
The definitive guide to security in Jakarta EE : securing Java-based enterprise applications with Jakarta security, authorization, authentication and more / / Arjan Tijms, Teo Bais, Werner Keil




Author: Tijms, Arjan
Title: The definitive guide to security in Jakarta EE : securing Java-based enterprise applications with Jakarta security, authorization, authentication and more / Arjan Tijms, Teo Bais, Werner Keil
Publication: New York, New York : Apress L. P., [2022]
©2022
Edition: [First edition].
Physical description: 1 online resource (652 pages) : color illustrations
Classification (Dewey): 005.8
Subject headings: Java (Computer program language)
Computer security
Cloud computing
Application software - Development
Secondary responsibility: Bais, Teo
Keil, Werner
General note: Includes index.
Bibliography note: Includes index.
Contents note: Intro -- Table of Contents -- About the Authors -- About the Technical Reviewer -- Chapter 1: Security History -- The Beginning -- Enter Jakarta EE -- Enter Jakarta Authorization -- Enter Jakarta Authentication -- Foreshadowing Shiro Part I - IL DRBAC -- Enter Spring Security -- Where is Jakarta Authentication? Enter JAuth -- Foreshadowing Shiro Part II - JSecurity -- Jakarta Authentication - Edging closer -- Jakarta Authentication - Finally in Jakarta EE -- Enter OmniSecurity -- Enter Jakarta Security -- Chapter 2: Jakarta EE Foundations -- Physical Security -- Technological Security -- Application Security -- OS Security -- Network Security -- Policies and Procedures -- Key Principles of Security -- Features of a Security Mechanism -- Distributed Multitiered Applications -- Single-Tier vs. Multitiered Applications -- The Jakarta EE Approach -- Security in Jakarta EE -- Simple Application Security Walkthrough -- Looking Ahead -- Authentication -- Something You Know -- Something You Have -- Something You Are -- Latest Trends in Authentication Methods -- Authentication Examples in Practice -- Authenticating Users Programmatically -- Authorization -- Access Control Lists -- Access Control Models -- Discretionary Access Control (DAC) -- Mandatory Access Control (MAC) -- Role-Based Access Control (RBAC) -- RBAC (Role-Based Access Control) -- Benefits of RBAC -- RBAC - Key Principles -- RBAC in Jakarta EE -- Users, Groups, and Roles -- What Is a User? -- What Is a Group? -- What Is a Role? -- Digital Certificates -- What Is a Digital Certificate -- Introduction to TLS -- Who Can Issue Certificates? -- Self-Signing a Certificate -- Certificate Authority -- Looking Ahead -- Authentication Mechanisms -- What Is an Authentication Mechanism? -- What Does an Authentication Mechanism Specify? -- Jakarta EE Authentication Mechanisms -- Basic Authentication.
What Is -- How It Works -- How to Configure It -- Form-Based Authentication -- What Is -- How It Works -- How to Configure It -- Digest Authentication -- What Is -- How It Works -- How to Configure It -- Client Authentication -- What Is -- How It Works -- How to Configure It -- Custom Form Authentication -- What Is -- How to Define It -- Identity Stores -- What Is an Identity Store? -- What Is the Purpose of an Identity Store? -- Identity Store and Jakarta EE -- IdentityStore - Theory of Operation -- Validating Credentials -- Retrieving Caller Information -- Declaring Capabilities -- How to Validate a User Credential -- Looking Ahead -- Chapter 3: Jakarta Authentication -- What Is Jakarta Authentication? -- Jakarta Authentication in Jakarta EE -- The Authentication Mechanism -- The Basic Authentication Mechanism -- The Form Authentication Mechanism -- Jakarta Authentication's ServerAuthModule -- Example ServerAuthModule -- Example ServerAuthModule - GlassFish -- Example ServerAuthModule - Tomcat -- Example ServerAuthModule - Basic -- Example ServerAuthModule - Basic with Container Identity Store -- Obtaining Key Stores and Trust Stores -- Semi-auto Register Session -- Creating a Session -- Continuing a Session -- Using a Custom Principal -- Wrapping the Request and Response -- The Message Policy -- The AuthConfigProvider -- Case Study - Implementation-Specific Identity Stores -- Tomcat -- Jetty -- Undertow -- JBoss EAP/WildFly -- Resin -- GlassFish -- Open Liberty -- WebLogic -- Chapter 4: Jakarta Authorization -- What Is Jakarta Authorization? -- Jakarta Authorization in Jakarta EE -- Java SE Types Used -- java.security.CodeSource -- java.security.ProtectionDomain -- java.security.Policy -- java.security.PermissionCollection -- The Authorization Module -- PolicyConfigurationFactory -- PolicyConfiguration -- Collecting and Managing Permissions.
A State Machine That Controls the Life Cycle of This Permission Collector -- Linking Permissions of Multiple Modules and Utilities -- Processing Permissions After Collecting -- Policy -- Transforming Security Constraints to Permissions -- Authorization Queries -- Get All Users Roles -- Has Access -- Role Mapping -- Alternative Mappings -- Groups to Permission Mapping -- Principal to Permission Mapping -- Chapter 5: Jakarta Security -- What Is Jakarta Security? -- Jakarta Security in Jakarta EE -- The HttpAuthenticationMechanism -- Example HttpAuthenticationMechanism -- Example IdentityStore -- Security Flow -- Default Authentication Mechanisms -- The Basic Authentication Mechanism -- The Form Authentication Mechanism -- The Custom Form Authentication Mechanism -- Providing Our Custom Jakarta Faces Code -- Caller-Initiated Authentication -- Default Identity Stores -- The Database Identity Store -- The LDAP Identity Store -- Identity Stores Using Application Services -- Authentication Mechanism Interceptors -- Auto Apply Session -- Remember Me -- Activating Remember-Me Service -- Logging Out -- Custom Principals -- Jakarta Security and Tomcat -- Simplified Custom Authorization Rules -- Dynamically Adding an Interceptor to a Built-in CDI Bean -- Chapter 6: Java SE Underpinnings -- Java Authentication and Authorization Service (JAAS) -- Common Classes -- Subject -- Key Features -- Retrieving a Subject -- Principals -- Retrieving Principals Associated with a Subject -- Credentials -- JAAS Authentication -- LoginContext -- Key Features -- Theory of Operation -- Parameters Explained -- LoginModule -- Key Features -- How to Implement a LoginModule -- initialize() -- login() -- commit() -- CallBackHandler -- Configuration -- Parameters Explained -- How to Run the JAAS Authentication Example -- JAAS Authorization -- JAAS Authorization in Three Steps.
The Policy File -- Runtime Configuration -- Performing Restricted Actions As an Authenticated Subject -- Introduction to Cryptography -- Key Concepts in Cryptography -- Two Basic Encryption Methods -- Symmetric Encryption -- Key Characteristics -- Asymmetric Encryption -- Key Characteristics -- Symmetric vs. Asymmetric Encryption -- X.509 Digital Certificates -- Key Features of an X.509 Certificate -- Common Applications of X.509 -- Key Pairs and Signatures -- Certificate File Name Extensions -- Certificate Chains -- What Is a Certificate Chain? -- How It Works -- Properties -- Anatomy of an X.509 Certificate -- Sample Certificate -- How to Generate, Manage, and Sign X.509 Certificates -- Programmatically -- Keytool As a Certificate Life Cycle Management Tool -- Background for the Code Examples -- Generating Key Pair -- Publishing Your Public Key -- Importing Certificate -- Digital Signature -- Loading Private Key -- Initiating Signature -- Updating the Signature with the Message Bytes -- Saving the Signature into a File -- Verifying a Digital Signature -- JCE Providers -- The Need for JCE Providers -- Available JCE Providers -- Bundled with the JDK -- Write a Custom Provider Yourself -- External JCE Providers -- IAIK-JCE -- Key Features[11] -- Less Popular JCE Providers -- Bouncy Castle -- How to Install a JCE Provider -- How JCE Providers Work -- How to Encrypt with Cipher Class -- Cipher Instantiation -- Cipher Initialization -- Performing Encryption and Decryption -- Asymmetric Encryption -- Bouncy Castle -- Architecture of Bouncy Castle -- Creating a Cipher -- Using the JCE Like -- Using the Lightweight API -- Asymmetric Encryption -- Key Generation and Key Agreement (Public Key Infrastructure (PKI)) and Message Authentication Code -- How PKI Works -- Key Generation -- Generating Symmetric Keys -- Generating Asymmetric Keys.
Elliptic Curve Cryptography -- What Is Elliptic Curve Cryptography? -- What Is ECC Used For? -- Advantages -- How Secure Is It? -- How Is ECC Different from RSA? -- What Is an Elliptic Curve Digital Signature? -- Key Agreement -- In Action -- Message Authentication Codes -- MessageDigests and Hash Functions -- How to Compute Secure Hash Functions -- The Need for MACs -- How MAC Works -- Two Types of MAC -- Best Practices on MACs -- PKI Conclusions -- TLS in Java and TLS 1.3 -- What Is TLS -- Why TLS Is Important -- Benefits of TLS 1.3 -- How TLS Works -- Tools and Algorithms That Can Be Used -- TLS Protocol Details -- The Record Protocol -- Handshake -- TLS in Java -- JSSE API -- Obtaining an SSLSocketFactory -- Obtaining an SSLSocket -- In Action -- Takeaways on TLS -- Java SE Underpinnings Outro -- References -- Appendix 1. Commonly Used AuthPermissions in JAAS -- Appendix 2. Supported Algorithms Provided by SunJCE (Bundled JCE Provider) -- Appendix 3. Supported Algorithms by Bouncy Castle -- Chapter 7: Jakarta EE Implementations -- Overview -- Specification Usage -- Contribution Activity -- Implementation Usage -- Implementation Components -- GlassFish -- Authentication -- Passwords -- Master Password and Keystores -- Understanding Master Password Synchronization -- Default Master Password -- Saving the Master Password to a File -- Using the Master Password Creating a Domain -- Administration Password -- Encoded Passwords -- Web Browsers and Password Storage -- Authentication Realms -- Create an Authentication Realm -- List Authentication Realms -- Update an Authentication Realm -- Delete an Authentication Realm -- Exousia -- Configuring Exousia in GlassFish -- Manage Authorization Providers from the Admin Console -- Manage Authorization Providers from the Command Line -- Using Exousia with Tomcat -- Soteria -- A Very Brief History.
Authentication Mechanisms.
Summary: Refer to this definitive and authoritative book to understand the Jakarta EE Security Spec, with Jakarta Authentication & Authorization as its underlying official foundation. Jakarta EE Security implementations are discussed, such as Soteria and Open Liberty, along with the built-in modules and Jakarta EE Security third-party modules, such as Payara Yubikey & OIDC, and OmniFaces JWT-Auth. The book discusses Jakarta EE Security in relation to SE underpinnings and provides a detailed explanation of how client-cert authentication over HTTPS takes place, how certifications work, and how LDAP-like names are mapped to caller/user names. General (web) security best practices are presented, such as not storing passwords in plaintext, using HTTPS, sanitizing inputs to DB queries, and encoding output; explanations of various (web) attacks and common vulnerabilities are also included. Practical examples of securing applications discuss common needs such as letting users explicitly log in, sign up, verify email safely, explicitly log in to access protected pages, and go directly to the login page. Common issues are covered, such as abandoning an authentication dialog halfway and later accessing protected pages again.
What You Will Learn: know what Jakarta/Java EE security includes and how to get started learning and using this technology for today's and tomorrow's enterprise Java applications; secure applications, both traditional server-side web apps built with JSF (Faces) and applications based on client-side frameworks (such as Angular) and JAX-RS; work with the daunting number of security APIs in Jakarta EE; understand how EE security evolved.
Who This Book Is For: Java developers using Jakarta EE and writing applications that need to be secured (every application). Basic knowledge of Servlets and CDI is assumed. Library writers and component providers who wish to provide additional authentication mechanisms for Jakarta EE will also find the book useful.
Authorized title: The Definitive Guide to Security in Jakarta EE
ISBN: 1-4842-7945-X
Format: Printed material
Bibliographic level: Monograph
Language of publication: English
Record no.: 9910561299303321
Held at: Univ. Federico II