Posts tagged Security

What's New in the April 2022 Payara Platform Release?

The April 2022 Payara Platform release is here! Payara Platform Community 5.2022.2 brings 13 bug fixes, 2 component upgrades, 3 improvements and 3 security fixes, whilst Payara Platform Enterprise 5.38.0 includes 2 bug fixes, 1 improvement and 4 security fixes. 

It includes the fix for "Spring4Shell", and improved support for Jakarta EE 9, as you can now run Jakarta EE 9 applications using PrimeFaces.

This release also gives Payara users the ability to use gRPC, the Google Remote Procedure Call Framework.

Please note: This is the penultimate Payara 5 Community release. Payara 6 Community will soon take its place, to be used with Jakarta EE 10. If you want to keep using earlier Java EE/Jakarta EE versions - we encourage you to move to Payara 5 Enterprise.

Client Certificate Realm Configuration in Payara Server

A realm is the security policy domain within an application server. It defines how the authentication and authorization for your application is performed. Most of the time, your application is used by a person that can provide username and passwords as credentials (directly or indirectly through providers like an OpenId Connect provider) but some use cases exist where another process needs to use your endpoints.

Client Certificate Validation in Payara Platform October 2021 Release

The Client Certificates security extensions continue to receive improvements in this release. In previous releases (July and September 2021) we added Client Certificate Authentication improvements, giving the ability to define multiple TrustStores and implement a SPI to allow developers to perform additional checks on the Client Certificate.

Previously, any Client Certificate that is used and matched within the KeyStore was accepted, even when the certificate was expired. Starting in the October 2021 releases (Payara Community 5.2021.8 and Payara Enterprise 5.32.0), using the newly developed SPI, we have implemented an additional check when using the Client Certificate authentication option to ensure the certificate is valid.

Client Certificate Authentication Improvements in Payara Server July and September 2021 Releases

SSL certificates are used for several features within Payara Server. You can configure your custom certificate for the TLS based connections the Payara Server is serving when using a custom domain name. And those certificates can be used for authentication purposes to identify the caller, mainly in a machine to machine communication.

With the July and September 2021 Payara Server releases, we have implemented two new features to improve the usage of these custom SSL certificates.

6 Vital Steps to Enhancing IoT Security

You may have heard the term ‘Internet of Things’ or IoT, referred to with increasing frequency in technology and business circles. It is cited more and more frequently as key in the future of computing, the workplace, consumer technology, travel and more.

But what do we mean when we say Internet of Things – and what implications does it have when it comes to security?

カスタム SSL証明書を用いた Payara Serverのセキュア化

Payara Serverの管理タスクで最も多いものの1つは、他のWebサーバーと同様に、HTTPプロトコルやPayara Serverへのリモート・アクセスをセキュアにするための電子証明書のセットアップです。皆様は自己署名証明書または信頼できる認証局の署名入り証明書のいずれかをお持ちでしょうが、どちらの場合も証明書をPayara Serverのドメインに追加してセキュアな通信に用いるのはとても簡単です。

How to Use OpenIdConnect with Payara Platform to Achieve Single Sign-on

When a user needs to access multiple applications in your environment, you should not require authentication for each application. If the user has already been authenticated for one of the applications, he or she should  should not be asked for credentials when he accesses one of the other applications during the same browser session. This concept is called Single Sign-on where the authentication credentials are 'shared' in the environment and can be used by any application in that environment.

How to Use Single Sign-on with Payara Server Realms

When a user needs to access multiple applications in your environment, you should not require authentication for each application. If the user has already been authenticated for one of the applications, he or she should  should not be asked for credentials when he accesses one of the other applications during the same browser session. This concept is called Single Sign-on where the authentication credentials are 'shared' in the environment and can be used by any application in that environment.