Java EE Security API is one of the new APIs in Java EE 8. With Java EE currently being transferred and rebranded to Jakarta EE, this API will soon be rebranded to Jakarta Security, which is the term we'll use in this article. Jakarta Security is part of the Jakarta APIs, included and active in the Payara Platform by default with no configuration required in order to use it. With some effort, Jakarta Security can be used with Tomcat, as well.  

Java EE 8 introduced a new API called the Java EE Security API (see JSR 375) or "EE Security" in short.

 

This new API, perhaps unsurprisingly given its name, deals with security in Java EE.  Security in Java EE is obviously not a new thing though, and in various ways it has been part of the platform since its inception.

 

So what is exactly the difference between EE Security and the existing security facilities in Java EE? In this article we'll take a look at that exact question.

 

Java SE comes with many security primitives upon which Java EE builds. JAAS for instance is a well known API in this context, from which Java EE uses the Principal, Subject and to some degree the LoginModule types. The Java EE security APIs JACC and JASPIC make direct use of these types.

 

For a long time, the Java EE security system has had a quite cool, but   woefully underused, feature; pluggable authorization modules. The authorization modules are provided by a specification called Java Authorization Contract for Containers, aka  JACC. 

 

Introduction

With the rise of the micro-service architecture, we have seen also a shift from SOAP to REST as the means of exchanging data between parties. REST and JAX-RS are gaining a lot of popularity outside the micro-service world, also.

 

Payara Serverの管理タスクで最も多いものの1つは、他のWebサーバーと同様に、HTTPプロトコルやPayara Serverへのリモート・アクセスをセキュアにするための電子証明書のセットアップです。自己署名証明書または信頼できる認証機関の署名入り証明書のいずれかをお持ちでしょうが、どちらの場合も証明書をPayara Serverのドメインに追加してセキュアな通信に用いるのはとても簡単です。

 

Introduction

OpenID Connect is a security mechanism for an application to contact an identity service, verify the identity of the End-User based, and obtain End-User information using REST API's in a secure way.

If you're building a REST service, then that REST service will expose some kind of data or will allow some kind of interactions with a server. For instance, consider a Facebook REST service that allows you to retrieve your chat history. Naturally you don't want just anyone looking at that history, hence the need for security.

 

Introduction : 

Java EE Security API (JSR 375) :

The Java EE Security API 1.0 is a new spec for Java EE 8 that aims to bridge some of the gaps that have traditionally been left unspecified and provides the new way to define or configure identity stores and authentication mechanisms.  

Following up from the first part of the Security Auditing  article, where we covered the audit logging,  in this part we will focus on creating a custom audit module.