Definitive Guide to Security in Jakarta EE - Securing Java-based Enterprise Applications with Jakarta Security, Authorization, Authentication and More

Introduction
============

Refer to this definitive and authoritative book to understand the Jakarta EE Security Spec, with Jakarta Authentication & Authorization as its underlying official foundation. Jakarta EE Security implementations are discussed, such as Soteria and Open Liberty, along with the built-in modules and Jakarta EE Security third-party modules, such as Payara Yubikey & OIDC, and OmniFaces JWT-Auth.

The book discusses Jakarta EE Security in relation to its SE underpinnings and provides a detailed explanation of how client-cert authentication over HTTPS takes place, how certifications work, and how LDAP-like names are mapped to caller/user names. General (web) security best practices are presented, such as not storing passwords in plaintext, using HTTPS, sanitizing inputs to DB queries, and encoding output, and explanations of various (web) attacks and common vulnerabilities are included.

Practical examples of securing applications discuss common needs such as letting users explicitly log in, sign up, verify email safely, explicitly log in to access protected pages, and go directly to the login page. Common issues are covered, such as abandoning an authentication dialog halfway and later accessing protected pages again.

What You Will Learn
===================

- Know what Jakarta/Java EE security includes and how to get started learning and using this technology for today's and tomorrow's enterprise Java applications
- Secure applications: traditional server-side web apps built with JSF (Faces) as well as applications based on client-side frameworks (such as Angular) and JAX-RS
- Work with the daunting number of security APIs in Jakarta EE
- Understand how EE security evolved

About the authors
=================

Arjan Tijms was a JSF (JSR 372) and Security API (JSR 375) EG member, and is currently project lead for a number of Jakarta projects, including Jakarta Security, Authentication, Authorization, Faces, and Expression Language. He is the co-creator of the popular OmniFaces library for JSF, which was a 2015 Duke's Choice Award winner, and is the author of two books: The Definitive Guide to JSF and Pro CDI 2 in Java EE 8. Arjan holds an MSc degree in computer science from the University of Leiden, The Netherlands. He has been involved with Jakarta EE Security since 2010, has created a set of tests that most well-known vendors (IBM, Oracle, Red Hat) use to improve their offerings, was part of the JSR 375 (EE Security) EG, and has been the main architect of the security API and its initial RI implementation, Soteria. Arjan has also written and certified the MicroProfile JWT implementation for Payara. He was mentored by Sun's (later Oracle's) security expert Ron Monzillo. He wrote a large series of blog posts about EE Security that have attracted a lot of views.

Werner Keil is a cloud architect, Eclipse RCP, and microservice expert for a large bank. He helps Global 500 enterprises across industries and leading IT vendors. He worked for over 30 years as an IT manager, PM, coach, and SW architect and consultant for the finance, mobile, media, transport, and public sectors. Werner develops enterprise systems using Java, Java/Jakarta EE, Oracle, IBM, Spring or Microsoft technologies, JavaScript, Node, Angular, and dynamic or functional languages. He is a Committer at the Apache Foundation and the Eclipse Foundation, a Babel Language Champion, UOMo Project Lead, and an active member of the Java Community Process in JSRs such as 321 (Trusted Java), 344 (JSF 2.2), 354 (Money, also Maintenance Lead), 358/364 (JCP.next), 362 (Portlet 3), 363 (Unit-API 1), 365 (CDI 2), 366 (Java EE 8), 375 (Java EE Security), 380 (Bean Validation 2), and 385 (Unit-API 2, also Spec Lead), and was the longest-serving Individual Member of the Executive Committee for nine years in a row until 2017. Werner is currently the Community representative in the Jakarta EE Specification Committee. He was among the first five Jakarta EE Ambassadors when it was founded as Java EE Guardians, and is a member of its Leadership Council.

Teo Bais is a Software Development Manager, Scrum Master, and Programmer who contributes to the prosperity of the (software) community in several ways. He is the founder and leader of the Utrecht Java User Group, which counts over 2600 members and has hosted over 45 events and amazing speakers (among others, James Gosling, Uncle Bob, and over 20 Java Champions), and is running 3 programs: Devoxx4kids, Speaker Incubator, and uJCP. Teo served JSR-385 (JSR of the Year 2019) as an EG Member and was nominated as JCP Participant of the Year in 2019. Teo Bais enjoys sharing his knowledge as a public speaker to help others achieve their goals in career and life.

Author(s): Arjan Tijms, Teo Bais, Werner Keil
Edition: 1
Publisher: Springer
Year: 2022

Language: English
Pages: 638
Tags: java18 java17 openjdk EE4J oracle full-stack jakarta web apps backend security java eclipse netbeans

Table of Contents
About the Authors
About the Technical Reviewer
Chapter 1: Security History
The Beginning
Enter Jakarta EE
Enter Jakarta Authorization
Enter Jakarta Authentication
Foreshadowing Shiro Part I - IL DRBAC
Enter Spring Security
Where is Jakarta Authentication? Enter JAuth
Foreshadowing Shiro Part II - JSecurity
Jakarta Authentication - Edging closer
Jakarta Authentication - Finally in Jakarta EE
Enter OmniSecurity
Enter Jakarta Security
Chapter 2: Jakarta EE Foundations
Physical Security
Technological Security
Application Security
OS Security
Network Security
Policies and Procedures
Key Principles of Security
Features of a Security Mechanism
Distributed Multitiered Applications
Single-Tier vs. Multitiered Applications
The Jakarta EE Approach
Security in Jakarta EE
Simple Application Security Walkthrough
Looking Ahead
Authentication
Something You Know
Something You Have
Something You Are
Latest Trends in Authentication Methods
Authentication Examples in Practice
Authenticating Users Programmatically
Authorization
Access Control Lists
Access Control Models
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
RBAC (Role-Based Access Control)
Benefits of RBAC
RBAC – Key Principles
RBAC in Jakarta EE
Users, Groups, and Roles
What Is a User?
What Is a Group?
What Is a Role?
Digital Certificates
What Is a Digital Certificate
Introduction to TLS
Who Can Issue Certificates?
Self-Signing a Certificate
Certificate Authority
Looking Ahead
Authentication Mechanisms
What Is an Authentication Mechanism?
What Does an Authentication Mechanism Specify?
Jakarta EE Authentication Mechanisms
Basic Authentication
What Is
How It Works
How to Configure It
Form-Based Authentication
What Is
How It Works
How to Configure It
Digest Authentication
What Is
How It Works
How to Configure It
Client Authentication
What Is
How It Works
How to Configure It
Custom Form Authentication
What Is
How to Define It
Identity Stores
What Is an Identity Store?
What Is the Purpose of an Identity Store?
Identity Store and Jakarta EE
IdentityStore – Theory of Operation
Validating Credentials
Retrieving Caller Information
Declaring Capabilities
How to Validate a User Credential
Looking Ahead
Chapter 3: Jakarta Authentication
What Is Jakarta Authentication?
Jakarta Authentication in Jakarta EE
The Authentication Mechanism
The Basic Authentication Mechanism
The Form Authentication Mechanism
Jakarta Authentication’s ServerAuthModule
Example ServerAuthModule
Example ServerAuthModule – GlassFish
Example ServerAuthModule – Tomcat
Example ServerAuthModule – Basic
Example ServerAuthModule – Basic with Container Identity Store
Obtaining Key Stores and Trust Stores
Semi-auto Register Session
Creating a Session
Continuing a Session
Using a Custom Principal
Wrapping the Request and Response
The Message Policy
The AuthConfigProvider
Case Study – Implementation-Specific Identity Stores
Tomcat
Jetty
Undertow
JBoss EAP/WildFly
Resin
GlassFish
Open Liberty
WebLogic
Chapter 4: Jakarta Authorization
What Is Jakarta Authorization?
Jakarta Authorization in Jakarta EE
Java SE Types Used
java.security.CodeSource
java.security.ProtectionDomain
java.security.Policy
java.security.PermissionCollection
The Authorization Module
PolicyConfigurationFactory
PolicyConfiguration
Collecting and Managing Permissions
A State Machine That Controls the Life Cycle of This Permission Collector
Linking Permissions of Multiple Modules and Utilities
Processing Permissions After Collecting
Policy
Transforming Security Constraints to Permissions
Authorization Queries
Get All Users Roles
Has Access
Role Mapping
Alternative Mappings
Groups to Permission Mapping
Principal to Permission Mapping
Chapter 5: Jakarta Security
What Is Jakarta Security?
Jakarta Security in Jakarta EE
The HttpAuthenticationMechanism
Example HttpAuthenticationMechanism
Example IdentityStore
Security Flow
Default Authentication Mechanisms
The Basic Authentication Mechanism
The Form Authentication Mechanism
The Custom Form Authentication Mechanism
Providing Our Custom Jakarta Faces Code
Caller-Initiated Authentication
Default Identity Stores
The Database Identity Store
The LDAP Identity Store
Identity Stores Using Application Services
Authentication Mechanism Interceptors
Auto Apply Session
Remember Me
Activating Remember-Me Service
Logging Out
Custom Principals
Jakarta Security and Tomcat
Simplified Custom Authorization Rules
Dynamically Adding an Interceptor to a Built-in CDI Bean
Chapter 6: Java SE Underpinnings
Java Authentication and Authorization Service (JAAS)
Common Classes
Subject
Key Features
Retrieving a Subject
Principals
Retrieving Principals Associated with a Subject
Credentials
JAAS Authentication
LoginContext
Key Features
Theory of Operation
Parameters Explained
LoginModule
Key Features
How to Implement a LoginModule
initialize()
login()
commit()
CallBackHandler
Configuration
Parameters Explained
How to Run the JAAS Authentication Example
JAAS Authorization
JAAS Authorization in Three Steps
The Policy File
Runtime Configuration
Performing Restricted Actions As an Authenticated Subject
Introduction to Cryptography
Key Concepts in Cryptography
Two Basic Encryption Methods
Symmetric Encryption
Key Characteristics
Asymmetric Encryption
Key Characteristics
Symmetric vs. Asymmetric Encryption
X.509 Digital Certificates
Key Features of an X.509 Certificate
Common Applications of X.509
Key Pairs and Signatures
Certificate File Name Extensions
Certificate Chains
What Is a Certificate Chain?
How It Works
Properties
Anatomy of an X.509 Certificate
Sample Certificate
How to Generate, Manage, and Sign X.509 Certificates
Programmatically
Keytool As a Certificate Life Cycle Management Tool
Background for the Code Examples
Generating Key Pair
Publishing Your Public Key
Importing Certificate
Digital Signature
Loading Private Key
Initiating Signature
Updating the Signature with the Message Bytes
Saving the Signature into a File
Verifying a Digital Signature
JCE Providers
The Need for JCE Providers
Available JCE Providers
Bundled with the JDK
Write a Custom Provider Yourself
External JCE Providers
IAIK-JCE
Key Features[11]
Less Popular JCE Providers
Bouncy Castle
How to Install a JCE Provider
How JCE Providers Work
How to Encrypt with Cipher Class
Cipher Instantiation
Cipher Initialization
Performing Encryption and Decryption
Asymmetric Encryption
Bouncy Castle
Architecture of Bouncy Castle
Creating a Cipher
Using the JCE Like
Using the Lightweight API
Asymmetric Encryption
Key Generation and Key Agreement (Public Key Infrastructure (PKI)) and Message Authentication Code
How PKI Works
Key Generation
Generating Symmetric Keys
Generating Asymmetric Keys
Elliptic Curve Cryptography
What Is Elliptic Curve Cryptography?
What Is ECC Used For?
Advantages
How Secure Is It?
How Is ECC Different from RSA?
What Is an Elliptic Curve Digital Signature?
Key Agreement
In Action
Message Authentication Codes
MessageDigests and Hash Functions
How to Compute Secure Hash Functions
The Need for MACs
How MAC Works
Two Types of MAC
Best Practices on MACs
PKI Conclusions
TLS in Java and TLS 1.3
What Is TLS
Why TLS Is Important
Benefits of TLS 1.3
How TLS Works
Tools and Algorithms That Can Be Used
TLS Protocol Details
The Record Protocol
Handshake
TLS in Java
JSSE API
Obtaining an SSLSocketFactory
Obtaining an SSLSocket
In Action
Takeaways on TLS
Java SE Underpinnings Outro
References
Appendix 1. Commonly Used AuthPermissions in JAAS
Appendix 2. Supported Algorithms Provided by SunJCE (Bundled JCE Provider)
Appendix 3. Supported Algorithms by Bouncy Castle
Chapter 7: Jakarta EE Implementations
Overview
Specification Usage
Contribution Activity
Implementation Usage
Implementation Components
GlassFish
Authentication
Passwords
Master Password and Keystores
Understanding Master Password Synchronization
Default Master Password
Saving the Master Password to a File
Using the Master Password Creating a Domain
Administration Password
Encoded Passwords
Web Browsers and Password Storage
Authentication Realms
Create an Authentication Realm
List Authentication Realms
Update an Authentication Realm
Delete an Authentication Realm
Exousia
Configuring Exousia in GlassFish
Manage Authorization Providers from the Admin Console
Manage Authorization Providers from the Command Line
Using Exousia with Tomcat
Soteria
A Very Brief History
Authentication Mechanisms
Supported Runtimes
Example Configuration
WildFly
Authentication
ServerAuthModule
Programmatic Configuration
Authorization
Creating a Custom Policy Provider
Security
Open Liberty/WebSphere Liberty
User Registry
LTPA keys
Disable LTPA Cookies for TAI
REST API Access Roles
Jakarta EE Security Packages Used
Develop Dependent Features
Example Application
Tomcat/TomEE
Authentication
Static Configuration
AuthConfigProvider
ServerAuthModule
Dynamic Configuration
Authorization
What Is a Realm?
Using tomcat-users.xml
Security
Chapter 8: MicroProfile JWT
What Is JWT?
Use Cases
Why Do We Need JWT?
How Does It Work?
JWT Structure
Header
Payload
“iss” (Issuer) Claim
“sub” (Subject) Claim
“aud” (Audience) Claim
“exp” (Expiration Time) Claim
“nbf” (Not Before) Claim
“iat” (Issued At) Claim
“jti” (JWT ID) Claim
Signature
The Trouble with HS256
Obtaining the Public Key
MicroProfile in Relation to Jakarta EE
MP-JWT As an Authentication Mechanism for Jakarta EE
Why Do We Need MicroProfile JWT?
Using JWT Bearer Tokens to Protect Services
Mapping MP-JWT Tokens to Jakarta EE Container APIs
CDI Injection Requirements
Injecting JsonWebToken
Injecting Claims As Raw, ClaimValue, or JSON-P Types
Jakarta REST Container API Integration
jakarta.ws.rs.core.SecurityContext.getUserPrincipal()
jakarta.ws.rs.core.SecurityContext#isUserInRole(String)
Using Jakarta Annotations
Other Jakarta EE Integration
Jakarta Security
Jakarta Authentication
Jakarta Enterprise Beans
Jakarta Servlet
Overriding @LoginConfig from web.xml login-config
jakarta.servlet.http.HttpServletRequest.getUserPrincipal()
jakarta.servlet.http.HttpServletRequest#isUserInRole(String)
Example Application
Role Handling
Running the Tests
Future Improvements
Conclusion
Appendix A: Spring Security
What Is Spring Security?
Brief History
Overview
Concepts
Authentication
Authorization
Servlet Filters
Components
ACL
CSRF Protection
Security Interceptor
Tag Library
User Details and Service
XML Namespace
Spring Security Reactive
Example Application
Servlet
Reactive
Comparison to Jakarta EE Security
Appendix B: Apache Shiro
What Is Shiro?
Brief History
Overview
Subject
SecurityManager
Realm
Features
Primary Features
Authentication
Steps to Authenticate a Subject
Collect the Subject’s submitted principals and credentials
Authorization
Permissions
Granularity
Users
Roles
Session Management
Cryptography
Simplicity
Cipher Features
Hash Features
Comparison to JAAS
Using Shiro with Jakarta EE
Servlets
Form-Based Authentication
Remember Me
Behavior on Session Expiration
Synchronous POST Without Remember Me
Synchronous POST with Remember Me
Asynchronous POST Without Remember Me
Asynchronous POST with Remember Me
Using a JSF Form
Programmatic Login
Programmatic Logout
Make Shiro JSF Ajax Aware
Configuring JDBC Realm
JPA Model and EJB Service
Register User
Hashing the Password
Using Shiro with Spring
Spring Security
Outlook
Appendix C: Identity Management
Java Identity API
A Very Brief History
Why Was It Needed?
Overview of Java Identity API
Usage of the Identity API
Lessons Learned from the Identity API
Keycloak
What Is Keycloak?
Brief History
Overview of Keycloak
Concepts
Authentication
Password Policies
Authentication Flow
Authorization
Credentials
Realm
Features
Clients
Events
User Federation
Using Keycloak with Jakarta EE
JSP
Jakarta REST
Using Keycloak with Spring
Spring Security
Shibboleth
What Is Shibboleth?
Origin of the Term
Brief History
Overview of Shibboleth
Interactions
Using Shibboleth with Jakarta EE
Summary
Index