In an increasingly interconnected and digital world, it is no surprise that there has been a steady rise in the number and cost of security breaches over the last few years. To maximize the robustness and resilience of your applications and prevent any vulnerability from being exploited, it's important for companies to keep everything around their software up to date.

When it comes to application servers, it means using a modern, fully supported solution or upgrading to one quickly. With Java EE-based server runtime environments being outdated legacy software and lacking support, it is essential to migrate applications relying on these to favor an alternative, such as Jakarta EE, to safeguard your applications and data.

Introduction

Security is a paramount concern for modern web applications. Protecting sensitive data and user access necessitates a standardized approach. The OpenID Connect (OIDC) protocol, in conjunction with Identity Providers (IdPs) like Keycloak, and the Jakarta Security API integrated into Jakarta EE, offer a reliable solution. Together, they help streamline authentication and authorization in your Jakarta EE applications.

In the digital age, where data breaches are common and privacy is paramount, ensuring users use strong passwords is the first step to securing applications from never-ending threats. Passay, a Java password generation and policy management library helps enhance the security layer of any Java application. Let's dive into the core components of Passay in this blog post to see how you can employ it in your own applications. 

Securing applications is a critical aspect of modern software development, ensuring that only authorised users can access sensitive functionalities and data. In the realm of Java enterprise development, one of the robust solutions for securing applications is the use of MicroProfile JWT (JSON Web Tokens). This approach combines the strengths of Jakarta EE, with the agility and portability of MicroProfile standards, particularly for microservices architectures.

Download the Guide - 
Securing Jakarta EE Applications with MicroProfile JWT

Payara, a leading provider of Jakarta EE and MicroProfile runtimes, has been authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

These days the world-wide open-source community celebrates the advent of Jakarta EE 10. It is then a good time to look at one of its most relevant and, at the same time, unknown parts: security!

In this blog, I'll give an introduction to Jakarta EE Security, and then explain how Payara Platform builds on Jakarta EE Security with built-in identity stores for RDBMS (Relational Database Management System) and LDAP (Lightweight Directory Access Protocol).

The April 2022 Payara Platform release is here! Payara Platform Community 5.2022.2 brings 13 bug fixes, 2 component upgrades, 3 improvements and 3 security fixes, whilst Payara Platform Enterprise 5.38.0 includes 2 bug fixes, 1 improvement and 4 security fixes. 

It includes the fix for "Spring4Shell", and improved support for Jakarta EE 9, as you can now run Jakarta EE 9 applications using PrimeFaces.

This release also gives Payara users the ability to use gRPC, the Google Remote Procedure Call Framework.

Please note: This is the penultimate Payara 5 Community release. Payara 6 Community will soon take its place, to be used with Jakarta EE 10. If you want to keep using earlier Java EE/Jakarta EE versions - we encourage you to move to Payara 5 Enterprise.

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

The second episode in our 'Quick Fire Java' video series is out!

We discuss Log4j, security process and prioritization, and how Payara dealt with the vulnerability.

All in a concise 10-minute video.

A realm is the security policy domain within an application server. It defines how the authentication and authorization for your application is performed. Most of the time, your application is used by a person that can provide username and passwords as credentials (directly or indirectly through providers like an OpenId Connect provider) but some use cases exist where another process needs to use your endpoints.