Inside Java™ 2 Platform Security, the definitive and comprehensive guide to the Java security platform, has been thoroughly updated to reflect key additions and revisions to Java security technologies currently in use by leading technology companies. This second edition, penned by the Java experts at Sun Microsystems, provides a detailed look into the central workings of the Java security architecture and describes tools and techniques for successful implementation on even the most demanding network computing environment.
While Java has always provided a stronger security model than other platforms, this book reviews all the methods and practices required to improve security without sacrificing functionality. With tips on how to customize, extend, and refine the Java security architecture, users will have everything they need to protect their information assets from both external and internal threats.
This book's in-depth coverage encompasses security architecture, deployment, customization, new developments, and much more.
Designed for both the system administrator and software practitioner, this book delivers vital knowledge for building and maintaining a secure system using the Java 2 platform. With detailed code and usage examples throughout, Inside Java™ 2 Platform Security, Second Edition, is an indispensable resource for all platform security needs.
The Java™ Series is supported, endorsed, and authored by the creators of the Java technology at Sun Microsystems, Inc. It is the official place to go for complete, expert, and definitive information on Java technology. The books in this Series provide the inside information you need to build effective, robust, and portable applications and applets. The Series is an indispensable resource for anyone targeting the Java™ 2 platform.
Download Sample Chapter 7 related to this title.
How This Book Is Organized.
About the Authors.
Cryptography versus Computer Security.
Threats and Protection.
Access Control and Security Models.
Where Java Technology-Based Security Fits In.
The Java Programming Language and Platform.
Original Basic Security Architecture.
Bytecode Verification and Type Safety.
Security Architecture Requirements of Java™ 2.
Overview of the Java 2 Security Architecture.
Class Files, Types, and Defining Class Loaders.
Well-Known Class Loader Instances.
Class Loader Hierarchies.
Dynamic Security Policy.
Customizing Security Policy Enforcement.
Customizing Security Policy Decisions.
Customizing the Access Control Context.
Establishing Trust with Certification Paths.
Establishing Trust in Signed Code.
User-Centric Authentication and Authorization using JAAS.
Distributed End-Entity Authentication.
Fields and Methods.
Private Object State and Object Immutability.
Cryptographic Services and Service Providers.
Core Cryptography Classes.
Additional Cryptography Classes.
Remote Method Invocation.
Installing the Latest Java 2 Platform Software.
The Installation Directory.
Setting System and Security Properties.
Securing the Deployment.
Installing Provider Packages.
JAAS Login Configuration Files.
Introduction to Java Card.
Introduction to Java 2 Micro Edition.
Security Enhancements On the Horizon for J2SE.
Brief Introduction To Jini Network Technology.
Brief Introduction to J2EE.
Inventing is a combination of brains and materials. The more brains you use, the less material you need.
The phrases "computer security," "network security," and "information security" conjure up different notions and precepts to a given audience. Some tend to envision technical measures, such as cryptography, as the sole means by which security is attained. Others recognize the limitations of various technical measures and treat them as tools which, when used in combination with other technical measures, can accomplish the task at hand. The distinction is subtle but important. The phrase "platform security" reflects a holistic view of security. It suggests that the foundation is secure and can be relied upon as is or used as a secure subsystem to leverage when building larger systems. Building a secure platform is a very difficult and exacting task which historically has only been accomplished when security is a design requirement that is taken into consideration at the onset. The idea that security can be "bolted on" has been proven frail and wrought with failure modes, which has lead to a mulititude of security breaches.
Java technology is possibly the only general-purpose secure computing platform to become commercially successful. This would never have happened had the designers not taken security seriously from the start. The security properties of Java technology are many and the Java platform builds upon itself to create a reliable and secure platform. The Java 2 security model would be impossible to make trustworthy if it were not for the safety net provided by the Java language itself. The Java language specifies the semantics to ensure type safety and referential integrity and yet would fail miserably if it were not for the enforcement and assurances the Java Virtual Machine provides. Thus from these various secure subsystems we have created a greater whole.
The target audience of this book is varied. We believe this book will be a useful resource to those seeking a general understanding of the security foundation the Java 2 security architecture provides and relies upon. The book should also prove particularily useful to software practitioners building enterprise-class applications which must meet varied security requirements ranging from authentication to authorization to information protection. This book provides insight into some of the design tradeoffs we made as we developed the platform and the lessons we have learned as we continue to evolve and enhance the platform. We provide guidance to those needing to customize the security model for their specific purposes. We describe the inflection points we designed into the platform to accommodate those rare but critical customizations. Most of the aforementioned topics are targeted to system developers, yet we recognize that security is not limited to the implementation of an application. Equally important is the deployment of the application. For deployers we supply descriptions ranging from expressing security policy to hardening the installation of the runtime environment.
This book does not explain to any level of detail the Java programming language. We recommend the book by Arnold and Gosling as a good starting point. Also we do not cover the various security APIs in their entirety and thus we refer the reader to the Java 2 SDK documentation.
The text of this book is essentially organized to cater to the various audiences we previously described. The first two chapters supply background information providing the basis for more specific topics covered in subsequent chapters. The reader need not be proficient in the Java language to understand these introductory chapters. Chapters 3 through 6 describe the Java 2 security architecture, starting with general concepts and ending with comprehensive coverage of security policy enforcement. Chapters 7 through 11 are targeted towards the enterprise application developer, covering topics ranging from trust establishment to cryptography and network security. For these chapters, Java language proficiency is assumed. Chapter 12 is directly targeted towards deployers, who should also read chapter 8 for additional details regarding trust establishment. It is our belief that deployers need not be proficient in the Java language and that the sections of chapter 8 describing APIs can be ignored by them. The content of each chapter of this book is as follows.
Chapter 1. A general background on computer, network, and information security.
Chapter 2. A review of the Java security models, starting with the original sandbox and progressing to the fine-grained access control model.
Chapter 3. An in-depth look at the Java 2 security architecture, which is policy-driven and capable of enforcing fine-grained access controls.
Chapter 4. Detailed coverage of class loading, including a description of the class loader inheritance hierarchy and the runtime delegation hierarchy.
Chapter 5. An explanation of the security classes which supply the foundation for the enforcement of security policy at runtime.
Chapter 6. Thorough coverage of the policy enforcement classes and the design of the Java 2 security architecture access control algorithm.
Chapter 7. An explanation of the customization points provided for systems programmers who need to enhance the core security architecture.
Chapter 8. An outline of the trust establishment capabilities and mechanisms supplied by the security architecture.
Chapter 9. A presentation of common pitfalls and defensive programming strategies.
Chapter 10. Comprehensive coverage of the cryptography-related APIs.
Chapter 11. An operational overview of the APIs utilized to secure network protocols, including those for authentication, confidentiality and integrity protection.
Chapter 12. A presentation of the deployment options which may be used to securely deploy the Java runtime and Java technology-based applications.
Chapter 13. A look at the various Java technology platforms and a glance towards the future of Java security.
Download the Index
file related to this title.