Security in the Payara Platform
Security is always a concern when implementing applications that will run in production environments. The Payara Platform Enterprise is a fully-supported open source software for enterprises offering a strong tool set of security features so you won’t have to implement your own security measures from scratch, enabling reliable and secure deployments of Jakarta EE and Eclipse MicroProfile applications on premises, in the cloud, or hybrid environments.
Making the platform secure and providing useful built-in security tools for application developers and production administrators is an essential part of the platform development process and is accomplished with monthly releases, security fixes, critical security patches, and a 10-year software lifecycle. The Payara Platform also provides tools to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.
|Authentication||Jakarta Soteria, Realms, JAAS|
|Authorisation||Jakarta EE Role based security, JWT, JACC, Payara CDI Based permission annotation, SecurityManager, Security Extensions|
|IdentityStores||LDAP, Database, Yubikey, Linux PAM|
|Identity Propagation||OAuth2, Open ID Connect|
|Confidentiality||TLS 1.3, Password Encryption and Aliasses, Data Grid encryption|
|Security Auditing Tools||Access Log, Domain Updates Log, Payara Audit Modules, JPA audit|
|Standard Compliance||Jakarta Security, PCI|
Security Auditing in Payara Server
This guide explains and demonstrates the security auditing best practises and features you can find in Payara Server. Security is always a concern you must have when implementing applications that will run in production environments. Both the JVM and Payara Server have a strong tool set of security implementations for most use cases in the industry.
Securing Your Applications Running on Payara Platform (JAX-RS Endpoints)
This User Guide will discuss the different aspects of securing the JAX-RS endpoints of your application using standards and common practices like OAuth2, OpenID Connect, JWT Tokens, and MicroProfile JWT authentication in combination with the Payara Platform.
Security Tools in Payara Platform
In this guide learn about the tools provided by the Payara Platform to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.
Integrating LDAP with Payara Server
This guide explains and demonstrates how to integrate Lightweight Directory Access Protocol with Payara Server. We illustrate the implementation of the LDAP integration using a sample scenario: integrate Payara® Server with a LDAP user directory and manage the authentication and authorization of a sample web application.
How to Raise Security Issues
Payara Services Limited is very active at identifying and fixing possible security vulnerabilities included into Payara Server and Payara Micro that are either inherited from GlassFish upstream or introduced by new features developed.
We strongly encourage users to report such problems in the following ways:
- If you have a support contract, create a ticket describing the security vulnerabilities detected as you would do for any other bug reports.
- If you do not have a support contract, please send an email with the described vulnerabilities detected to firstname.lastname@example.org. Please don’t use this address to report bugs or issues unrelated to security vulnerabilities as they will be ignored, instead use the GitHub repository issues page for raising a new issue detailing the problem at hand.
You can also direct inquiries about reported CVE issues detected in similar Java platforms or application servers (like Apache Tomcat, JBoss WildFly, etc.) and let us research whether or not Payara Server is affected by such issues.
Securing your application is a very important aspect of the development of your application. You not only need to make sure that the application has the intended functionality but also that this functionality can only be executed by the appropriate people. You not only need to make sure that updates to data are restricted to the correct people, but it is also important that end users only see data they are allowed to see. And in case of sensitive data, this is even more important.
Securing your application is a very important aspect of development. You not only need to make sure that the application has the intended functionality but also that this functionality can only be executed by the appropriate people. It is critical to ensure that updates to data are restricted to the correct people, and that end users only see data they are allowed to see. And in case of sensitive data, this is even more important.
Watch this video to learn how to create a secure web application using multiple Java EE/Jakarta EE APIs and connect it to a MySQL 8 database in this comprehensive tutorial.
Payara Platform Supports TLS 1.3 on JDK 8 13 Mar 2020
Transport Layer Security (TLS) was introduced as a replacement for Secure Sockets Layer (SSL). TLS is a cryptographic protocol which provides secure communication between a client and a server. It also provides a mechanism by which information is not tampered with, falsified or read by anyone other than the intended receiver. TLS 1.3 was released in August 2018 to replace the widely used TLS 1.2. TLS 1.3 comes with stronger cryptographic algorithms and brings in major improvements in performance, security and privacy, which will be discussed in this blog.
This is an updated blog of the original which was published in May 2016 Payara Server provides the Health Check Service for automatic self-monitoring in order to detect future problems as soon as possible. When enabled, the Health Check Service periodically checks some low level metrics. Whenever it detects that a threshold is not met, it triggers alert notifications that allow to detect undesired behavior and predict possible failures. All of these automatic checks are very lightweight and run with a negligible impact on performance.
MicroProfile in Practice – Expose and visualise metrics, Configure your app & Secure REST endpoints.
Java Champion Ondrej Mihalyi demonstrates with a simple game application, some MicroProfile capabilities in the Payara Platform which powers both Payara Server and Payara Micro. Demonstrating how to:
- Expose operational and business logic metrics and how to visualise them.
- Configure your applications.
- Secure REST endpoints in your applications using JSON web token mechanism.
How to Create a Secure JSF JPA Application
How to Create a Secure JSF/JPA Web App on Payara Server 5 – Learn how to create a secure web application using multiple Java EE/Jakarta EE APIs and connect it to a MySQL 8 database in this comprehensive tutorial.
MicroProfile Metrics with Prometheus and Grafana
The goal of MicroProfile Metrics is to expose monitoring data from the implementation in a unified way. It also defines a Java API so that the developer can define and supply his own values. Prometheus is a popular Open-Source product for gathering metrics. Grafana is a multi-platform open source solution for running data analytics, pulling up metrics, and monitoring apps.