Java Security
Writing and Deploying Secure Applications
Published on 17. May 2001
620 pages
978-1-4493-7211-8 (ISBN)
Description
One of Java's most striking claims is that it provides a secure programming environment. Yet despite endless discussion, few people understand precisely what Java's claims mean and how it backs up those claims. If you're a developer, network administrator or anyone else who must understand or work with Java's security mechanisms, Java Security is the in-depth exploration you need.Java Security, 2nd Edition, focuses on the basic platform features of Java that provide security--the class loader, the bytecode verifier, and the security manager--and recent additions to Java that enhance this security model: digital signatures, security providers, and the access controller. The book covers the security model of Java 2, Version 1.3, which is significantly different from that of Java 1.1. It has extensive coverage of the two new important security APIs: JAAS (Java Authentication and Authorization Service) and JSSE (Java Secure Sockets Extension). Java Security, 2nd Edition, will give you a clear understanding of the architecture of Java's security model and how to use that model in both programming and administration.The book is intended primarily for programmers who want to write secure Java applications. However, it is also an excellent resource for system and network administrators who are interested in Java security, particularly those who are interested in assessing the risk of using Java and need to understand how the security model works in order to assess whether or not Java meets their security needs.
More details
Other editions
Additional editions
Content
- Cover
- Copyright
- Table of Contents
- Preface
- Who Should Read This Book?
- Versions Used in This Book
- Conventions Used in This Book
- Command Conventions
- Code Conventions
- Organization of This Book
- What's New in This Edition
- How to Contact Us
- Acknowledgments
- Feedback for the Author
- Chapter 1. Java Application Security
- What Is Security?
- Software Used in This Book
- The Java 2 Platform
- The Java Cryptography Extension
- The Java Secure Sockets Extension
- The Java Authentication and Authorization Service
- More About Export Controls
- Other Software Versions
- The Java Sandbox
- Applets, Applications, and Programs
- Anatomy of a Java Program
- Security Debugging
- Summary
- Chapter 2. The Default Sandbox
- Elements of the Java Sandbox
- Permissions
- Keystores
- Code Sources
- Policy Files
- The policytool
- Permissions Outside of Policy Files
- The Default Sandbox
- The Default Policy File
- The java.security File
- Comparison with Previous Releases
- Summary
- Chapter 3. Java Language Security
- Java Language Security Constructs
- Object Serialization and Memory Integrity
- Enforcement of the Java Language Rules
- Compiler Enforcement
- The Bytecode Verifier
- Runtime Enforcement
- Comparisons with Previous Releases
- Controlling Bytecode Verification
- Summary
- Chapter 4. The Security Manager
- Overview of the Security Manager
- Security Managers and the Java API
- Operating on the Security Manager
- Methods of the Security Manager
- Methods Relating to File Access
- Methods Relating to Network Access
- Methods Protecting the Java Virtual Machine
- Methods Protecting Program Threads
- Methods Protecting System Resources
- Methods Protecting Security Aspects
- Comparison with Previous Releases
- Trusted and Untrusted Classes
- Differences in the Security Manager Class
- Summary
- Chapter 5. The Access Controller
- The CodeSource Class
- Permissions
- The Permission Class
- Using the Permission Class
- The BasicPermission Class
- Permission Collections
- The Permissions Class
- The Policy Class
- Installing a Policy Class
- Protection Domains
- The AccessController Class
- Access Control Contexts
- Guarded Objects
- Comparison with Previous Releases
- Summary
- Chapter 6. Java Class Loaders
- The Class Loader and Namespaces
- Class Loading Architecture
- Implementing a Class Loader
- Class Loader Classes
- Key Methods of the Class Loader
- Responsibilities of the Class Loader
- Using the URL Class Loader
- Using the SecureClassLoader Class
- Other Class Loaders
- Miscellaneous Class Loading Topics
- Delegation
- Loading Resources
- Loading Libraries
- Comparison with Previous Releases
- Summary
- Chapter 7. Introduction to Cryptography
- The Need for Authentication
- Author Authentication
- Data Authentication
- Java's Role in Authentication
- The Role of Authentication
- Cryptographic Engines
- Cryptographic Keys
- Message Digests
- Digital Signatures
- Encryption Engines
- Summary
- Chapter 8. Security Providers
- The Architecture of Security Providers
- Components of the Architecture
- Choosing a Security Provider
- The Provider Class
- Using the Provider Class
- Implementing the Provider Class
- Deploying the Provider Class
- The Security Class
- The Security Class and the Security Manager
- The Architecture of Engine Classes
- Comparison with Previous Releases
- Summary
- Chapter 9. Keys and Certificates
- Keys
- The Key Interface
- Asymmetric Keys
- Symmetric Keys
- Generating Keys
- The KeyPairGenerator Class
- Implementing a Key Pair Generator
- The KeyGenerator Class
- Key Factories
- The KeyFactory Class
- The SecretKeyFactory Class
- Key Specifications
- A Key Factory Example
- Certificates
- The Certificate Class
- The CertificateFactory Class
- The X509Certificate Class
- Advanced X509Certificate Methods
- Revoked Certificates
- Keys, Certificates, and Object Serialization
- Comparison with Previous Releases
- Summary
- Chapter 10. Key Management
- Key Management Terms
- The keytool
- Global Options to keytool
- Creating a Key Entry
- Generating a Certificate Request
- Importing a Certificate
- Creating a Certificate Entry
- Modifying Keystore Entries
- Deleting Keystore Entries
- Examining Keystore Data
- Miscellaneous Commands
- Using Certificates from Netscape
- The Key Management API
- Principals
- The KeyStore Class
- A Key Management Example
- Installing a KeyStore Class
- Secret Key Management
- Secret Key Distribution
- Secret Key Agreement
- Comparison with Previous Releases
- Summary
- Chapter 11. Message Digests
- Using the Message Digest Class
- Secure Message Digests
- The Mac Class
- Calculating Your Own MAC
- Message Digest Streams
- The DigestOutputStream Class
- The DigestInputStream Class
- Implementing a MessageDigest Class
- The MacSpi Class
- Comparison with Previous Releases
- Summary
- Chapter 12. Digital Signatures
- The Signature Class
- Using the Signature Class
- The SignedObject Class
- Signing and Certificates
- Signed Classes
- The jarsigner Tool
- Reading Signed Jar Files
- Implementing a Signature Class
- Comparison with Previous Releases
- Summary
- Chapter 13. Cipher-Based Encryption
- The Cipher Engine
- Using the Cipher Class for Encryption/Decryption
- Performing Your Own Padding
- Initialization of a PBEWithMD5AndDES Cipher
- Using the Cipher Class for Key Wrapping
- Implementing the Cipher Class
- Cipher Streams
- The CipherOutputStream Class
- The CipherInputStream Class
- Sealed Objects
- Comparison with Previous Releases
- Summary
- Chapter 14. SSL and HTTPS
- An Overview of SSL and JSSE
- Keystores and Truststores
- JSSE Certificates
- JSSE Socket Factories
- SSL Client and Server Sockets
- SSL Server Sockets
- SSL Sockets
- SSL Sessions
- SSL Contexts and Key Managers
- Working with Key Managers
- Working with Trust Managers
- Miscellaneous SSL Issues
- SSL Proxies
- Client-Side Authentication
- Choosing an SSL Cipher Suite
- SSL Handshaking
- JSSE Permissions
- The HTTPS Protocol Handler
- Verifying HTTPS Hosts
- HTTPS Properties
- Debugging JSSE
- Summary
- Chapter 15. Authentication and Authorization
- JAAS Overview
- Simple JAAS programming
- The JAAS Setup Code
- The JAAS User-Specific Code
- Simple JAAS Administration
- Configuring Login Modules
- Writing Policy Files
- Running the Example
- Advanced JAAS Topics
- JAAS Callbacks
- Writing a Login Module
- The JAAS Policy Class
- Administering a JAAS Policy
- Client/Server Authentication
- Groups and Roles
- Summary
- Appendix A. The java.security File
- Appendix B. Security Resources
- Security Bugs
- Java Security Bugs
- Tracking Security Bugs
- Third-Party Security Providers
- Security References
- Appendix C. Identity-Based Key Management
- Javakey
- Creating Identities and Signers
- Generating Keys and Certificates
- Exporting and Importing Credentials
- Signing a jar File
- Miscellaneous javakey Commands
- Identities
- The Identity Class
- Signers
- Identity Scopes
- Using the IdentityScope Class
- Writing an Identity Scope
- IdentityScope and the Security Manager
- Key Management in an Identity Scope
- Implementing an Identity Class
- Implementing a Signer Class
- A Shared System Identity Scope
- Creating Identities
- Summary
- Appendix D. The Secure Java Container
- The 1.1-Based Class Loader
- Defining Signed Classes
- The 1.1-Based Security Manager
- Protected Methods of the Security Manager
- Implementation Techniques
- Running Secure Applications
- Summary
- Appendix E. Implementing a JCE Security Provider
- Appendix F. Quick Reference
- Package java.security
- Package java.security.cert
- Package java.security.interfaces
- Package java.security.spec
- Package javax.crypto
- Package javax.crypto.interfaces
- Package javax.crypto.spec
- Package javax.net
- Package javax.net.ssl
- Package javax.security.auth
- Package javax.security.auth.callback
- Package javax.security.auth.login
- Package javax.security.auth.spi
- Package javax.security.cert
- Package com.sun.net.ssl
- Package com.sun.security.auth
- Package com.sun.security.auth.login
- Package com.sun.security.auth.module
- Miscellaneous Packages
- Index
- About the Author
