Introduction to Java Enterprise Security

Get a brief introduction to Java Enterprise security and an overview of the course.


Overview

This course is about Java Enterprise security. It will answer the following questions:

  • What options do we have to identify our end users?

  • What is the difference between encoding, encryption, and hashing?

  • How can we propagate permission information within a microservice architecture?

  • How can we integrate technologies like OAuth2 and OpenID Connect?

  • And much more.

Normally, we would also have to consider the topic of authentication and authorization for web applications and REST-style endpoints. However, we won’t worry about it for this course.

Security is a very broad concept, and we won’t be able to cover every aspect of it in this one course. Instead, we’ll concentrate on information security: how do we identify a user and ensure that they can only access and edit the info that is authorized for them?

According to ISO standards, we can define information security as:

"Preservation of confidentiality, integrity, and availability of information."

Source: ISO/IEC 27000:2009 (E). (2009). Information technology - Security techniques - Information security management systems - Overview and vocabulary. ISO/IEC.

Trademarked names, logos, and images may appear in this course. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image, we will use them only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringing the trademark.

OWASP

When a framework we use has a vulnerability that exposes data to a broader audience than intended, or when we make a mistake in our code or in the configuration of the environment, our application is affected by a security vulnerability. These vulnerabilities are categorized by the mechanics involved in them.

Some good material about these vulnerabilities can be found on the OWASP website. The Open Web Application Security Project (OWASP) maintains a list of the most important vulnerabilities currently affecting software. The top 10 issues in its 2021 edition are:

  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable and Outdated Components
  • A07 Identification and Authorization Failures
  • A08 Software and Data Integrity Failures
  • A09 Security Logging and Monitoring Failures
  • A10 Server-Side Request Forgery

This is a general list, not specific to Java Enterprise. Some of the items, like injection, are normally not an issue with Jakarta EE, because JPA queries pass values to the database as bound placeholders rather than as part of the query text. Several items on this list are related to authentication, authorization, and the incorrect usage or misconfiguration of encryption. Clearly, it’s important to understand the basic concepts of security and to learn every aspect of security that your application requires.
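The placeholder protection mentioned above only applies to values that are actually bound as parameters. The following added example (not code from the course) contrasts a JPQL query that splices user input into the query string with the parameterized form; it assumes a container-provided EntityManager and a hypothetical Customer entity.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;
import jakarta.persistence.TypedQuery;
import java.util.List;

// Hypothetical entity, assumed for this example only.
@Entity
class Customer {
    @Id
    private Long id;
    private String email;

    public Long getId() { return id; }
    public String getEmail() { return email; }
}

public class CustomerRepository {
    // Assumed to be injected by the Jakarta EE container.
    private final EntityManager em;

    public CustomerRepository(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the untrusted value becomes part of the JPQL text itself,
    // so JPA cannot treat it as data. Placeholders do not help here because
    // none are used.
    public List<Customer> findByEmailUnsafe(String email) {
        String jpql = "SELECT c FROM Customer c WHERE c.email = '" + email + "'";
        return em.createQuery(jpql, Customer.class).getResultList();
    }

    // SAFE: the query text is constant and the value travels as a bound
    // parameter, which is what makes injection a non-issue in this case.
    public List<Customer> findByEmail(String email) {
        TypedQuery<Customer> query = em.createQuery(
                "SELECT c FROM Customer c WHERE c.email = :email", Customer.class);
        return query.setParameter("email", email).getResultList();
    }
}
```

A code review or static analysis rule that flags string concatenation inside createQuery calls catches the unsafe variant before it reaches production.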

The OWASP website is a good starting point, as the project also maintains checklists that help you implement the security requirements of your applications properly.