Inside Java™ 2 Platform Security: Architecture, API Design, and Implementation, 2nd Edition
- By Li Gong, Gary Ellison, Mary Dageforde
- Published May 27, 2003 by Prentice Hall. Part of the Java Series.
- Copyright 2003
- Dimensions: 7x9-1/4
- Pages: 384
- Edition: 2nd
- Book
- ISBN-10: 0-201-78791-1
- ISBN-13: 978-0-201-78791-7
Inside Java™ 2 Platform Security, the definitive and comprehensive guide to the Java security platform, has been thoroughly updated to reflect key additions and revisions to Java security technologies currently in use by leading technology companies. This second edition, penned by the Java experts at Sun Microsystems, provides a detailed look into the central workings of the Java security architecture and describes tools and techniques for successful implementation on even the most demanding network computing environment.
While Java has always provided a stronger security model than other platforms, this book reviews all the methods and practices required to improve security without sacrificing functionality. With tips on how to customize, extend, and refine the Java security architecture, users will have everything they need to protect their information assets from both external and internal threats.
This book's in-depth coverage encompasses security architecture, deployment, customization, new developments, and much more.
Designed for both the system administrator and software practitioner, this book delivers vital knowledge for building and maintaining a secure system using the Java 2 platform. With detailed code and usage examples throughout, Inside Java™ 2 Platform Security, Second Edition, is an indispensable resource for all platform security needs.
The Java™ Series is supported, endorsed, and authored by the creators of the Java technology at Sun Microsystems, Inc. It is the official place to go for complete, expert, and definitive information on Java technology. The books in this Series provide the inside information you need to build effective, robust, and portable applications and applets. The Series is an indispensable resource for anyone targeting the Java™ 2 platform.
Preface
Inventing is a combination of brains and materials. The more brains you use, the less material you need.
—Charles Kettering
The phrases "computer security," "network security," and "information security" conjure up different notions and precepts to a given audience. Some tend to envision technical measures, such as cryptography, as the sole means by which security is attained. Others recognize the limitations of various technical measures and treat them as tools which, when used in combination with other technical measures, can accomplish the task at hand. The distinction is subtle but important. The phrase "platform security" reflects a holistic view of security. It suggests that the foundation is secure and can be relied upon as is or used as a secure subsystem to leverage when building larger systems. Building a secure platform is a very difficult and exacting task which historically has only been accomplished when security is a design requirement that is taken into consideration at the onset. The idea that security can be "bolted on" has been proven frail and fraught with failure modes, which has led to a multitude of security breaches.
Java technology is possibly the only general-purpose secure computing platform to become commercially successful. This would never have happened had the designers not taken security seriously from the start. The security properties of Java technology are many and the Java platform builds upon itself to create a reliable and secure platform. The Java 2 security model would be impossible to make trustworthy if it were not for the safety net provided by the Java language itself. The Java language specifies the semantics to ensure type safety and referential integrity and yet would fail miserably if it were not for the enforcement and assurances the Java Virtual Machine provides. Thus from these various secure subsystems we have created a greater whole.
The target audience of this book is varied. We believe this book will be a useful resource to those seeking a general understanding of the security foundation the Java 2 security architecture provides and relies upon. The book should also prove particularly useful to software practitioners building enterprise-class applications which must meet varied security requirements ranging from authentication to authorization to information protection. This book provides insight into some of the design tradeoffs we made as we developed the platform and the lessons we have learned as we continue to evolve and enhance the platform. We provide guidance to those needing to customize the security model for their specific purposes. We describe the inflection points we designed into the platform to accommodate those rare but critical customizations. Most of the aforementioned topics are targeted to system developers, yet we recognize that security is not limited to the implementation of an application. Equally important is the deployment of the application. For deployers we supply descriptions ranging from expressing security policy to hardening the installation of the runtime environment.
This book does not explain to any level of detail the Java programming language. We recommend the book by Arnold and Gosling as a good starting point. Also we do not cover the various security APIs in their entirety and thus we refer the reader to the Java 2 SDK documentation.
How This Book Is Organized
The text of this book is essentially organized to cater to the various audiences we previously described. The first two chapters supply background information providing the basis for more specific topics covered in subsequent chapters. The reader need not be proficient in the Java language to understand these introductory chapters. Chapters 3 through 6 describe the Java 2 security architecture, starting with general concepts and ending with comprehensive coverage of security policy enforcement. Chapters 7 through 11 are targeted towards the enterprise application developer, covering topics ranging from trust establishment to cryptography and network security. For these chapters, Java language proficiency is assumed. Chapter 12 is directly targeted towards deployers, who should also read chapter 8 for additional details regarding trust establishment. It is our belief that deployers need not be proficient in the Java language and that the sections of chapter 8 describing APIs can be ignored by them. The content of each chapter of this book is as follows.
Chapter 1. A general background on computer, network, and information security.
Chapter 2. A review of the Java security models, starting with the original sandbox and progressing to the fine-grained access control model.
Chapter 3. An in-depth look at the Java 2 security architecture, which is policy-driven and capable of enforcing fine-grained access controls.
Chapter 4. Detailed coverage of class loading, including a description of the class loader inheritance hierarchy and the runtime delegation hierarchy.
Chapter 5. An explanation of the security classes which supply the foundation for the enforcement of security policy at runtime.
Chapter 6. Thorough coverage of the policy enforcement classes and the design of the Java 2 security architecture access control algorithm.
Chapter 7. An explanation of the customization points provided for systems programmers who need to enhance the core security architecture.
Chapter 8. An outline of the trust establishment capabilities and mechanisms supplied by the security architecture.
Chapter 9. A presentation of common pitfalls and defensive programming strategies.
Chapter 10. Comprehensive coverage of the cryptography-related APIs.
Chapter 11. An operational overview of the APIs utilized to secure network protocols, including those for authentication, confidentiality and integrity protection.
Chapter 12. A presentation of the deployment options which may be used to securely deploy the Java runtime and Java technology-based applications.
Chapter 13. A look at the various Java technology platforms and a glance towards the future of Java security.
Table of Contents
Preface.
Preface to the First Edition.
Computer and Network Security Fundamentals.
Basic Security for the Java Programming Language.
Java 2 Security Architecture.
Secure Class Loading.
Elements of Security Policy.
Enforcing Security Policy.
Customizing Security Policy.
Establishing Trust.
Object Security.
Programming Cryptography.
Network Security.
Deploying the Security Architecture.
Other Platforms and Future Directions.
Bibliography.
Index.