Chapter 17. Java EE Security API

17.1. About Java EE Security API

Java EE Security API defines plug-in interfaces for authentication and identity stores, and a new injectable-type SecurityContext interface that provides an access point for programmatic security. It is defined in JSR-375 of the Java Community Process. For details about the specifications, see Java EE Security API Specification.

17.2. Configure Java EE Security API Using Elytron

Enabling Java EE Security API Using the elytron Subsystem

The SecurityContext interface defined in the Java EE Security API uses the Java Authorization Contract for Containers (JACC) policy provider to access the current authenticated identity. To enable your deployments to use the SecurityContext interface, you must configure the elytron subsystem to manage the JACC configuration and define a default JACC policy provider.

  1. Disable JACC in the legacy security subsystem. Skip this step if JACC is already configured to be managed by Elytron.

    /subsystem=security:write-attribute(name=initialize-jacc, value=false)

  2. Define a JACC policy provider in the elytron subsystem and reload the server.

    /subsystem=elytron/policy=jacc:add(jacc-policy={})
    reload

Enabling Java EE Security API for Web Applications

To enable the Java EE Security API for a web application, the web application needs to be associated with either an Elytron http-authentication-factory or a security-domain. This installs the Elytron security handlers and activates the Elytron security framework for the deployment.

The minimal steps to enable the Java EE Security API are:

  1. Leave the default-security-domain attribute on the undertow subsystem undefined so that it defaults to other.
  2. Add an application-security-domain mapping from other to an Elytron security domain:

    /subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain, integrated-jaspi=false)

    When integrated-jaspi is set to false, ad-hoc identities are created dynamically.

The Java EE Security API is built on JASPI. For information about configuring JASPI, see Configure Java Authentication SPI for Containers (JASPI) Security Using Elytron.
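
A deployment that exercises the configuration above, added here as an example and not taken from the original documentation: a servlet that reads the caller through the injected SecurityContext, with an application-supplied IdentityStore behind the standard BASIC mechanism. The class names, the /whoami path, the user role and the demo.caller.* system properties are assumptions made for illustration.

```java
// Added example: class names, /whoami, the "user" role and demo.caller.* properties are assumptions.
import java.io.IOException;
import java.util.Collections;
import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@BasicAuthenticationMechanismDefinition(realmName = "demo")
@DeclareRoles("user")
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class WhoAmIServlet extends HttpServlet {
    @Inject private SecurityContext securityContext; // access point for programmatic security

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().printf("caller=%s user-role=%b%n",
                securityContext.getCallerPrincipal().getName(),
                securityContext.isCallerInRole("user"));
    }
}

@ApplicationScoped
class DemoIdentityStore implements IdentityStore {
    @Inject private Pbkdf2PasswordHash hash;
    // The default IdentityStore.validate(Credential) dispatches here by credential type.
    public CredentialValidationResult validate(UsernamePasswordCredential c) {
        String name = System.getProperty("demo.caller.name");
        String stored = System.getProperty("demo.caller.hash"); // PBKDF2 hash, never plaintext
        if (name != null && stored != null && name.equals(c.getCaller())
                && hash.verify(c.getPassword().getValue(), stored)) {
            return new CredentialValidationResult(name, Collections.singleton("user"));
        }
        return CredentialValidationResult.INVALID_RESULT; // unknown caller or wrong password
    }
}
```

The store rejects every credential until both demo.caller.* properties are set, so a deployment missing that configuration fails closed.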