The Definitive Guide to Security in Jakarta EE: Securing Java-based Enterprise Applications with Jakarta Security, Authorization, Authentication and More
Refer to this definitive and authoritative book to understand the Jakarta EE Security Spec, with Jakarta Authentication & Authorization as its underlying official foundation. Jakarta EE Security implementations are discussed, such as Soteria and Open Liberty, along with the built-in modules and...
| Other Authors: | , , |
|---|---|
| Format: | Electronic book |
| Language: | English |
| Published: | New York, New York : Apress L. P., [2022] |
| Edition: | [First edition] |
| Subjects: | |
| View at Universitat Ramon Llull Library: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009657416506719 |

Table of Contents:
- Intro
- Table of Contents
- About the Authors
- About the Technical Reviewer
- Chapter 1: Security History
- The Beginning
- Enter Jakarta EE
- Enter Jakarta Authorization
- Enter Jakarta Authentication
- Foreshadowing Shiro Part I - IL DRBAC
- Enter Spring Security
- Where is Jakarta Authentication? Enter JAuth
- Foreshadowing Shiro Part II - JSecurity
- Jakarta Authentication - Edging closer
- Jakarta Authentication - Finally in Jakarta EE
- Enter OmniSecurity
- Enter Jakarta Security
- Chapter 2: Jakarta EE Foundations
- Physical Security
- Technological Security
- Application Security
- OS Security
- Network Security
- Policies and Procedures
- Key Principles of Security
- Features of a Security Mechanism
- Distributed Multitiered Applications
- Single-Tier vs. Multitiered Applications
- The Jakarta EE Approach
- Security in Jakarta EE
- Simple Application Security Walkthrough
- Looking Ahead
- Authentication
- Something You Know
- Something You Have
- Something You Are
- Latest Trends in Authentication Methods
- Authentication Examples in Practice
- Authenticating Users Programmatically
- Authorization
- Access Control Lists
- Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- RBAC (Role-Based Access Control)
- Benefits of RBAC
- RBAC - Key Principles
- RBAC in Jakarta EE
- Users, Groups, and Roles
- What Is a User?
- What Is a Group?
- What Is a Role?
- Digital Certificates
- What Is a Digital Certificate
- Introduction to TLS
- Who Can Issue Certificates?
- Self-Signing a Certificate
- Certificate Authority
- Looking Ahead
- Authentication Mechanisms
- What Is an Authentication Mechanism?
- What Does an Authentication Mechanism Specify?
- Jakarta EE Authentication Mechanisms
- Basic Authentication
- What Is
- How It Works
- How to Configure It
- Form-Based Authentication
- What Is
- How It Works
- How to Configure It
- Digest Authentication
- What Is
- How It Works
- How to Configure It
- Client Authentication
- What Is
- How It Works
- How to Configure It
- Custom Form Authentication
- What Is
- How to Define It
- Identity Stores
- What Is an Identity Store?
- What Is the Purpose of an Identity Store?
- Identity Store and Jakarta EE
- IdentityStore - Theory of Operation
- Validating Credentials
- Retrieving Caller Information
- Declaring Capabilities
- How to Validate a User Credential
- Looking Ahead
- Chapter 3: Jakarta Authentication
- What Is Jakarta Authentication?
- Jakarta Authentication in Jakarta EE
- The Authentication Mechanism
- The Basic Authentication Mechanism
- The Form Authentication Mechanism
- Jakarta Authentication's ServerAuthModule
- Example ServerAuthModule
- Example ServerAuthModule - GlassFish
- Example ServerAuthModule - Tomcat
- Example ServerAuthModule - Basic
- Example ServerAuthModule - Basic with Container Identity Store
- Obtaining Key Stores and Trust Stores
- Semi-auto Register Session
- Creating a Session
- Continuing a Session
- Using a Custom Principal
- Wrapping the Request and Response
- The Message Policy
- The AuthConfigProvider
- Case Study - Implementation-Specific Identity Stores
- Tomcat
- Jetty
- Undertow
- JBoss EAP/WildFly
- Resin
- GlassFish
- Open Liberty
- WebLogic
- Chapter 4: Jakarta Authorization
- What Is Jakarta Authorization?
- Jakarta Authorization in Jakarta EE
- Java SE Types Used
- java.security.CodeSource
- java.security.ProtectionDomain
- java.security.Policy
- java.security.PermissionCollection
- The Authorization Module
- PolicyConfigurationFactory
- PolicyConfiguration
- Collecting and Managing Permissions
- A State Machine That Controls the Life Cycle of This Permission Collector
- Linking Permissions of Multiple Modules and Utilities
- Processing Permissions After Collecting
- Policy
- Transforming Security Constraints to Permissions
- Authorization Queries
- Get All Users Roles
- Has Access
- Role Mapping
- Alternative Mappings
- Groups to Permission Mapping
- Principal to Permission Mapping
- Chapter 5: Jakarta Security
- What Is Jakarta Security?
- Jakarta Security in Jakarta EE
- The HttpAuthenticationMechanism
- Example HttpAuthenticationMechanism
- Example IdentityStore
- Security Flow
- Default Authentication Mechanisms
- The Basic Authentication Mechanism
- The Form Authentication Mechanism
- The Custom Form Authentication Mechanism
- Providing Our Custom Jakarta Faces Code
- Caller-Initiated Authentication
- Default Identity Stores
- The Database Identity Store
- The LDAP Identity Store
- Identity Stores Using Application Services
- Authentication Mechanism Interceptors
- Auto Apply Session
- Remember Me
- Activating Remember-Me Service
- Logging Out
- Custom Principals
- Jakarta Security and Tomcat
- Simplified Custom Authorization Rules
- Dynamically Adding an Interceptor to a Built-in CDI Bean
- Chapter 6: Java SE Underpinnings
- Java Authentication and Authorization Service (JAAS)
- Common Classes
- Subject
- Key Features
- Retrieving a Subject
- Principals
- Retrieving Principals Associated with a Subject
- Credentials
- JAAS Authentication
- LoginContext
- Key Features
- Theory of Operation
- Parameters Explained
- LoginModule
- Key Features
- How to Implement a LoginModule
- initialize()
- login()
- commit()
- CallBackHandler
- Configuration
- Parameters Explained
- How to Run the JAAS Authentication Example
- JAAS Authorization
- JAAS Authorization in Three Steps
- The Policy File
- Runtime Configuration
- Performing Restricted Actions As an Authenticated Subject
- Introduction to Cryptography
- Key Concepts in Cryptography
- Two Basic Encryption Methods
- Symmetric Encryption
- Key Characteristics
- Asymmetric Encryption
- Key Characteristics
- Symmetric vs. Asymmetric Encryption
- X.509 Digital Certificates
- Key Features of an X.509 Certificate
- Common Applications of X.509
- Key Pairs and Signatures
- Certificate File Name Extensions
- Certificate Chains
- What Is a Certificate Chain?
- How It Works
- Properties
- Anatomy of an X.509 Certificate
- Sample Certificate
- How to Generate, Manage, and Sign X.509 Certificates
- Programmatically
- Keytool As a Certificate Life Cycle Management Tool
- Background for the Code Examples
- Generating Key Pair
- Publishing Your Public Key
- Importing Certificate
- Digital Signature
- Loading Private Key
- Initiating Signature
- Updating the Signature with the Message Bytes
- Saving the Signature into a File
- Verifying a Digital Signature
- JCE Providers
- The Need for JCE Providers
- Available JCE Providers
- Bundled with the JDK
- Write a Custom Provider Yourself
- External JCE Providers
- IAIK-JCE
- Key Features[11]
- Less Popular JCE Providers
- Bouncy Castle
- How to Install a JCE Provider
- How JCE Providers Work
- How to Encrypt with Cipher Class
- Cipher Instantiation
- Cipher Initialization
- Performing Encryption and Decryption
- Asymmetric Encryption
- Bouncy Castle
- Architecture of Bouncy Castle
- Creating a Cipher
- Using the JCE Like
- Using the Lightweight API
- Asymmetric Encryption
- Key Generation and Key Agreement (Public Key Infrastructure (PKI)) and Message Authentication Code
- How PKI Works
- Key Generation
- Generating Symmetric Keys
- Generating Asymmetric Keys
- Elliptic Curve Cryptography
- What Is Elliptic Curve Cryptography?
- What Is ECC Used For?
- Advantages
- How Secure Is It?
- How Is ECC Different from RSA?
- What Is an Elliptic Curve Digital Signature?
- Key Agreement
- In Action
- Message Authentication Codes
- MessageDigests and Hash Functions
- How to Compute Secure Hash Functions
- The Need for MACs
- How MAC Works
- Two Types of MAC
- Best Practices on MACs
- PKI Conclusions
- TLS in Java and TLS 1.3
- What Is TLS
- Why TLS Is Important
- Benefits of TLS 1.3
- How TLS Works
- Tools and Algorithms That Can Be Used
- TLS Protocol Details
- The Record Protocol
- Handshake
- TLS in Java
- JSSE API
- Obtaining an SSLSocketFactory
- Obtaining an SSLSocket
- In Action
- Takeaways on TLS
- Java SE Underpinnings Outro
- References
- Appendix 1. Commonly Used AuthPermissions in JAAS
- Appendix 2. Supported Algorithms Provided by SunJCE (Bundled JCE Provider)
- Appendix 3. Supported Algorithms by Bouncy Castle
- Chapter 7: Jakarta EE Implementations
- Overview
- Specification Usage
- Contribution Activity
- Implementation Usage
- Implementation Components
- GlassFish
- Authentication
- Passwords
- Master Password and Keystores
- Understanding Master Password Synchronization
- Default Master Password
- Saving the Master Password to a File
- Using the Master Password Creating a Domain
- Administration Password
- Encoded Passwords
- Web Browsers and Password Storage
- Authentication Realms
- Create an Authentication Realm
- List Authentication Realms
- Update an Authentication Realm
- Delete an Authentication Realm
- Exousia
- Configuring Exousia in GlassFish
- Manage Authorization Providers from the Admin Console
- Manage Authorization Providers from the Command Line
- Using Exousia with Tomcat
- Soteria
- A Very Brief History
- Authentication Mechanisms