Posts tagged Security
These days the world-wide open-source community celebrates the advent of Jakarta EE 10. It is then a good time to look at one of its most relevant and, at the same time, unknown parts: security!
In this blog, I'll give an introduction to Jakarta EE Security, and then explain how Payara Platform builds on Jakarta EE Security with built-in identity stores for RDBMS (Relational Database Management System) and LDAP (Lightweight Directory Access Protocol).
The April 2022 Payara Platform release is here! Payara Platform Community 5.2022.2 brings 13 bug fixes, 2 component upgrades, 3 improvements and 3 security fixes, whilst Payara Platform Enterprise 5.38.0 includes 2 bug fixes, 1 improvement and 4 security fixes.
It includes the fix for "Spring4Shell", and improved support for Jakarta EE 9, as you can now run Jakarta EE 9 applications using PrimeFaces.
This release also gives Payara users the ability to use gRPC, the Google Remote Procedure Call Framework.
Please note: This is the penultimate Payara 5 Community release. Payara 6 Community will soon take its place, to be used with Jakarta EE 10. If you want to keep using earlier Java EE/Jakarta EE versions - we encourage you to move to Payara 5 Enterprise.
A realm is the security policy domain within an application server. It defines how the authentication and authorization for your application is performed. Most of the time, your application is used by a person that can provide username and passwords as credentials (directly or indirectly through providers like an OpenId Connect provider) but some use cases exist where another process needs to use your endpoints.
The Client Certificates security extensions continue to receive improvements in this release. In previous releases (July and September 2021) we added Client Certificate Authentication improvements, giving the ability to define multiple TrustStores and implement a SPI to allow developers to perform additional checks on the Client Certificate.
Previously, any Client Certificate that is used and matched within the KeyStore was accepted, even when the certificate was expired. Starting in the October 2021 releases (Payara Community 5.2021.8 and Payara Enterprise 5.32.0), using the newly developed SPI, we have implemented an additional check when using the Client Certificate authentication option to ensure the certificate is valid.
SSL certificates are used for several features within Payara Server. You can configure your custom certificate for the TLS based connections the Payara Server is serving when using a custom domain name. And those certificates can be used for authentication purposes to identify the caller, mainly in a machine to machine communication.
With the July and September 2021 Payara Server releases, we have implemented two new features to improve the usage of these custom SSL certificates.
You may have heard the term ‘Internet of Things’ or IoT, referred to with increasing frequency in technology and business circles. It is cited more and more frequently as key in the future of computing, the workplace, consumer technology, travel and more.
But what do we mean when we say Internet of Things – and what implications does it have when it comes to security?
When a user needs to access multiple applications in your environment, you should not require authentication for each application. If the user has already been authenticated for one of the applications, he or she should should not be asked for credentials when he accesses one of the other applications during the same browser session. This concept is called Single Sign-on where the authentication credentials are 'shared' in the environment and can be used by any application in that environment.