Monday, 22 August 2016

Java EE Security Workshop

Earlier this month, I organized a workshop on Java EE Security, because a lot of developers don't know all the features and possibilities we have, or how to use them. It didn't cover just the spec-related material: I tried to make it as practical as possible, and it includes some popular frameworks such as PrimeFaces, ScribeJava, Nimbus-JOSE etc.

The workshop explained various concepts and examples regarding 'Information security'. That is the term for the classic security of web applications and REST style endpoints, where we need to establish the identity of the user and determine which actions he is allowed to perform and which data he is allowed to see.

For the attendees, the step-by-step instructions for the examples are gathered in a 'book', together with a short explanation of the concepts and a description of why and how each example works.
Of course, there was more material for the attendees who followed the workshop, but the book is available for free and can be downloaded from

Here is a short overview of what can be found in the document:

  • What are authentication and authorization
  • The difference between encryption, encoding and hashing.
  • A comparison of simple BASIC authentication done in different ways: the do-it-yourself way, standard Java EE, and a popular framework like Apache Shiro.
  • What are the authentication methods?
  • How to integrate FORM-based authentication with PrimeFaces
  • The goals of the Java EE Security API JSR (JSR-375)
  • An LDAP example with Soteria, the reference implementation (RI) of JSR 375
  • OAuth2 explained
  • Google OAuth2 authentication with the help of ScribeJava
  • Roles versus permissions, and why the latter is better.
  • What is JWT and how can we use it for security purposes
  • Using JWT to uniquely, securely identify the other party in a REST style communication using Nimbus-JOSE.
  • Introduction to the features of the Octopus framework (
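As an added illustration of the JWT items above (this is example code written for this post, not code from the workshop book or from the Nimbus library), here is how a REST client can identify itself to an endpoint with an HS256-signed JWT using Nimbus JOSE + JWT, and how the endpoint verifies it. The shared secret, the issuer name `workshop-client`, the subject and the 5-minute lifetime are all constructed for illustration; the only dependency assumed is `com.nimbusds:nimbus-jose-jwt`.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;

public class JwtExample {

    // Constructed for illustration: HS256 needs a shared secret of at least 256 bits (32 bytes).
    private static final byte[] SECRET =
        "workshop-demo-secret-that-is-at-least-32-bytes!!".getBytes(StandardCharsets.UTF_8);

    // Hypothetical issuer name the endpoint expects to see in the 'iss' claim.
    private static final String EXPECTED_ISSUER = "workshop-client";

    /** Client side: issue a token identifying the calling party, valid for 5 minutes. */
    static String issue(String subject) throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject(subject)
            .issuer(EXPECTED_ISSUER)
            .issueTime(now)
            .expirationTime(new Date(now.getTime() + 5 * 60 * 1000))
            .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(SECRET));
        return jwt.serialize();
    }

    /** Endpoint side: check algorithm, signature, issuer and expiry; return the subject or throw. */
    static String verify(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm ourselves: never let the token header choose it.
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg: " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new MACVerifier(SECRET))) {
            throw new JOSEException("bad signature");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!EXPECTED_ISSUER.equals(claims.getIssuer())) {
            throw new JOSEException("unexpected issuer: " + claims.getIssuer());
        }
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new JOSEException("token expired or has no expiry");
        }
        return claims.getSubject();
    }

    public static void main(String[] args) throws Exception {
        String token = issue("service-a");
        System.out.println("accepted subject: " + verify(token));

        // Changing one character of the payload must be rejected: the HMAC no longer matches.
        String[] parts = token.split("\\.");
        String payload = parts[1];
        char last = payload.charAt(payload.length() - 1);
        String tampered = parts[0] + "." + payload.substring(0, payload.length() - 1)
            + (last == 'A' ? 'B' : 'A') + "." + parts[2];
        try {
            verify(tampered);
            System.out.println("BUG: tampered token accepted");
        } catch (Exception e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

The order of the checks is deliberate: the algorithm is compared against a value the endpoint chooses before any cryptography runs, the signature is verified before any claim is trusted, and issuer and expiry are checked explicitly because Nimbus does not enforce them for you in this low-level API. With an asymmetric algorithm (RS256 or ES256) the same structure applies, with `RSASSASigner`/`RSASSAVerifier` or `ECDSASigner`/`ECDSAVerifier` in place of the MAC classes.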

I hope that a lot of you, just like the attendees, who were very enthusiastic, will learn some new things about security in Java-based web applications and REST style endpoints.