The Java EE Security API (JSR-375) wants to simplify the implementation of security-related features in your Java EE application. Application server specific configuration changes will be no longer needed and things will be much more app developer friendly. Aligning security with the ease of development we saw in the recent version of Java EE. We will show you the basic goals and concepts behind Java EE Security API. And of course, demos with the current version of the RI, named Soteria, how you can do Authentication and Authorization.

2. What is tackled in the Java EE Security API
(Java EE 8)

3. A G E N D A
JAVA EE
SECURITY
WHY
UPDATE?
ALREADY
AVAILABLE?
JSR-375
SOTERIA
CONCEPTS
DEMO

4. • C4J
• Senior Java Web Developer, Java Coach, Information Security
• JSR-375
• Java EE Security API Expert group member
• Java EE Believer
@rdebusscher
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
W H O A M I
RUDY DE BUSSCHER

5. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
W H Y U P D A T E ?

6. W H Y A N E W J S R ?
• Java EE Security is viewed as not portable,
abstract/confusing, antiquated
• Doesn't fit cloud app developer paradigm:
requires app server configuration

7. T E R M I N O L O G Y ?
• What is that "something" where identities are
stored?
• realm (Tomcat, some hints in Servlet spec)
• (auth) repository
• (auth) store
• login module (JAAS)
• identity manager (Undertow)
• authenticator (Resin, OmniSecurity, Seam security)
• authentication provider (Spring Security)
• Identity provider

8. J A V A E E S E C U R I T Y
• No JSR exists to address security overall
• Each JSR has his 'own' way
• They look at each other, but ...

9. So what is standardised?

10. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
W H Y U P D A T E ?

11. J A S P I C
Java Authentication Service
Provider Interface for
Containers
• Java EE 6
• For custom logic
• BASIC/FORM/DIGEST
• Low Level (per request)
• Verbose

13. Java Authorization
Service Provider
Contract for Containers
J A C C
• J2EE 1.4 ERA
• C.O.M.P.L.E.X.I.T.Y
• Application Server Wide
• No Role Mapping specified

14. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
G O A L S

15. J S R - 3 7 5
• EG discussions started March 2015
• EG Members
• EE API veterans: many JSRs, many years struggling with
Security API
• 3rd party security framework creators/developers
• EE platform security implementers
• October 2016
• EG Updated, switch Spec Lead

16. G O A L S
• Plug the portability holes
• Modernize
• Context Dependency Injection (CDI)
• Intercept at Access Enforcement Points: POJO methods
• Expression Language (EL)
• Enable Access Enforcement Points with complex rules
• App Developer Friendly
• Common security configurations not requiring server changes
• Annotation defaults not requiring XML

17. I D E A S
• Terminology
• API for Authentication Mechanism
• API for Identity Store
• API for Security Context
• API for Password Aliasing
• API for Role/Permission Assignment
• API for Authorization Interceptors
• + ...
JAVA EE 8
JAVA EE 9

18. S O T E R I A
• In Greek mythology, Soteria was the goddess of
safety and salvation.
• RI of JSR-375
• Should work on Java EE 7
• WildFly 10+
• Payara 4.1.1.161+
• TomEE 7.0.2+
• WebSphere Liberty 2016.9+

19. JASPIC JACC
SOTERIA
U S I N G
Existing blocks for authentication and authorization

20. OR SHOULD I PUT THE SAFE HARBOUR TEXT ...

21. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S

22. H T T P A U T H E N T I C A T I O N M E C H A N I S M
• How are credentials retrieved
• BASIC
• FORM
• classic j_security_check, ...
• CustomForm
• programmatic
• Custom
• For JAX-RS endpoints, ...

23. @CustomFormAuthenticationMechanismDefinition(
loginToContinue = @LoginToContinue(
loginPage="/login.xhtml",
errorPage=""
)
)

24. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S

25. I D E N T I T Y S T O R E
• Verify credentials
• LDAP
• DATABASE
• with configurable queries
• EMBEDDED
• Easy for testing with hardcoded values
• Custom
• Whatever your need is

26. @LdapIdentityStoreDefinition(
url = "ldap://localhost:33389/",
baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
password = "changeOnInstall",
searchBase = "dc=jsr375,dc=net",
searchExpression = "(&(uid=%s)(objectClass=person))",
groupBaseDn = "ou=group,dc=jsr375,dc=net"
)

27. C D I
• Context and Dependency Injection
concepts used for many artefacts.
• Extension to read the annotations and create
required beans.

28. • CDI -> beans.xml
• HttpAuthenticationMechanism
required to activate Soteria

29. Demo
BASIC
IN MEMORY

30. Demo
FORM IN JSF
WITH LDAP

31. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S

32. T R I P L E A
• Authentication
• Verifying that a user is who she says she is.
• Authorisation
• He can execute the allowed actions within their privilege.
• Accounting
• Audit

33. M U L T I S T O R E
• Authentication / Authorisation
• From multiple sources!
• Examples
• Scenario 1
• Authentication : LDAP
• Authorisation : Database

34. M U L T I S T O R E ( 2 )
• Scenario 2
• Authentication : OAuth2
• Authentication : Limited to certain email Domain
• Authorization : ...
• Scenario 3
• Authentication : ...
• Authorisation : Database
• Authorisation (In Test) : Extra roles/permissions

35. I D E N T I T Y S T O R E H A N D L E R
• IdentityStoreHandler
• Handles multiple defined Identity Stores
• ValidationType on IdentityStore
• BOTH
• AUTHENTICATION
• AUTHORIZATION

36. @LdapIdentityStoreDefinition(
url = "ldap://localhost:33389/",
baseDn = "uid=ldap,ou=apps,dc=jsr375,dc=net",
password = "changeOnInstall",
searchBase = "dc=jsr375,dc=net",
searchExpression = "(&(uid=%s)(objectClass=person))",
groupBaseDn = "ou=group,dc=jsr375,dc=net",
authenticateOnly = true
)

37. Demo
MULTI STORE

38. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S

39. E X T E N S I B I L I T Y
interface HttpAuthenticationMechanism
interface IdentityStore
interface IdentityStoreHandler

40. • Why Update?
• What is available?
• JSR-375
• Concepts
• Authentication Mechanism
• IdentityStore
• Authentication - Authorization
• Custom integration
• Security Context
C O N C E P T S

41. S E C U R I T Y C O N T E X T
Security
Context
Authentication
Mechanism
Identity
Store
Principal
Info for
Request
Authorization
Interceptors
U S E S D A T A

42. Project page
The starting point to all resources
https://java.net/projects/javaee-security-spec
Users List
Subscribe and contribute
users@javaee-security-spec.java.net
Github Soteria repository
Fork and play!
https://github.com/javaee-security-spec/soteria
G E T I N V O L V E D

43. Q & A