Security in the Payara Platform
Security is always a concern when implementing applications that will run in production environments. The Payara Platform Enterprise is a fully supported, open-source platform for enterprises that offers a strong set of security features, so you do not have to implement your own security measures from scratch; it enables reliable and secure deployments of Jakarta EE and MicroProfile applications on premises, in the cloud, or in hybrid environments.
Making the platform secure and providing useful built-in security tools for application developers and production administrators is an essential part of the platform development process. It is delivered through monthly releases, security fixes, critical security patches, and a 10-year software lifecycle. The Payara Platform also provides tools to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.
| Area | Features |
|---|---|
| Authentication | Jakarta Soteria, Realms, JAAS |
| Authorisation | Jakarta EE role-based security, JWT, JACC, Payara CDI-based permission annotation, SecurityManager, Security Extensions |
| Identity Stores | LDAP, Database, YubiKey, Linux PAM |
| Identity Propagation | OAuth2, OpenID Connect |
| Confidentiality | TLS 1.3, Password Encryption and Aliases, Data Grid encryption |
| Security Auditing Tools | Access Log, Domain Updates Log, Payara Audit Modules, JPA audit |
| Standards Compliance | Jakarta Security, PCI |
Security Auditing in Payara Server
This guide explains and demonstrates the security auditing best practices and features you can find in Payara Server. Security is always a concern when implementing applications that will run in production environments, and both the JVM and Payara Server provide a strong set of security implementations covering most use cases in the industry.
Securing Your Applications Running on Payara Platform (JAX-RS Endpoints)
This User Guide discusses the different aspects of securing the JAX-RS endpoints of your application using standards and common practices such as OAuth2, OpenID Connect, JSON Web Tokens (JWT), and MicroProfile JWT authentication in combination with the Payara Platform.
Security Tools in Payara Platform
In this datasheet learn about the tools provided by the Payara Platform to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.
How to Develop Applications with Minimal Security Risks
This user guide, written in collaboration with Snyk, takes you through 7 key pointers for developing applications with minimal security risk. It will help you take responsibility for the security of your software, so that you do not become one of the roughly 20,000 websites that, on average, are hacked every day.
How to Raise Security Issues
Payara Services Limited is very active in identifying and fixing possible security vulnerabilities in Payara Server and Payara Micro, whether they are inherited from GlassFish upstream or introduced by newly developed features.
We strongly encourage users to report such problems in the following ways:
- If you have a support contract, create a ticket describing the vulnerability you detected, as you would for any other bug report.
- If you do not have a support contract, please send an email describing the vulnerability to firstname.lastname@example.org. Please do not use this address to report bugs or issues unrelated to security vulnerabilities; such messages will be ignored. Instead, raise a new issue on the GitHub repository's issues page detailing the problem at hand.
You can also send us inquiries about CVEs reported against similar Java platforms or application servers (such as Apache Tomcat or JBoss WildFly) and let us research whether or not Payara Server is affected by them.
A realm is the security policy domain within an application server. It defines how authentication and authorization for your application are performed. Most of the time your application is used by a person who can provide a username and password as credentials (directly, or indirectly through a provider such as an OpenID Connect provider), but some use cases exist where another process needs to call your endpoints.
The Client Certificate security extensions continue to receive improvements in this release. In previous releases (July and September 2021) we added Client Certificate Authentication improvements: the ability to define multiple TrustStores, and an SPI that lets developers perform additional checks on the client certificate. Previously, any presented client certificate that matched a trusted entry was accepted, even if the certificate had expired. Starting with the October 2021 releases (Payara Community 5.2021.8 and Payara Enterprise 5.32.0), we use the newly developed SPI to implement an additional check when the Client Certificate authentication option is used, so that the certificate's validity period is also enforced.
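What the extra validity check changes, shown as an added illustration that is not Payara's code or its SPI: a small Go program (chosen because its standard library can build a throwaway PKI in memory, so the example runs offline without any key or trust store files) issues a constructed CA, a live and an expired client certificate signed by it, and a certificate from an unrelated CA, then runs two checks on each. `acceptedByTrustStoreMatch` stands in for the older behaviour, accepting anything signed by a trust-store entry without looking at the validity window; `checkClientCert` does full path validation at the current time, which is what the stricter check adds. All names (`Constructed Corp CA`, `batch-job-01`, and so on) are made up for the example; in Payara the equivalent check is plugged in through the SPI described above rather than written this way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates an in-memory certificate for the given validity window (constructed
// test data, not a real PKI). A CA is self-signed; a client cert is signed by parent.
func issue(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // self-signed, and allowed to sign the client certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// acceptedByTrustStoreMatch is the weaker check reduced to its essence: accept once the
// presented cert was signed by a trust-store entry. NotBefore/NotAfter are never consulted.
func acceptedByTrustStoreMatch(trusted []*x509.Certificate, presented *x509.Certificate) bool {
	for _, t := range trusted {
		if presented.CheckSignatureFrom(t) == nil {
			return true
		}
	}
	return false
}

// checkClientCert is the stricter check: a path to a trust anchor must exist, every
// certificate on it must be valid at now, and the leaf must permit client authentication.
func checkClientCert(roots *x509.CertPool, presented *x509.Certificate, now time.Time) string {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := presented.Verify(opts)
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // Go also uses Expired for a not-yet-valid certificate
	default:
		return "untrusted"
	}
}

type Result struct {
	Name        string
	NaiveAccept bool
	Strict      string
}

// Scenario: trusted CA, live and expired client certs from it, one cert from an unrelated CA.
func Scenario() []Result {
	now := time.Now()
	year := 365 * 24 * time.Hour
	ca, caKey := issue("Constructed Corp CA", now.Add(-2*year), now.Add(5*year), true, nil, nil)
	live, _ := issue("batch-job-01", now.Add(-year), now.Add(year), false, ca, caKey)
	expired, _ := issue("batch-job-02", now.Add(-2*year), now.Add(-year), false, ca, caKey)
	otherCA, otherKey := issue("Unrelated CA", now.Add(-year), now.Add(year), true, nil, nil)
	rogue, _ := issue("batch-job-03", now.Add(-year), now.Add(year), false, otherCA, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	check := func(c *x509.Certificate) Result {
		return Result{c.Subject.CommonName, acceptedByTrustStoreMatch([]*x509.Certificate{ca}, c), checkClientCert(roots, c, now)}
	}
	return []Result{check(live), check(expired), check(rogue)}
}

func main() {
	for _, r := range Scenario() {
		fmt.Printf("%-12s trust-store-match=%-5v strict=%s\n", r.Name, r.NaiveAccept, r.Strict)
	}
}
```

Running it shows the gap the October 2021 change closes: `batch-job-02` passes the match-only check but is rejected as `expired` by path validation, while the certificate from the unrelated CA fails both. Path validation as shown still does not consult revocation (CRL or OCSP); that is a separate check to add where certificates can be compromised before they expire.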
Client Certificate Authentication Improvements in Payara Server July and September 2021 Releases 17 Sep 2021
SSL/TLS certificates are used for several features within Payara Server. You can configure a custom certificate for the TLS connections Payara Server serves under a custom domain name, and certificates can also be used for authentication, identifying the caller in machine-to-machine communication. With the July and September 2021 Payara Server releases, we have implemented two new features that improve the use of these custom certificates.
6 Vital Steps to Enhancing IoT Security 14 May 2021
You may have heard the term ‘Internet of Things’ or IoT, referred to with increasing frequency in technology and business circles. It is cited more and more frequently as key in the future of computing, the workplace, consumer technology, travel and more. But what do we mean when we say Internet of Things – and what implications does it have when it comes to security?
Securing Payara Server with Custom SSL Certificates 10 May 2021
One of the most common Payara Server administration tasks, as with any other web server, is setting up a digital certificate to secure the HTTP protocol and remote access to Payara Server. You may have either a self-signed certificate or one signed by a trusted certificate authority; in both cases, adding the certificate to your Payara Server domain and using it for secure communication is very easy.
MicroProfile in Practice – Expose and visualise metrics, Configure your app & Secure REST endpoints.
Java Champion Ondrej Mihalyi uses a simple game application to demonstrate some MicroProfile capabilities of the Payara Platform, which powers both Payara Server and Payara Micro, showing how to:
- Expose operational and business logic metrics and how to visualise them.
- Configure your applications.
- Secure REST endpoints in your applications using the JSON Web Token (JWT) mechanism.
How to Create a Secure JSF JPA Application
How to Create a Secure JSF/JPA Web App on Payara Server 5 – Learn how to create a secure web application using multiple Java EE/Jakarta EE APIs and connect it to a MySQL 8 database in this comprehensive tutorial.
MicroProfile Metrics with Prometheus and Grafana
The goal of MicroProfile Metrics is to expose monitoring data from the implementation in a unified way. It also defines a Java API so that developers can define and supply their own values. Prometheus is a popular open-source tool for gathering metrics. Grafana is a multi-platform open-source solution for running data analytics, pulling up metrics, and monitoring applications.