Java EE .Net security interoperability
In this article, an excerpt from Java EE and .Net Interoperability, authors Marina Fisher, Ray Lai, Sonu Sharma, and Laurence Moroney introduce the technologies and standards that secure a Java EE and .Net interoperable solution.
Marina Fisher, Ray Lai, Sonu Sharma and Laurence Moroney, June 2006

Secure your SOA
This article is part of a series of short articles that introduce readers to the industry's various Web services standards. These articles provide a quick introduction to these standards, their backgrounds, underlying architectures, benefits, status, and industry adoption. As some of the content may be a depiction of the authors' viewpoints, readers are encouraged to refer to the links provided in Resources to gain a deeper understanding of a particular standard. This article focuses on the XML and Web services security standards that influence a service-oriented architecture.
Ash Parikh, Anthony Sangha and Murty Gurajada, April 2006

Axis meets MOM
Web services is positioned as the technology for integration. For architects and developers on Java/Java Enterprise Edition platforms, Apache Axis is a key open source means by which SOAP-based Web services can be enabled for service-providing components. Most common Web services implementations, in spite of all their strengths, still suffer from the unreliability of the HTTP protocol and Web environment. While WS-Reliability is emerging to be a strong reliability standard, solutions requiring guaranteed mechanisms need to rely on message-oriented middleware (MOM) technologies. Asynchronous store-forward MOM technologies such as MQSeries, MSMQ (Microsoft Message Queuing), and SonicMQ are proven ways to achieve reliable and guaranteed information exchange. This article describes a solution that combines MOM and Apache Axis to achieve both guaranteed delivery and standards-based Web services for your integration undertakings. Note: This article is based on Apache Axis 1.2. Axis 2 currently has not reached release 1.0.
Gautam Shah, February 2006

Secure data files embedded in MIDP applications
Developers building standalone MIDP (Mobile Information Device Profile) applications often face the dilemma of securing data distributed in the JAR so that other people cannot steal it and use it to create a competing application. The Java Community Process is introducing new Java Specification Requests to address this issue. However, these approaches rely on cryptographic computation that is CPU intensive and not backwards compatible, and hence not portable to phones that don't support the new APIs. They are also overkill for independent developers looking for a simple mechanism to thwart copyright theft, not necessarily to bulletproof their data. This article describes a way to compress and protect data in a MIDP application.
Simon Ru, May 2005

Create an anonymous authentication module
Spam has become one of the biggest menaces on the Web. Many community-based applications force authentication only to distinguish a valid user from an automated spam-bot, which can be overkill in some cases. CAPTCHAs help in differentiating between real users and automated bots. In this article, Anand Raman uses CAPTCHAs as weak authentication mechanisms for J2EE Web applications. He begins with a quick introduction to both the J2EE Web application security model and CAPTCHAs. He then builds on these concepts to implement a JAAS (Java Authentication and Authorization Service) login module using CAPTCHAs and integrates it with an application server's existing security infrastructure. The artifacts are based on standard J2EE security mechanisms. Hence, the module can be reused on any J2EE application or across different application servers with some minor modifications.
Raman and Raman, March 2005

Solving the logout problem properly and elegantly
Properly handling the logout process in a password-protected Web application requires more than just calling the invalidate() method on the HttpSession object, because most modern browsers, with their Back and Forward buttons, allow users to move backward or forward through pages. If the Back button causes the browser to display stale pages from its cache after logout, users of these inadequately developed applications can become confused, lost, and left wondering what has or could have happened to their personal data. Many Web applications put up a page telling users to close their browsers completely, thus, in effect, preventing them from clicking the Back button. Others use JavaScript, which is not always active in clients' browsers. Most of these solutions are awkwardly implemented, fail to work 100 percent of the time under all circumstances, require too much training on the part of users, and/or compromise the user experience. This article presents solutions for properly handling the logout problem along with sample programs. Author Kevin Le starts by describing an ideal password-protected Web application. He then uses sample programs to illustrate how the problems manifest themselves and discusses the solutions required to fix them. By centering the discussion on JavaServer Pages (JSP), the article presents concepts that can be easily understood and adopted for other Web-tier technologies. Le concludes by showing how building Web applications with Jakarta Struts can solve the logout problem more elegantly. Sample programs for both JSP and Struts Web applications are included.
Kevin H. Le, September 2004

Graphs for security
Most programmers are familiar with the access-control list (ACL) as a data structure used for authorization. This article describes using a more robust structure called an access-control graph (ACG). The ACG has several advantages over traditional ACL designs and has special relevance in Web-based applications.
Efraim Berkovich, September 2004

J2EE security: Container versus custom
This article covers the factors to consider when choosing between custom security and J2EE standard security, also known as container security. It briefly covers how each type of security works and then illustrates their differences, strengths, and weaknesses. Although J2EE security itself applies to all components of an enterprise application, this discussion's main focus is Web application security or, more specifically, authentication.
Brian Pontarelli, July 2004

Jini Starter Kit 2.0 tightens Jini's security framework
Security for distributed systems based on mobile Java code is the theme of Sun Microsystems' new Jini Starter Kit, JSK 2.0. JSK 2.0 incorporates three new specifications: a new programming model and infrastructure for Jini services, a new implementation of Java RMI (Remote Method Invocation), and several changes to existing Jini tools and utilities. This article introduces JSK 2.0's security-related features.
Frank Sommers, May 2003

Cracking Java byte-code encryption
Vladimir Roubtsov, May 9, 2003

From stove-piped projects to unified enterprise architecture
In "US Department of Energy Signs On to J2EE" (JavaWorld, May 2002), Jian Zhong and Mike Lehr discussed, at the architectural level, how to create a secure single sign-on (SSO) service for multiple n-tier Web applications. After months of intensive research, design, and implementation, the SSO they developed for the Energy Information Administration of the US Department of Energy is now in production supporting real-world e-government applications. Since that article was first published, many readers have asked architectural and technical questions. In this article, Jian Zhong further discusses strategic considerations in developing an e-authentication service in enterprise environments. Readers will gain a deeper understanding of e-authentication, e-signature, and an enterprise architecture (EA) approach to reusability and information sharing.
Jian Zhong, March 2003

The first taste of Liberty
Prompting a user to separately log into closely affiliated Websites creates an awkward user experience. Web services that rely on one another may not even permit separate logins since they must operate without human intervention. The Liberty Alliance Project specifications provide a single sign-on mechanism for both Websites and Web services. This article explores how Liberty helps federate a user's identities from different service providers and uses that federated network identity to authenticate a user to many Web-accessible services. The article concludes with an example of how two Websites can use single sign-on.
Frank Sommers, March 2003

Secure Web services
Security is important for any kind of distributed computing environment. For Web services environments, security is becoming even more important due to Web services' unique characteristics. In this article, Sang Shin discusses these characteristics and explains why Web services need a different set of security schemes. He then examines the various Web services security schemes being designed and implemented by the industry. These new schemes are expected to accelerate the adoption of Web services, especially in the business community, where security is always a top priority.
Sang Shin, March 2003

Data security in mobile Java applications
The recent release of MIDP (Mobile Information Device Profile) features a major improvement over version 1.0. Version 2.0 includes enhanced mobile code and application security through a well-defined security manager and provisioning process. On the data and communication security front, MIDP 2.0 makes HTTPS support mandatory. HTTPS is currently the most widely used data security protocol in PersonalJava and J2ME/CDC (Java 2 Platform, Micro Edition/Connected Device Configuration) applications.
Michael Juntao Yuan, December 2002

Safeguard your XML-based messages
Web services are here to stay, but if you are like most software developers, you worry about the plaintext SOAP (Simple Object Access Protocol) messages being exchanged over the Web. Web services security is a hot topic today because the success of this exciting technology hinges directly upon how secure we can make it. To that end, the World Wide Web Consortium (W3C) has defined the XML Signature and XML Encryption specifications for digitally signing and encrypting XML-based communication messages, such as the SOAP messages used in Web services. Furthermore, companies such as IBM, Microsoft, and VeriSign have partnered to provide additional specifications, such as WS-Security (Web Services Security), that build upon these W3C specifications. And who hasn't heard of the Liberty Alliance Project, a consortium of companies led by Sun Microsystems to provide a standards-based single sign-on solution to Web services? In the midst of all these initiatives lies the Apache XML Security project, an open source project that currently implements the W3C XML Signature specification and will soon support the XML Encryption specification. This article serves as a tutorial to get you up to speed with this outstanding implementation.
Tarak Modi, December 2002
