Java security evolution and concepts, Part 1: Security nuts and bolts

Learn computer security concepts and terms in this introductory overview

Page 3 of 7

If you're exchanging sensitive information with someone else, you want to be absolutely sure that only the intended recipient can make sense of the message and that, should it fall into the wrong hands, it is effectively useless. Confidentiality is accomplished by some form of cryptographic technique.

Authentication

The authentication process confirms the user's identity. The user could be a software entity or a human. A principal is the party whose identity is verified. Associated with a principal is a set of credentials. Usually, authentication confirms identity by some secret information -- a password, for example -- known only to the user and the authenticator. Beyond passwords, more sophisticated security schemes employ advanced techniques such as smart cards or biometrics (fingerprinting, retinal scans, and so on) for authentication.

Once authentication is established, the access granted to the user (or, more generally, the principal) is governed by the access control mechanisms in force.

Kerberos -- based on keys and encryption -- is an example of an early authentication technology. It relies on timestamps: sessions remain valid for a defined time period. To work properly, Kerberos fundamentally assumes that the clocks in a distributed system are synchronized.

Public key infrastructure (PKI), discussed in sections below, represents a more general authentication solution.

The Java Authentication and Authorization Service (JAAS) framework supplements the Java 2 platform with user-based authentication and access control capabilities. JAAS is a standard extension to the Java 2 Software Development Kit, v 1.3.

Integrity

Let's say that you sent an electronic check. When the bank ultimately receives the check, it needs to be sure that the payment amount has not been tampered with, a security concept known as integrity.

Nonrepudiation

In the electronic check scenario outlined above, if you indeed sent the check, there ought to be no way you can deny it. Nonrepudiation provides undeniable evidence of actions such as proof of origin of data to the recipient or receipt of data to the sender.

Auditing and logs

Keeping a record of resource access that was granted or denied might be useful for audit purposes later. To that end, auditing and logs serve the useful purposes of preventing a break-in or analyzing a break-in post mortem.

Policy and access control

A security policy focuses on controlling access to protected data. It's important that the security-enforcing mechanisms be flexible enough to enforce the policy. That is referred to as keeping the policy separate from the mechanism. While an access decision might be based on the identity of the principal, it is often easier to administer access control based on roles. Each principal is mapped to a unique role for the purposes of access control. Access control is often implemented as a list or matrix enumerating the access that different users/roles have to the different protected resources.
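The role-based access matrix described above, as an added example that is not code from the original article: the policy is plain data, the mechanism is a single default-deny check, and each decision is written to an audit log. The class name, principals, roles and resources are all hypothetical.

```java
import java.util.*;

public class AccessMatrixDemo {
    enum Action { READ, WRITE }

    // POLICY: plain data, editable without touching the enforcement code.
    static final Map<String, String> ROLE_OF = new HashMap<>(); // principal -> role
    static final Map<String, Map<String, EnumSet<Action>>> MATRIX = new HashMap<>(); // role -> resource -> actions

    static void grant(String role, String resource, Action... actions) {
        MATRIX.computeIfAbsent(role, r -> new HashMap<>())
              .computeIfAbsent(resource, r -> EnumSet.noneOf(Action.class))
              .addAll(Arrays.asList(actions));
    }

    // MECHANISM: one generic check. Anything the matrix does not grant is denied,
    // and every decision, granted or denied, is recorded for later audit.
    static final List<String> AUDIT_LOG = new ArrayList<>();

    static boolean isAllowed(String principal, String resource, Action action) {
        String role = ROLE_OF.get(principal); // null when the principal is unknown
        boolean allowed = role != null
                && MATRIX.getOrDefault(role, Collections.emptyMap())
                         .getOrDefault(resource, EnumSet.noneOf(Action.class))
                         .contains(action);
        AUDIT_LOG.add((allowed ? "GRANTED " : "DENIED  ") + principal
                + " (role=" + role + ") " + action + " " + resource);
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample policy: names and resources are made up for illustration.
        ROLE_OF.put("alice", "teller");
        ROLE_OF.put("bob", "auditor");
        grant("teller", "checks", Action.READ, Action.WRITE);
        grant("auditor", "checks", Action.READ);
        grant("auditor", "audit-log", Action.READ);

        isAllowed("alice", "checks", Action.WRITE);   // teller writing a check
        isAllowed("bob", "checks", Action.WRITE);     // auditor attempting a write
        isAllowed("alice", "audit-log", Action.READ); // role with no matrix entry for the resource
        isAllowed("mallory", "checks", Action.READ);  // principal with no role mapping
        AUDIT_LOG.forEach(System.out::println);
    }
}
```

Changing who may do what means editing only the `ROLE_OF` and `grant` entries; `isAllowed` stays the same, which is the separation of policy from mechanism.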


Resources