Overview
Explore a comprehensive 35-minute technical session on building secure Java web applications using Spring Security and Apache Fortress. Dive into the Jakarta EE architecture and learn practical, hands-on techniques for implementing robust authentication, authorization, and confidentiality controls. Discover where to place security controls and why, with code examples to jumpstart your own highly secure Java web applications. Gain insights from industry experts Shawn McKinney and John Tumminaro as they demonstrate an end-to-end application security architecture for an Apache Wicket Web app running in Tomcat. Understand the importance of runtime Java security policies, ANSI RBAC INCITS 359 specification, and ABAC implementation. Walk through real-world examples, including role engineering samples and live demos of Apache Fortress, to enhance your understanding of secure web application development.
Syllabus
Objective
Intro
Recommendation
What's The Problem
Apache Struts Statement on Equifax Security Breach
The Solution (Take 2)
Employ a Runtime Java Security Policy
Not a Perfect Solution
The Deadbolt
The Security System
The Standards Journey
Use ANSI RBAC INCITS 359 Specification
Use RBAC Object Model
Apache Fortress Access Management SDK and Web Components
Use RBAC Functional Model
Example #3: Role Engineering Sample
Locks on the Rooms
Apache Fortress Demo
RBAC Policy Enhanced
Use ANSI RBAC & ABAC
Under the Hood
ABAC Demo
Questions
Taught by
OWASP Foundation