It's all about the ...
How to Create a Strong Value Proposition Design for B2B - It's all about the ...How to Create a Strong Value Proposition Design for B2B - It's all about the ...
How to Create a Strong Value Proposition Design for B2B - It's all about the ...
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 

Ähnlich wie JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015

apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...
apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...
apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...apidays
 
Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401Amazon Web Services
 
Operating a High Velocity Large Organization with Spring Cloud Microservices
Operating a High Velocity Large Organization with Spring Cloud MicroservicesOperating a High Velocity Large Organization with Spring Cloud Microservices
Operating a High Velocity Large Organization with Spring Cloud MicroservicesNoriaki Tatsumi
 
Adding Realtime to your Projects
Adding Realtime to your ProjectsAdding Realtime to your Projects
Adding Realtime to your ProjectsIgnacio Martín
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"Daniel Bryant
 
apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...
apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...
apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...apidays
 
Characerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT NetworkCharacerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT NetworkHans Ashlock
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Enterprise Software Architecture styles
Enterprise Software Architecture stylesEnterprise Software Architecture styles
Enterprise Software Architecture stylesAraf Karsh Hamid
 
AWS User Group - Survey Results and Building APIs on AWS
AWS User Group - Survey Results and Building APIs on AWSAWS User Group - Survey Results and Building APIs on AWS
AWS User Group - Survey Results and Building APIs on AWSSebastian Krueger
 
Microservices and the Art of Taming the Dependency Hell Monster
Microservices and the Art of Taming the Dependency Hell MonsterMicroservices and the Art of Taming the Dependency Hell Monster
Microservices and the Art of Taming the Dependency Hell MonsterC4Media
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware AdministratorsTrevor Roberts Jr.
 
London Oracle Developer Meetup April 18
London Oracle Developer Meetup April 18London Oracle Developer Meetup April 18
London Oracle Developer Meetup April 18Phil Wilkins
 
Zure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayZure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayOkko Oulasvirta
 
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...heiland
 
Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Dinis Cruz
 
OMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse Foundation
OMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse FoundationOMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse Foundation
OMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse FoundationOpen Mobile Alliance
 
2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - English2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - EnglishAlexandre Gouaillard
 

Ähnlich wie JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015 (20)

Application Delivery Patterns
Application Delivery PatternsApplication Delivery Patterns
Application Delivery Patterns
 
apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...
apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...
apidays LIVE Paris 2021 - Lessons from the API Stewardship Journey in Azure b...
 
Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401
 
Operating a High Velocity Large Organization with Spring Cloud Microservices
Operating a High Velocity Large Organization with Spring Cloud MicroservicesOperating a High Velocity Large Organization with Spring Cloud Microservices
Operating a High Velocity Large Organization with Spring Cloud Microservices
 
Adding Realtime to your Projects
Adding Realtime to your ProjectsAdding Realtime to your Projects
Adding Realtime to your Projects
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"CodeOne SF 2018 "Are you deploying and operating with security in mind?"
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
 
apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...
apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...
apidays Paris 2022 - OpenAPI: An Early Design Feedback Engine, Lukas Rosensto...
 
Characerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT NetworkCharacerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT Network
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Enterprise Software Architecture styles
Enterprise Software Architecture stylesEnterprise Software Architecture styles
Enterprise Software Architecture styles
 
AWS User Group - Survey Results and Building APIs on AWS
AWS User Group - Survey Results and Building APIs on AWSAWS User Group - Survey Results and Building APIs on AWS
AWS User Group - Survey Results and Building APIs on AWS
 
Microservices and the Art of Taming the Dependency Hell Monster
Microservices and the Art of Taming the Dependency Hell MonsterMicroservices and the Art of Taming the Dependency Hell Monster
Microservices and the Art of Taming the Dependency Hell Monster
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
 
London Oracle Developer Meetup April 18
London Oracle Developer Meetup April 18London Oracle Developer Meetup April 18
London Oracle Developer Meetup April 18
 
Zure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayZure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training day
 
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
 
Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0
 
OMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse Foundation
OMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse FoundationOMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse Foundation
OMA LwM2M Workshop - Julien Vermillard, OMA LwM2M Projects in Eclipse Foundation
 
2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - English2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - English
 

Mehr von Werner Keil

Securing eHealth, eGovernment and eBanking with Java - DWX '21
Securing eHealth, eGovernment and eBanking with Java - DWX '21Securing eHealth, eGovernment and eBanking with Java - DWX '21
Securing eHealth, eGovernment and eBanking with Java - DWX '21Werner Keil
 
OpenDDR and Jakarta MVC - JavaLand 2021
OpenDDR and Jakarta MVC - JavaLand 2021OpenDDR and Jakarta MVC - JavaLand 2021
OpenDDR and Jakarta MVC - JavaLand 2021Werner Keil
 
How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021
How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021
How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021Werner Keil
 
OpenDDR and Jakarta MVC - Java2Days 2020 Virtual
OpenDDR and Jakarta MVC - Java2Days 2020 VirtualOpenDDR and Jakarta MVC - Java2Days 2020 Virtual
OpenDDR and Jakarta MVC - Java2Days 2020 VirtualWerner Keil
 
NoSQL Endgame - Java2Days 2020 Virtual
NoSQL Endgame - Java2Days 2020 VirtualNoSQL Endgame - Java2Days 2020 Virtual
NoSQL Endgame - Java2Days 2020 VirtualWerner Keil
 
JCON 2020: Mobile Java Web Applications with MVC and OpenDDR
JCON 2020: Mobile Java Web Applications with MVC and OpenDDRJCON 2020: Mobile Java Web Applications with MVC and OpenDDR
JCON 2020: Mobile Java Web Applications with MVC and OpenDDRWerner Keil
 
How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020
How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020
How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020Werner Keil
 
Money, Money, Money, can be funny with JSR 354 (Devoxx BE)
Money, Money, Money, can be funny with JSR 354 (Devoxx BE)Money, Money, Money, can be funny with JSR 354 (Devoxx BE)
Money, Money, Money, can be funny with JSR 354 (Devoxx BE)Werner Keil
 
Money, Money, Money, can be funny with JSR 354 (DWX 2019)
Money, Money, Money, can be funny with JSR 354 (DWX 2019)Money, Money, Money, can be funny with JSR 354 (DWX 2019)
Money, Money, Money, can be funny with JSR 354 (DWX 2019)Werner Keil
 
NoSQL: The first New Jakarta EE Specification (DWX 2019)
NoSQL: The first New Jakarta EE Specification (DWX 2019)NoSQL: The first New Jakarta EE Specification (DWX 2019)
NoSQL: The first New Jakarta EE Specification (DWX 2019)Werner Keil
 
How JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR Day
How JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR DayHow JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR Day
How JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR DayWerner Keil
 
JNoSQL: The Definitive Solution for Java and NoSQL Databases
JNoSQL: The Definitive Solution for Java and NoSQL DatabasesJNoSQL: The Definitive Solution for Java and NoSQL Databases
JNoSQL: The Definitive Solution for Java and NoSQL DatabasesWerner Keil
 
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL Databases
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL DatabasesEclipse JNoSQL: The Definitive Solution for Java and NoSQL Databases
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL DatabasesWerner Keil
 
Physikal - Using Kotlin for Clean Energy - KUG Munich
Physikal - Using Kotlin for Clean Energy - KUG MunichPhysikal - Using Kotlin for Clean Energy - KUG Munich
Physikal - Using Kotlin for Clean Energy - KUG MunichWerner Keil
 
Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017
Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017
Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017Werner Keil
 
Performance Monitoring for the Cloud - Java2Days 2017
Performance Monitoring for the Cloud - Java2Days 2017Performance Monitoring for the Cloud - Java2Days 2017
Performance Monitoring for the Cloud - Java2Days 2017Werner Keil
 
Eclipse Science F2F 2016 - JSR 363
Eclipse Science F2F 2016 - JSR 363Eclipse Science F2F 2016 - JSR 363
Eclipse Science F2F 2016 - JSR 363Werner Keil
 
Apache DeviceMap - Web-Dev-BBQ Stuttgart
Apache DeviceMap - Web-Dev-BBQ StuttgartApache DeviceMap - Web-Dev-BBQ Stuttgart
Apache DeviceMap - Web-Dev-BBQ StuttgartWerner Keil
 
The First IoT JSR: Units of Measurement - JUG Berlin-Brandenburg
The First IoT JSR: Units of Measurement - JUG Berlin-BrandenburgThe First IoT JSR: Units of Measurement - JUG Berlin-Brandenburg
The First IoT JSR: Units of Measurement - JUG Berlin-BrandenburgWerner Keil
 
JavaLand: Quantified Social - Fitness-Geräte und -Portale mit Agorava
JavaLand: Quantified Social - Fitness-Geräte und -Portale mit AgoravaJavaLand: Quantified Social - Fitness-Geräte und -Portale mit Agorava
JavaLand: Quantified Social - Fitness-Geräte und -Portale mit AgoravaWerner Keil
 

Mehr von Werner Keil (20)

Securing eHealth, eGovernment and eBanking with Java - DWX '21
Securing eHealth, eGovernment and eBanking with Java - DWX '21Securing eHealth, eGovernment and eBanking with Java - DWX '21
Securing eHealth, eGovernment and eBanking with Java - DWX '21
 
OpenDDR and Jakarta MVC - JavaLand 2021
OpenDDR and Jakarta MVC - JavaLand 2021OpenDDR and Jakarta MVC - JavaLand 2021
OpenDDR and Jakarta MVC - JavaLand 2021
 
How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021
How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021
How JSR 385 could have Saved the Mars Climate Orbiter - Zurich IoT Day 2021
 
OpenDDR and Jakarta MVC - Java2Days 2020 Virtual
OpenDDR and Jakarta MVC - Java2Days 2020 VirtualOpenDDR and Jakarta MVC - Java2Days 2020 Virtual
OpenDDR and Jakarta MVC - Java2Days 2020 Virtual
 
NoSQL Endgame - Java2Days 2020 Virtual
NoSQL Endgame - Java2Days 2020 VirtualNoSQL Endgame - Java2Days 2020 Virtual
NoSQL Endgame - Java2Days 2020 Virtual
 
JCON 2020: Mobile Java Web Applications with MVC and OpenDDR
JCON 2020: Mobile Java Web Applications with MVC and OpenDDRJCON 2020: Mobile Java Web Applications with MVC and OpenDDR
JCON 2020: Mobile Java Web Applications with MVC and OpenDDR
 
How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020
How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020
How JSR 385 could have Saved the Mars Climate Orbiter - JFokus 2020
 
Money, Money, Money, can be funny with JSR 354 (Devoxx BE)
Money, Money, Money, can be funny with JSR 354 (Devoxx BE)Money, Money, Money, can be funny with JSR 354 (Devoxx BE)
Money, Money, Money, can be funny with JSR 354 (Devoxx BE)
 
Money, Money, Money, can be funny with JSR 354 (DWX 2019)
Money, Money, Money, can be funny with JSR 354 (DWX 2019)Money, Money, Money, can be funny with JSR 354 (DWX 2019)
Money, Money, Money, can be funny with JSR 354 (DWX 2019)
 
NoSQL: The first New Jakarta EE Specification (DWX 2019)
NoSQL: The first New Jakarta EE Specification (DWX 2019)NoSQL: The first New Jakarta EE Specification (DWX 2019)
NoSQL: The first New Jakarta EE Specification (DWX 2019)
 
How JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR Day
How JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR DayHow JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR Day
How JSR 385 could have Saved the Mars Climate Orbiter - Adopt-a-JSR Day
 
JNoSQL: The Definitive Solution for Java and NoSQL Databases
JNoSQL: The Definitive Solution for Java and NoSQL DatabasesJNoSQL: The Definitive Solution for Java and NoSQL Databases
JNoSQL: The Definitive Solution for Java and NoSQL Databases
 
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL Databases
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL DatabasesEclipse JNoSQL: The Definitive Solution for Java and NoSQL Databases
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL Databases
 
Physikal - Using Kotlin for Clean Energy - KUG Munich
Physikal - Using Kotlin for Clean Energy - KUG MunichPhysikal - Using Kotlin for Clean Energy - KUG Munich
Physikal - Using Kotlin for Clean Energy - KUG Munich
 
Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017
Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017
Physikal - JSR 363 and Kotlin for Clean Energy - Java2Days 2017
 
Performance Monitoring for the Cloud - Java2Days 2017
Performance Monitoring for the Cloud - Java2Days 2017Performance Monitoring for the Cloud - Java2Days 2017
Performance Monitoring for the Cloud - Java2Days 2017
 
Eclipse Science F2F 2016 - JSR 363
Eclipse Science F2F 2016 - JSR 363Eclipse Science F2F 2016 - JSR 363
Eclipse Science F2F 2016 - JSR 363
 
Apache DeviceMap - Web-Dev-BBQ Stuttgart
Apache DeviceMap - Web-Dev-BBQ StuttgartApache DeviceMap - Web-Dev-BBQ Stuttgart
Apache DeviceMap - Web-Dev-BBQ Stuttgart
 
The First IoT JSR: Units of Measurement - JUG Berlin-Brandenburg
The First IoT JSR: Units of Measurement - JUG Berlin-BrandenburgThe First IoT JSR: Units of Measurement - JUG Berlin-Brandenburg
The First IoT JSR: Units of Measurement - JUG Berlin-Brandenburg
 
JavaLand: Quantified Social - Fitness-Geräte und -Portale mit Agorava
JavaLand: Quantified Social - Fitness-Geräte und -Portale mit AgoravaJavaLand: Quantified Social - Fitness-Geräte und -Portale mit Agorava
JavaLand: Quantified Social - Fitness-Geräte und -Portale mit Agorava
 

Kürzlich hochgeladen

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 

Kürzlich hochgeladen (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015

  • 1. Tel Aviv 16-17 December 2015 Have you seen Java EE Security API lately? werner@catmedia.us Werner Keil Twitter: @wernerkeil
  • 2. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 2 Agenda • Motivations • A New JSR • Ideas • Examples and Demos • Get Involved • Q & A
  • 3. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 3 Who am I? • Consultant – Coach • Creative Cosmopolitan • Open Source Evangelist • Software Architect • Apache/Eclipse Committer • JCP EC Member • JSR 363 Co Spec Lead Twitter @wernerkeil Email werner@catmedia.us
  • 4. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 4 Why a Java EE Security JSR? • Java EE 8 survey results • 4500 total responses • Priorities Pie Chart
  • 5. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 5 Survey Results
  • 6. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 6 Survey Results – Password Aliasing • Deferred from Java EE 7
  • 7. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 7 What’s wrong with Java EE Security? "The ultimate goal is to have basic security working without the need of any kind of vendor specific configuration, deployment descriptors, or whatever. ” – Arjan Tijms “[The EE security] model is problematic in cloud/PaaS environments where developers do not necessarily have easy access to non-standard vendor runtime features and a self-contained application is much easier to manage.” – Reza Rahman The community says…
  • 8. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 8 What’s wrong with Java EE Security? • Java EE Security viewed as not portable, abstract/confusing, antiquated • Doesn’t fit cloud app developer paradigm: requires app server configuration • Losing value to non-standard 3rd Party Frameworks…less likely to move back to Java EE when requirements increase
  • 9. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 9 What to do? • Plug the portability holes • Modernize  Context Dependency Injection (CDI) • Intercept at Access Enforcement Points: POJO methods  Expression Language (EL) • Enable Access Enforcement Points with complex rules • App Developer Friendly  Common security configurations not requiring server changes  Annotation defaults not requiring XML
  • 10. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 10 JSR 375 History • August 2014: First proposed to Oracle Java EE Architects • December 2014: Approved by JCP EC • Expert Group nominations:  EE API veterans: many JSRs, many years struggling with Security API  3rd party security framework creators/developers  EE platform security implementers • March 2015: Expert Group started discussions • November 2015: JSR 375 passed Renewal Ballot
  • 11. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 11 JSR 375 – Expert Group Name Representing Adam Bien Individual David Blevins Tomitribe Rudy De Busscher Individual Ivar Grimstad Individual Les Hazlewood Stormpath, Inc. Will Hopkins Oracle Werner Keil Individual Matt Konda Jemurai
  • 12. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 12 JSR 375 – Expert Group Name Representing Alex Kosowski Oracle Darren Lofthouse Red Hat Jean-Louis Monteiro Tomitribe Ajay Reddy IBM Pedro Igor Silva Red Hat Les Hazlewood Stormpath, Inc. Arjan Tijms ZEEF
  • 13. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 13 JSR 375 History • In first month, expert group had an EXPLOSION of activity  Lot of Brainstorming!  237 messages on EG mailing list  81 commits in GitHub playgrounds for examples and proposals  24 JIRA issues
  • 14. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 14 Ideas To modernize, standardize, simplify • Terminology • API for Authentication Mechanism • API for Identity Store • API for Password Aliasing • API for Role/Permission Assignment • API for Security Context • API for Authorization
  • 15. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 15 Ideas To modernize, standardize, simplify
  • 16. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 16 Ideas – Terminology • EG discussions revealed inconsistency in security API terms • Different EE containers have different names for the same concepts • When “something” gets authenticated, is that something  A User? (e.g. HttpServletRequest.getUserPrincipal)  A Caller? (e.g. EJBContext.getCallerPrincipal) • What is a group?  A group of users?  A permission  Vs Role?
  • 17. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 17 Ideas – Terminology • What is that “something” where identities are stored?  security provider (WebLogic)  realm (Tomcat, some hints in Servlet spec)  (auth) repository  (auth) store  login module (JAAS)  identity manager (Undertow)  authenticator (Resin, OmniSecurity, Seam Security)  authentication provider (Spring Security)  identity provider
  • 18. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 18 Ideas API for Authentication Mechanism • Application manages its own users and groups • Application needs to authenticate users in order to assign Roles • Application authenticates based on application-domain models • Application needs to use an authentication method not supported on the server, like OpenID Connect • Developers want to use portable EE Authentication standard
  • 19. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 19 Current Solutions API for Authentication Mechanism • Proprietary server support • 3rd Party security frameworks provide authentication • JASPIC: Java Authentication Service Provider Interface for Containers
  • 20. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 20 JASPIC • Java Authentication Service Provider Interface for Containers • JSR 196, Maintenance Release 1.1, in 2013 • Standardized, portable, thin, low-level authentication framework • Extensible from within an application • Integrates with the container to build an authenticated Subject • Implement any authentication method
  • 21. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 21 JASPIC Server Auth Module public interface ServerAuthModule { public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options) throws AuthException; public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject); public Class<?>[] getSupportedMessageTypes(); public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject); public void cleanSubject(MessageInfo messageInfo, Subject subject); }
  • 22. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 22 JASPIC Per-Application Installation
  • 23. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 23 Ideas – Simple ServerAuthModule Installation
  • 24. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 24 Ideas – Simple ServerAuthModule Installation @WebListener public class SamRegistrationListener implements ServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { Jaspic.registerServerAuthModule(new TokenAuthModule(), sce.getServletContext()); } @Override public void contextDestroyed(ServletContextEvent sce) { } }
  • 25. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 25 Ideas – Simple ServerAuthModule Installation @Authenticator("org.acme.TokenAuthModule") @WebServlet("/SimpleServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"})) public class SimpleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.getWriter().print("my GET"); } }
  • 26. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 26 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule implements ServerAuthModule { public void initialize(…) throws AuthException { … } public Class<?>[] getSupportedMessageTypes() { … } public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { … } public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException { … } public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); … }
  • 27. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 27 Ideas – Profile Specific Helper Classes public class BasicServerAuthModule extends HttpServerAuthModule { public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException { … } }
  • 28. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 28 Ideas – Standardized Authenticators OpenID Connect ServerAuthModule @Authenticator("javax.security.authenticator.OpenIDConnect") @WebServlet("/SimpleServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"})) public class SimpleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.getWriter().print("my GET"); } }
  • 29. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 29 Ideas – Authentication Events • Throw standardized CDI events at important moments  PreAuthenticate Event  PostAuthenticate Event  PreLogout Event  PostLogout Event
  • 30. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 30 Ideas – Authentication Events • Possible use cases  Tracking number of logged-in users  Tracking failed login attempts per account  Side effects, like creating a new local user after initial successful authentication via a remote authentication provider  Loading application-specific user preferences
  • 31. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 31 Current Solutions API for Identity Store • No Java EE standard support • Only proprietary server support • 3rd Party security frameworks provide user/group APIs
  • 32. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 32 Ideas – Identity Store /** * <code>Credential</code> represents the credential the caller will use to authenticate. */ public interface Credential { public boolean isCleared(); public void clear(); public String getCaller(); public boolean isValid(); }
  • 33. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 33 Ideas – Identity Store public interface IdentityStore { /** * Validates the given credential. * * @param credential * The credential * @return The validation result, including associated * caller roles and groups. */ public CredentialValidationResult validate(Credential credential); }
  • 34. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 34 Ideas – Identity Store
  • 35. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 35 Use Cases API for Role/Permission Assignment • Application manages its own users and groups • Application needs to assign roles (i.e., authorities, permissions) to users and groups, based on application- specific model • Users may be stored in app-specified repository (e.g. LDAP) • Users managed without access to server configuration
  • 36. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 36 Current Solutions API for Role/Permission Assignment • No Java EE standard support • Only proprietary server support • 3rd Party security frameworks provide role/authority/permission APIs
  • 37. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 37 Use Cases API for Security Context • Application needs to access the security API  To get the authenticated user  To check roles  To invoke runAs • Application needs the same API to access security context, regardless of container
  • 38. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 38 Current Solutions API for Security Context • No Java EE standard support • 3rd Party security frameworks provide a security context
  • 39. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 39 Demo
  • 40. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 40 Use Cases API for Authorization Interceptors • Application needs to restrict specific methods to authorized users • Application-model rules are used to make access decisions • Role is insufficient
  • 41. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 41 Current Solutions API for Authorization Interceptors • EE authorization has no rule based authorization, only role based • 3rd Party security frameworks provide rule, role and permission based APIs
  • 42. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 42 Use Cases API for Password Aliasing • Application uses passwords to access resources like LDAP and DB • Passwords stored in annotations, deployment descriptors • Best practices dictate that passwords are never stored in clear text • Need a portable way to protect stored passwords
  • 43. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 43 Current Solutions API for Password Aliasing • No Java EE support • Proprietary server support, e.g. GlassFish • 3rd Party security framework support for embedded password • encryption, not aliasing
  • 44. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 44 Ideas – Password Aliasing • For annotations @DataSourceDefinition( name="java:app/jdbc/test", user="root", password="${ALIAS=password}",…) • For deployment descriptors <data-source> <name>java:app/env/testDS</name> <user>APP</user> <password>${ALIAS=password}</password> … </data-source>
  • 45. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 45 Ideas – Password Aliasing
  • 46. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 46 Ideas – EL Authorization Rules • Expression Language rule would have access to managed beans for SecurityContext and InvocationContext @EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs") void transferFunds() {..};
  • 47. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 47 Ideas – AccessDecisionVoter • A user-defined class for making access decisions @Secured(AccountAccessDecisionVoter.class) void transferFunds() {..};
  • 48. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 48 Get Involved • JSR Page: https://jcp.org/en/jsr/detail?id=375 • Java.net Project Page: https://java.net/projects/javaee-security-spec • Users Mailing List: users@javaee-security-spec.java.net • GitHub Organization: https://github.com/javaee-security-spec
  • 49. Tel Aviv 16-17 December 2015 – Werner Keil 1/3/2016 49 Q & A