Table of Contents
I. INTRODUCTION TO JAVA AND SECURITY.
1. An Overview of Java and Security. Java Is Not Just a Language. What Java Does. Java Is Not an Island: Java as a Part of Security. Understanding Java 2 Security. Summary.
2. Attack and Defense. Components of Java. Java 2 and Cryptography. Attacking the World of Java. Summary.
3. The New Java Security Model. The Need for Java Security. Evolution of the Java Security Model. Java 2 Protection Domain and Permissions Model. New Class Search Path. Java 2 Class Loading Mechanism. The Policy File. Security Manager vs Access Controller. Security Management with Java 2. Summary.
II. UNDER THE HOOD.
4. The Java Virtual Machine. The Java Virtual Machine, Close Up. Summary.
5. Class Files in Java 2. The Traditional Development Life Cycle. The Java Development Life Cycle. The Java 2 Class File Format. The Constant Pool. Java Bytecode.
6. The Class Loader and Class File Verifier. Class Loaders. The Class File Verifier. The Bytecode Verifier in Detail. An Incompleteness Theorem for Bytecode Verifiers. Summary.
7. The Java 2 Security Manager. What Security Manager Does. Operation of the Security Manager. Attacking the Defenses of Java. Avoiding SecurityHazards. Examples of Security Manager Extensions. Summary.
8. Security Configuration Files in the Java 2 SDK. A Note on java.home and the JRE Installation Directory. Keystores. The Security Properties File, java.security. Security Policy Files. An Example of Security Settings in the Java 2 Platform. File Read Access to Files in the Code Base URL Directory. Security Properties and Policy File Protection. How to Implement a Policy Server.
9. Java 2 SDK Security Tools. Key and Certificate Management Tool. Java Archive Tool. JAR Signing and Verification Tool. Policy File Creation and Management Tool.
10. Security APIs in Java. The Package java.security. The Package java.security.spec. The Package java.security.cert. Package java.security.interfaces. The Package java.security.acl. Examples Using the Java 2 Security APIs. The Permission Classes. How to Write Privileged Code.
11. The Java Plug-In. Main Features of Java Plug-In. What Does the Java Plug-In Do? Java Plug-In HTML Changes. Java Plug-In Control Panel. Java Plug-In Security Scenario.
12. Java Gets Out of Its Box. JAR Files and Applet Signing. Signed Code Scenario in JDK 1.1 and Sun HotJava. Signed Code Scenario in Java 2 SDK, Standard Edition, V1.2. Signed Code Scenario in Netscape Communicator. Signed Code Scenario in Microsoft Internet Explorer. The JAR Bug—Fixed In Java 2 SDK, Standard Edition, V1.2.1. Future Developments.
III. BEYOND THE ISLAND OF JAVA SURFING INTO THE UNKNOWN.
13. Cryptography in Java. Security Questions, Cryptographic Answers. The Java Cryptography Architecture Framework. JCA Terms and Definitions. Java Cryptography Extension. Java Cryptography in Practice. Asymmetric Encryption with the Java 2 SDK and JCE 1.2. How to Implement Your Own Provider.
14. Enterprise Java. Browser Add-On Applets. Networked Architectures. Secure Clients and Network Computers. Server-Side Java. Servlets. Distributed Object Architectures—RMI. Enterprise JavaBeans.
15. Java and Firewalls in and out of the Net. What Is a Firewall? What Does a Firewall Do? Detailed Example of TCP/IP Protocol. Proxy Servers and SOCKS Gateways. The Effect of Firewalls on Java. Java and Firewall Scenarios. Remote Method Invocation. Summary.
16. Java and SSL. What Is SSL? Using SSL from an Applet. Java and SSL with Sun Microsystems. How to Use Java and SSL. Java and SSL with IBM SSLite. Conclusions. Summary.
17. Epilogue. Future Directions of Java. Conclusion.
Appendix A: Getting Internal System Properties. Program GetAllProperties. Program GetProperty.
Appendix B: Signature Formats. Appendix C: X.509 Certificates. X.509 Certificate Versions.
Appendix D: Sources of Information about Java Security. Companies. Universities.
Appendix E: What's on the Diskette? How to Access the Diskette. How to Get the Same Software Material from the Web.
Appendix F: Special Notices. Appendix G: Related Publications. International Technical Support Organization Publications. Redbooks on CD-ROMs. Other Publications.
How to Get ITSO Redbooks. IBM Redbook Fax Order Form.
Glossary. Index. ITSO Redbook Evaluation.
Forewords & Introductions
PREFACE:
Preface
Java is fashionable, but is it reliable? Java is entertaining, but is it secure? Java is useful, but is it safe?
The purpose of this book is to answer those questions, from the point of view of people who want to use Java, but want to do so reliably, securely and safely. That makes this book different from much recent writing on Java, which focuses, perfectly legitimately, on how a Java system can be broken into and how to avoid those dangers. On the contrary, this book focuses on how Java can be made secure and how to exploit its strengths. The goal is to provide practical help to the various groups involved in making a Java-based application or Web site into an industrial-strength commercial proposition.
Various groups have different needs and different skills, which this book meets in its different parts.
- The first part is aimed at the intelligent non-specialist who oversees system management or application development, or incorporates Java into the security policy. Only a basic understanding of computers and a limited exposure to Java is assumed, but all the themes of Java security are introduced in a context that stresses over and over again how Java security must be seen as an integral part of system security.
- The second part goes into more detail on how Java security works, and is aimed more at system and network administrators and programmers, who need to know more of what is going on.
- The third part looks at the broader context in which Java operates, including some extensions to Java security and some aspects of its future.
This book explains the evolution of the Java security model, andthenfocuses on the Java 2 security architecture and its revolutionary domains of protection. It offers a very large number of examples to give you a better understanding of the technology involved.
The Team That Wrote This Redbook
This redbook was produced by a team of specialists from around the world working at the International Technical Support Organization Raleigh Center.The leader of this project was Marco Pistoia.
Marco Pistoia is a Network Security Specialist, working as a project leader at the International Technical Support Organization, Raleigh Center. He writes extensively and teaches IBM classes worldwide on all areas of the e-business Application Framework, WebSphere, Java and Internet security. Marco holds a degree with honors in Pure Mathematics from the University of Rome and a masters degree in Computer Science. Before joining the ITSO, he was a System Engineer in IBM Italy. He received an Outstanding Technical Achievement Award in 1996.
Duane F. Reller is a Senior Software Engineer in the System/390 Programming Laboratory in Endicott, New York, USA. He has 25 years of experience in System/390 Hardware and Software development. He has served in technical and management positions. He holds a Bachelor's degree in Electrical Technology and a Master of Science degree in Computer Science from the State University of New York at Binghamton. His areas of expertise include Hardware and Software System's Architecture and Management.
Deepak Gupta is a Senior Software Engineer in IBM, India. He has two and a half years of experience in Internet technologies. He holds a degree in Electronics and Communications from the University of Roorkee, India. His areas of expertise include Internet security and Electronic Commerce. Deepak was involved in IBM India's largest e-Commerce project and in India's first secured e-Commerce site allowing Rupee-based transactions, for which he was conferred the Employee of the Month Award. He has also given several talks on Internet security and e-Commerce.
Milind Nagnur is a Senior Associate in the Operations and Systems Risk Management (OSRM) group of Price Waterhouse Coopers in Mumbai, India. He has a couple of years of exposure in Internet technologies, with emphasis on security and control issues in real business applications. He holds a degree in Mechanical Engineering from the Indian Institute of Technology in Bombay, India, and an MBA from the Indian Institute of Management in Calcutta, India.Ashok K. Ramani is a Senior Software Engineer in IBM India. He has two and a half years of experience in Internet technologies. He holds a degree in MSc.(Tech.) Information Systems from the Birla Institute of Technology and Science, Pilani, India. His areas of expertise include Internet security and Electronic Commerce. Ashok was involved in IBM India's largest e-Commerce project and in India's first secure e-Commerce site allowing Rupee-based transactions for which he was conferred the Employee of the Month Award. He has won special recognition awards at IBM India for his contribution to e-Commerce projects. He has also presented several talks on Internet security and e-Commerce.
Comments Welcome
Your comments are important to us!
We want our redbooks to be as helpful as possible. Please send us your comments about this or other redbooks in one of the following ways:
- Fax the evaluation form found in "ITSO Redbook Evaluation" on page 713 to the fax number shown on the form.
- Use the online evaluation form found at ...
Read an Excerpt
PREFACE: Preface
Java is fashionable, but is it reliable? Java is entertaining, but is it secure? Java is useful, but is it safe?
The purpose of this book is to answer those questions, from the point of view of people who want to use Java, but want to do so reliably, securely and safely. That makes this book different from much recent writing on Java, which focuses, perfectly legitimately, on how a Java system can be broken into and how to avoid those dangers. On the contrary, this book focuses on how Java can be made secure and how to exploit its strengths. The goal is to provide practical help to the various groups involved in making a Java-based application or Web site into an industrial-strength commercial proposition.
Various groups have different needs and different skills, which this book meets in its different parts.
- The first part is aimed at the intelligent non-specialist who oversees system management or application development, or incorporates Java into the security policy. Only a basic understanding of computers and a limited exposure to Java is assumed, but all the themes of Java security are introduced in a context that stresses over and over again how Java security must be seen as an integral part of system security.
- The second part goes into more detail on how Java security works, and is aimed more at system and network administrators and programmers, who need to know more of what is going on.
- The third part looks at the broader context in which Java operates, including some extensions to Java security and some aspects of its future.
This book explains the evolution of the Java security model, and thenfocuses on the Java 2 security architecture and its revolutionary domains of protection. It offers a very large number of examples to give you a better understanding of the technology involved.
The Team That Wrote This Redbook
This redbook was produced by a team of specialists from around the world working at the International Technical Support Organization Raleigh Center.The leader of this project was Marco Pistoia.
Marco Pistoia is a Network Security Specialist, working as a project leader at the International Technical Support Organization, Raleigh Center. He writes extensively and teaches IBM classes worldwide on all areas of the e-business Application Framework, WebSphere, Java and Internet security. Marco holds a degree with honors in Pure Mathematics from the University of Rome and a masters degree in Computer Science. Before joining the ITSO, he was a System Engineer in IBM Italy. He received an Outstanding Technical Achievement Award in 1996.
Duane F. Reller is a Senior Software Engineer in the System/390 Programming Laboratory in Endicott, New York, USA. He has 25 years of experience in System/390 Hardware and Software development. He has served in technical and management positions. He holds a Bachelor's degree in Electrical Technology and a Master of Science degree in Computer Science from the State University of New York at Binghamton. His areas of expertise include Hardware and Software System's Architecture and Management.
Deepak Gupta is a Senior Software Engineer in IBM, India. He has two and a half years of experience in Internet technologies. He holds a degree in Electronics and Communications from the University of Roorkee, India. His areas of expertise include Internet security and Electronic Commerce. Deepak was involved in IBM India's largest e-Commerce project and in India's first secured e-Commerce site allowing Rupee-based transactions, for which he was conferred the Employee of the Month Award. He has also given several talks on Internet security and e-Commerce.
Milind Nagnur is a Senior Associate in the Operations and Systems Risk Management (OSRM) group of Price Waterhouse Coopers in Mumbai, India. He has a couple of years of exposure in Internet technologies, with emphasis on security and control issues in real business applications. He holds a degree in Mechanical Engineering from the Indian Institute of Technology in Bombay, India, and an MBA from the Indian Institute of Management in Calcutta, India.Ashok K. Ramani is a Senior Software Engineer in IBM India. He has two and a half years of experience in Internet technologies. He holds a degree in MSc.(Tech.) Information Systems from the Birla Institute of Technology and Science, Pilani, India. His areas of expertise include Internet security and Electronic Commerce. Ashok was involved in IBM India's largest e-Commerce project and in India's first secure e-Commerce site allowing Rupee-based transactions for which he was conferred the Employee of the Month Award. He has won special recognition awards at IBM India for his contribution to e-Commerce projects. He has also presented several talks on Internet security and e-Commerce.
Comments Welcome
Your comments are important to us!
We want our redbooks to be as helpful as possible. Please send us your comments about this or other redbooks in one of the following ways:
- Fax the evaluation form found in "ITSO Redbook Evaluation" on page 713 to the fax number shown on the form.
- Use the online evaluation form found at ...
loading...