Modern Application and Microservices Security from EE6 JASPIC to the EE8 Security API

slideshare.net/mjremijan github.com/mjremijan/thoth-jaspic github.com/mjremijan/thoth-security-api
From JASPIC to Security API
Modern Application Security
Michael Remijan
System Architect,
Federal Reserve Bank St. Louis
JavaOne 2017 CON5954 Modern Application and Microservices Security from EE6 JASPIC to the EE8 Security API Moscone West Room 2024 Tues 03 Oct 2017
@mjremijan

About Me

Where I work?
@since 2014
• Federal Reserve Bank St. Louis

What I do?
@since 1999
• Java EE
• Architect
• Scrum Master
• Tech Lead
• Developer

What I write?
@since 2014
• EJB in Action Second Edition
• EJB 3.2 – EE7 & EE8
@since 2010
• http://mjremijan.blogspot.com

What I teach?
@since 2009
• Adjunct Instructor
• Java I
• Java II

What’s the goal of this presentation?
• Get you to think: Java EE Security
• EE 7 or 8

What are we going to talk about?
• I just need to put my code somewhere to build “User”

History of EE Security
Servlet JASPIC (JSR 196) Security API (JSR 375)
https://readlearncode.com/java-ee/java-ee-past-present-and-future/
Pre-Modern Era Modern Era Post-Modern Era

Pre-Modern era architecture
• Desktop ->Web
• 1 Application
• How do you
implement
Security?
http://www.softwaretestingclass.com/what-is-difference-between-two-tier-and-three-tier-architecture/

Pre-Modern era…A tale of EE Security

https://ivanursul.com/spring-security-avoiding-basic-authentication-window-in-your-browser

http://www.security-expert.be/

• Sound familiar?
• Most common introduction to EE Security
• Quickly abandoned
• Inflexible
• A lot of server configuration
• There is no where to put my code!

Modern era architecture
• Multiple applications
• Add another tier
• Identity-management
• SSO
• Federation…
• How do you
implement
Security?
https://blogs.vmware.com/vfabric/2013/03/putting-the-single-back-in-single-sign-on-sso.html

Modern era…A tale of EE Security
• Create account
• Email
• OpenId
• OAuth2…
• Account activation
• Login (multi-factor)
• Validate location
• Account locking
• Password reset (reCaptica)
• Account disabling
• Password expiration

What is this?

Consuming authorization HEADER

• Does @WebFilter Work?
• Nope!
• EE Server enforces security before @WebFilter
• Other options to consume the HEADER?
• Where else can I put my code?

This is where JASPIC comes in
• Move your code out of @WebFilter
• Put it into the JASPIC API
• Probably something you haven’t heard of

Java EE6+ JASPIC
• @since 2009
• JSR-196 Java Authentication Service Provider Interface for
Containers (JASPIC)
• ServerAuthModule (interface)
• Executed by EE Server before enforcing any security

Java EE6+ JASPIC
• How do you register JASPIC ServerAuthModule?
• It’s a 5 step process
Tijms, A. (2012, November 7). Implementing container authentication in Java EE with JASPIC.
Retrieved from http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html

Register JASPIC ServerAuthModule?
Step #1
• Create:
@WebListener
MyContextListener implements ServletContextListener
• Get factory-factory-factory AuthConfigFactory
• Register factory-factory AuthConfigProvider

Step #2
• Create
MyAuthConfigProvider implements AuthConfigProvider
• Register factory ServerAuthConfig

Step #3
• Create
MyServerAuthConfig implements ServerAuthConfig
• Creates delegator ServerAuthContext

Step #4
• Create
MyServerAuthContext implements ServerAuthContext
• Creates authentication module ServerAuthModule

Step #5
• Create
MyServerAuthModule implements ServerAuthModule
• This is where you finally put your code
• Building a Principal
• Getting roles/groups
• EE6 goal was flexibility

How do you secure EE Components?
• Use standard EE security to secure components:
• Servlet
• JSP
• JSF/AJAX
• JAX-RS
• EJB

Securing Servlet
web.xml
EMPTY
glassfish-web.xml

Securing JSP
glassfish-web.xml
web.xml
EMPTY

Securing JSF Page & AJAX call
glassfish-web.xml
web.xml

Securing JSF @Named bean
glassfish-web.xml

Securing JAX-RS #1
web.xml
glassfish-web.xml

Securing JAX-RS #2
glassfish-web.xml
web.xml
EMPTY
Bien, A. (2015, December 07). What Is Faster--EJBs Or CDI? A JMH Benchmark. Retrieved from
http://adambien.blog/roller/abien/entry/what_is_faster_ejbs_or

Securing JAX-RS #3
web.xml
EMPTY
glassfish-web.xml

Securing JAX-RS #4
• What about JWT?
• JAX-RS has its own @PreMatching filters DecodeToken
In
ServerAuthModule

Securing EJB
glassfish-web.xml
web.xml
EMPTY

So what’s the catch?
• JASPIC ignored when EE6 came out
• Overshadowed
• Web-Profile
• CDI
• JAX-RS
• Pre-EE8
• Full-profile only
• Vender support of open standard is tricky
• Tijms, A (2016, December 04). The state of portable authentication in Java
EE, end 2016 update. Retrieved from http://arjan-
tijms.omnifaces.org/2016/12/the-state-of-portable-authentication-in.html

Are we still living in the modern era?
• Kinda, sorta
• Still have multiple
applications, but…

Post-Modern era…
• Security is
needed
everywhere!

Post-Modern era security with EE8
• JSR 375 Java EE Security 1.0
• Soteria RI
• Goals
• Modernization
• Simplification

What’s new in SecurityAPI?
Establishes some common definitions
• IdentityStore
• Caller data
• Credentials
• Groups
• Authentication mechanism
• How the caller interacts with the server
• Typically UI Rendering
http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html

IdentityStore
Built-in Identity Stores
• @EmbeddedIdentityStoreDefinition
• @DataBaseIdentityStoreDefinition
• @LdapIdentityStoreDefinition
Build your own
• Implement IdentityStore
• Embed into your application
• Auto-registration
• Multiple implementations with different responsibilities

IdentityStore –Validate caller

IdentityStore – Groups A,B,C...

Authentication Mechanism
Built-in authentication mechanisms
1. @BasicAuthenticationMechanismDefinition
2. Digest
3. Client-cert
4. @FormAuthenticationMechanismDefinition
@CustomFormAuthenticationMechanismDefinition
Build your own
• Implement HttpAuthenticationMechanism
• Embed into your application
• Auto-registration
• Replaces JASPIC ServerAuthModule
http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html

Authentication Mechanism

Conclusions
• EE6 JASPIC brought flexibility to EE security
• Gave you a place to put your code
• ServerAuthModule
• EE8 Security API brought simplification to EE security
• HttpAuthenticationMechanism
• Both give full control over creating a Principal and roles/groups
• SoThink EE Security!

Thank you
mjremijan@yahoo.com
@mjremijan
http://mjremijan.blogspot.com
https://github.com/mjremijan
http://www.slideshare.net/mjremijan

Modern Application and Microservices Security from EE6 JASPIC to the EE8 Security API

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Modern Application and Microservices Security from EE6 JASPIC to the EE8 Security API

Ähnlich wie Modern Application and Microservices Security from EE6 JASPIC to the EE8 Security API (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Modern Application and Microservices Security from EE6 JASPIC to the EE8 Security API

Hinweis der Redaktion