The definitive guide to security in Jakarta EE : securing Java-based enterprise applications with Jakarta security, authorization, authentication and more / Arjan Tijms, Teo Bais, Werner Keil.

Format:

Book

Author/Creator:

Tijms, Arjan, author.

Bais, Teo, author.

Keil, Werner, author.

Language:

English

Subjects (All):

Java (Computer program language).

Computer security.

Cloud computing.

Application software--Development.

Application software.

Physical Description:

1 online resource (652 pages) : color illustrations

Edition:

[First edition].

Place of Publication:

New York, New York : Apress L. P., [2022]

Summary:

Refer to this definitive and authoritative book to understand the Jakarta EE Security Spec, with Jakarta Authentication & Authorization as its underlying official foundation. Jakarta EE Security implementations are discussed, such as Soteria and Open Liberty, along with the build-in modules and Jakarta EE Security third-party modules, such as Payara Yubikey & OIDC, and OmniFaces JWT-Auth. The book discusses Jakarta EE Security in relation to SE underpinnings and provides a detailed explanation of how client-cert authentication over HTTPS takes place, how certifications work, and how LDAP-like names are mapped to caller/user names. General (web) security best practices are presented, such as not storing passwords in plaintext, using HTTPS, sanitizing inputs to DB queries, encoding output, and explanations of various (web) attacks and common vulnerabilities are included. Practical examples of securing applications discuss common needs such as letting users explicitly log in, sign up, verify email safely, explicitly log in to access protected pages, and go direct to the log in page. Common issues are covered such as abandoning an authentication dialog halfway and later accessing protected pages again. What You Will Learn Know what Jakarta/Java EE security includes and how to get started learning and using this technology for today's and tomorrow's enterprise Java applications Secure applications: traditional server-side web apps built with JSF (Faces) as well as applications based on client-side frameworks (such as Angular) and JAX-RS Work with the daunting number of security APIs in Jakarta EE Understand how EE security evolved Who This Book Is For Java developers using Jakarta EE and writing applications that need to be secured (every application). Basic knowledge of Servlets and CDI is assumed. Library writers and component providers who wish to provide additional authentication mechanisms for Jakarta EE also will find the book useful.

Contents:

Intro

Table of Contents

About the Authors

About the Technical Reviewer

Chapter 1: Security History

The Beginning

Enter Jakarta EE

Enter Jakarta Authorization

Enter Jakarta Authentication

Foreshadowing Shiro Part I - IL DRBAC

Enter Spring Security

Where is Jakarta Authentication? Enter JAuth

Foreshadowing Shiro Part II - JSecurity

Jakarta Authentication - Edging closer

Jakarta Authentication - Finally in Jakarta EE

Enter OmniSecurity

Enter Jakarta Security

Chapter 2: Jakarta EE Foundations

Physical Security

Technological Security

Application Security

OS Security

Network Security

Policies and Procedures

Key Principles of Security

Features of a Security Mechanism

Distributed Multitiered Applications

Single-Tier vs. Multitiered Applications

The Jakarta EE Approach

Security in Jakarta EE

Simple Application Security Walkthrough

Looking Ahead

Authentication

Something You Know

Something You Have

Something You Are

Latest Trends in Authentication Methods

Authentication Examples in Practice

Authenticating Users Programmatically

Authorization

Access Control Lists

Access Control Models

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

RBAC (Role-Based Access Control)

Benefits of RBAC

RBAC - Key Principles

RBAC in Jakarta EE

Users, Groups, and Roles

What Is a User?

What Is a Group?

What Is a Role?

Digital Certificates

What Is a Digital Certificate

Introduction to TLS

Who Can Issue Certificates?

Self-Signing a Certificate

Certificate Authority

Authentication Mechanisms

What Is an Authentication Mechanism?

What Does an Authentication Mechanism Specify?

Jakarta EE Authentication Mechanisms

Basic Authentication.

What Is

How It Works

How to Configure It

Form-Based Authentication

What Is

Digest Authentication

Client Authentication

Custom Form Authentication

How to Define It

Identity Stores

What Is an Identity Store?

What Is the Purpose of an Identity Store?

Identity Store and Jakarta EE

IdentityStore - Theory of Operation

Validating Credentials

Retrieving Caller Information

Declaring Capabilities

How to Validate a User Credential

Chapter 3: Jakarta Authentication

What Is Jakarta Authentication?

Jakarta Authentication in Jakarta EE

The Authentication Mechanism

The Basic Authentication Mechanism

The Form Authentication Mechanism

Jakarta Authentication's ServerAuthModule

Example ServerAuthModule

Example ServerAuthModule - GlassFish

Example ServerAuthModule - Tomcat

Example ServerAuthModule - Basic

Example ServerAuthModule - Basic with Container Identity Store

Obtaining Key Stores and Trust Stores

Semi-auto Register Session

Creating a Session

Continuing a Session

Using a Custom Principal

Wrapping the Request and Response

The Message Policy

The AuthConfigProvider

Case Study - Implementation-Specific Identity Stores

Tomcat

Jetty

Undertow

JBoss EAP/WildFly

Resin

GlassFish

Open Liberty

WebLogic

Chapter 4: Jakarta Authorization

What Is Jakarta Authorization?

Jakarta Authorization in Jakarta EE

Java SE Types Used

java.security.CodeSource

java.security.ProtectionDomain

java.security.Policy

java.security.PermissionCollection

The Authorization Module

PolicyConfigurationFactory

PolicyConfiguration

Collecting and Managing Permissions.

A State Machine That Controls the Life Cycle of This Permission Collector

Linking Permissions of Multiple Modules and Utilities

Processing Permissions After Collecting

Policy

Transforming Security Constraints to Permissions

Authorization Queries

Get All Users Roles

Has Access

Role Mapping

Alternative Mappings

Groups to Permission Mapping

Principal to Permission Mapping

Chapter 5: Jakarta Security

What Is Jakarta Security?

Jakarta Security in Jakarta EE

The HttpAuthenticationMechanism

Example HttpAuthenticationMechanism

Example IdentityStore

Security Flow

Default Authentication Mechanisms

The Custom Form Authentication Mechanism

Providing Our Custom Jakarta Faces Code

Caller-Initiated Authentication

Default Identity Stores

The Database Identity Store

The LDAP Identity Store

Identity Stores Using Application Services

Authentication Mechanism Interceptors

Auto Apply Session

Remember Me

Activating Remember-Me Service

Logging Out

Custom Principals

Jakarta Security and Tomcat

Simplified Custom Authorization Rules

Dynamically Adding an Interceptor to a Built-in CDI Bean

Chapter 6: Java SE Underpinnings

Java Authentication and Authorization Service (JAAS)

Common Classes

Subject

Key Features

Retrieving a Subject

Principals

Retrieving Principals Associated with a Subject

Credentials

JAAS Authentication

LoginContext

Theory of Operation

Parameters Explained

LoginModule

How to Implement a LoginModule

initialize()

login()

commit()

CallBackHandler

Configuration

How to Run the JAAS Authentication Example

JAAS Authorization

JAAS Authorization in Three Steps.

The Policy File

Runtime Configuration

Performing Restricted Actions As an Authenticated Subject

Introduction to Cryptography

Key Concepts in Cryptography

Two Basic Encryption Methods

Symmetric Encryption

Key Characteristics

Asymmetric Encryption

Symmetric vs. Asymmetric Encryption

X.509 Digital Certificates

Key Features of an X.509 Certificate

Common Applications of X.509

Key Pairs and Signatures

Certificate File Name Extensions

Certificate Chains

What Is a Certificate Chain?

Properties

Anatomy of an X.509 Certificate

Sample Certificate

How to Generate, Manage, and Sign X.509 Certificates

Programmatically

Keytool As a Certificate Life Cycle Management Tool

Background for the Code Examples

Generating Key Pair

Publishing Your Public Key

Importing Certificate

Digital Signature

Loading Private Key

Initiating Signature

Updating the Signature with the Message Bytes

Saving the Signature into a File

Verifying a Digital Signature

JCE Providers

The Need for JCE Providers

Available JCE Providers

Bundled with the JDK

Write a Custom Provider Yourself

External JCE Providers

IAIK-JCE

Key Features[11]

Less Popular JCE Providers

Bouncy Castle

How to Install a JCE Provider

How JCE Providers Work

How to Encrypt with Cipher Class

Cipher Instantiation

Cipher Initialization

Performing Encryption and Decryption

Architecture of Bouncy Castle

Creating a Cipher

Using the JCE Like

Using the Lightweight API

Key Generation and Key Agreement (Public Key Infrastructure (PKI)) and Message Authentication Code

How PKI Works

Key Generation

Generating Symmetric Keys

Generating Asymmetric Keys.

Elliptic Curve Cryptography

What Is Elliptic Curve Cryptography?

What Is ECC Used For?

Advantages

How Secure Is It?

How Is ECC Different from RSA?

What Is an Elliptic Curve Digital Signature?

Key Agreement

In Action

Message Authentication Codes

MessageDigests and Hash Functions

How to Compute Secure Hash Functions

The Need for MACs

How MAC Works

Two Types of MAC

Best Practices on MACs

PKI Conclusions

TLS in Java and TLS 1.3

What Is TLS

Why TLS Is Important

Benefits of TLS 1.3

How TLS Works

Tools and Algorithms That Can Be Used

TLS Protocol Details

The Record Protocol

Handshake

TLS in Java

JSSE API

Obtaining an SSLSocketFactory

Obtaining an SSLSocket

Takeaways on TLS

Java SE Underpinnings Outro

References

Appendix 1. Commonly Used AuthPermissions in JAAS

Appendix 2. Supported Algorithms Provided by SunJCE (Bundled JCE Provider)

Appendix 3. Supported Algorithms by Bouncy Castle

Chapter 7: Jakarta EE Implementations

Overview

Specification Usage

Contribution Activity

Implementation Usage

Implementation Components

Passwords

Master Password and Keystores

Understanding Master Password Synchronization

Default Master Password

Saving the Master Password to a File

Using the Master Password Creating a Domain

Administration Password

Encoded Passwords

Web Browsers and Password Storage

Authentication Realms

Create an Authentication Realm

List Authentication Realms

Update an Authentication Realm

Delete an Authentication Realm

Exousia

Configuring Exousia in GlassFish

Manage Authorization Providers from the Admin Console

Manage Authorization Providers from the Command Line

Using Exousia with Tomcat

Soteria

A Very Brief History.

Authentication Mechanisms.

Notes:

Includes index.

Description based on print version record.

Other Format:

Print version: Tijms, Arjan The Definitive Guide to Security in Jakarta EE

ISBN:

9781484279458

148427945X

OCLC:

1311402417