Some reader favorites:
EJB fundamentals and session beans
Create a scrollable virtual desktop in Swing
Wizard API updated!
Tim Boudreau has released a new version of the Swing Wizard library (version 0.997) that fixes the WizardException bug reported in JavaWorld's recent Open Source Java Project profile. The article's examples have been reworked to test out the new, improved WizardException. Thanks, Tim, for this helpful fix!
Open Source Java Projects: The Wizard API
Featured Whitepapers
Construct secure networked applications with certificates, Part 4
Authenticate clients and servers, and verify certificate chains
Over the course of the last several months, you've learned about public-key cryptography, X.509 certificates, and certificate revocation lists. You've surveyed their associated Java classes, and you've come to understand their importance. Now you need to learn how to use them, and that's where you're headed this month.You can read the whole series on certificates:
- Part 1: Certificates add value to public-key cryptography
- Part 2: Learn to use the X.509 certificates
- Part 3: Use the Java CRL and X509CRL classes
- Part 4: Authenticate clients and servers, and verify certificate chains
Imagine the following scenario: You're building a distributed application for the health insurance industry. The HIPPA (Health Insurance Portability and Accountability Act of 1996) Security Guidelines require secure access to sensitive information stored in compliant systems. Those requirements encompass both access by individuals and access by other applications. Therefore, in your distributed system, interactions between the components must be secure. Client applications must be able to authenticate the servers they connect to before transmitting sensitive information. Servers must be able to authenticate client applications before accepting and operating on sensitive information provided by clients.
One way to provide authentication is to use SSL (Secure Socket Layer). SSL, which is available for Java in the JSSE (Java Secure Socket Extension), handles authentication among communicating processes using X.509 technology and provides encryption support using various encryption algorithms of assorted strengths. For many applications, honestly, this is the way to go, especially if you want an out-of-the-box solution and can guarantee that both sides provide SSL support. However, SSL won't work in some cases; maybe you don't need it, can't use it, or don't want to use it. In those cases you have to provide similar functionality yourself.
Authentication
Let's take a high-level look at the problem. Consider the following interactions between a client and a server, which are typical of both SSL-enabled applications (although hidden from view) and the custom applications built using X.509 technology:
- The client opens a connection to the server and asks the server to authenticate itself.
- The server authenticates itself and -- optionally -- asks the client to authenticate itself. Client authentication, while possible with SSL, is seldom used in most SSL transactions. However, for enterprise applications, in which auditing of all transactions is important, client authentication provides the only way to determine for sure that the client's claimed identity is legitimate.
- The client authenticates itself. If the client desires an encrypted connection, it takes steps to establish one. I won't describe the process of establishing an encrypted connection at this time.
- The client begins the transaction.
Server authentication and client authentication essentially mirror each other, so it's sufficient to talk about one or the other. Let's look closely at the server authentication process (steps 1 and 2).
- "Construct Secure Networked Applications with Certificates," Todd Sundsted (JavaWorld)
- Part 1Certificates add value to public-key cryptography (January 12, 2001)
- Part 2Learn to use the X.509 certificates (February 16, 2001)
- Part 3Use the Java CRL and X509CRL classes (March 16, 2001)
- Part 4Authenticate clients and servers, and verify certificate chains (April 13, 2001)
- Download the source and resource files that accompany this article
http://www.javaworld.com/javaworld/jw-04-2001/howto/jw-0413-howto.zip - JCE (Java Cryptography Extension)
http://java.sun.com/products/jce/ - JSSE (Java Secure Socket Extension)
http://java.sun.com/products/jsse/ - Sun's documentation
http://java.sun.com/j2se/1.3/docs/api/java/security/cert/package-summary.html - Internet X.509 Public Key Infrastructure -- Certificate and CRL Profile
http://www.ietf.org/rfc/rfc2459.txt - The emerging specification that will make RFC 2459 obsolete (note that this URL may change as the spec is updated)
http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-06.txt - Information on Java Specification Request #55
http://java.sun.com/aboutJava/communityprocess/jsr/jsr_055_certp.html - Read more articles on Java Security in the JavaWorld Topical Index
http://www.javaworld.com/javaworld/topicalindex/jw-ti-security.html - Have a security question? Check out ITworld.com's Java Security discussion
http://www.itworld.com/jump/jw-0413-howto/forums.itworld.com/webx?14@@.ee6b80e - Sign up for the JavaWorld This Week free weekly email newsletter and keep up with what's new at JavaWorld
http://www.idg.net/jw-subscribe - For a complete listing of all How-To Java columns
http://www.javaworld.com/javaworld/topicalindex/jw-ti-howto.html
Free Download - 5 Minute Product Review. When slow equals Off: Manage the complexity of Web applications - Symphoniq
Free Download - 5 Minute Product Review. Realize the benefits of real user monitoring in less than an hour. - Symphoniq