|
|
Recommended: Sing it, brah! 5 fabulous songs for developers
JW's Top 5
Featured White Papers
- Measuring Risk to Improve Java Software Quality
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
-
Graph databases are 1000x faster than relational.
Learn More!
-
Career opportunities at Harman- Careers That'll Rock Your Socks Off.
Learn More!
-
Developer-friendly Java PDF libraries by Qoppa Software
Live Demos
-
Stop blaming your app! Diagnose Java performance issues.
Free tool >
-
UrbanCode: Go From Continuous Integration to
Continuous DeliveryLearn More!
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Java security evolution and concepts, Part 2
Discover the ins and outs of Java security
Page 3 of 6
Figure 4. Java 2 security architecture
Byte-code verifier
Since Java code can be imported from anywhere in the network, it is critical to screen the code to be sure that it was produced by a trustworthy compiler. The byte-code verifier, sometimes referred to as a mini-theorem prover, tries to prove that a given series of Java byte codes are legal.
Among other things, it verifies the format of the class file - it must have the right length, the correct magic numbers, no operand stack overflows and underflows, and so on. In short, the verifier confirms or denies that the class file is consistent with the specifications. Although Figure 4 appears to indicate that byte-code verification occurs when the class is loaded, some of these checks may be delayed until just before the byte code is first executed.
Even though the byte-code verifier serves an important purpose, it is not very interesting from a programming standpoint because its behavior cannot be altered programmatically. The behavior may be altered with command line options on the interpreter, when applicable.
ClassLoader
The ClassLoader, which loads Java byte codes into the JVM, is an important link in the security chain. It works in conjunction with the SecurityManager and the access controller to enforce security rules. Notice in Figure 4 that the ClassLoader is involved in enforcing some security decisions earlier in an object's lifetime than the security manager. Also, information about the URL from which the code originated and the code's signers is initially available to the ClassLoader.
It is possible to implement a customized ClassLoader or a subclass from java.security.SecureClassLoader to provide security features beyond those offered by the standard Java 2 Security model.
The ClassLoader, as its name indicates, loads classes into the VM. It is also responsible for the concept of namespaces at runtime, which are created by packages. With namespaces, identically named identifiers can refer to different objects.
Since a ClassLoader is itself a class, some bootstrapping is necessary early on. The ClassLoader, referred to as the primordial class loader and usually written in a native language, loads the bootstrap classes in a platform-dependent manner.
Some classes defined in the java.* package are essential to the JVM and the runtime system. These are referred to as system classes, loaded by the System ClassLoader. The terminology sometimes extends to all classes found in the CLASSPATH environment variable.
Typically, a ClassLoader hierarchy is created as more classes are loaded.
CodeSource
Since Java code can be downloaded over a network, the code's origin and author are critical to maintaining a secure environment.
Consequently, the object java.security.CodeSource fully describes a piece of code. The CodeSource encapsulates the code's origin, which is specified as an URL, and the set
of digital certificates containing public keys corresponding to the set of private keys used to sign the code.
- Feedback
More from JavaWorld
Resources
- "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- JavaWorld security-related articles and resources
- "AESCryptography advances into the future," Raghavan Srinivas (JavaWorld, April 2000)
http://www.javaworld.com/jw-04-2000/jw-0428-aes.html - "A security roundup," Raghavan Srinivas (JavaOne Today, June 2000) -- highlights of JavaOne sessions and BOFs on topics relating to Java security
http://www.javaworld.com/javaone00/j1-00-security.html - JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html
- java.sun.com security-related resources
- For comprehensive Java security information, read java.sun.com's Java Security API page
http://java.sun.com/security - For the latest documentation on Java security, read the documentation that is part of Java 2 v1.3
http://java.sun.com/j2se/1.3/docs/guide/security/index.html - "Security on the Java Platform," Li Gong (JavaOne, 1999) -- Slides from a technical session covering Java security
http://java.sun.com/javaone/javaone98/sessions/T101/index.htm - More JavaOne 1999 Java security information
http://industry.java.sun.com/javaone/99/tracks/ - "Low Level Security in Java," Frank Yellin (December 1995)
http://java.sun.com/sfaq/verifier.html - For Java security Q&A archives, see
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security" (java.sun.com)
http://java.sun.com/sfaq/ - "TrailSecurity in Java 2 SDK 1.2," Mary Dageforde (java.sun.com)
http://web2.java.sun.com/docs/books/tutorial/security1.2/index.html
- Useful security-related books, documentation, and Websites
- Inside Java 2 Platform SecurityArchitecture, API Design, and Implementation, Li Gong (Addison Wesley, 1999)
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0201310007 - The University of Princeton's highly regarded Secure Internet Programming Website dedicates itself to computer security, especially
mobile code such as Java
http://www.cs.princeton.edu/sip - Read about the University of Washington's "Kimera -- A System Architecture for Networked Computers" site
http://kimera.cs.washington.edu - A comprehensive list of security problems with suggested remedial action, known as CERT advisories
http://www.cert.org - Applied CryptographyProtocols, Algorithms, and Source Code in C, 2nd Ed., Bruce Schneier (John Wiley and Sons, 1996) -- a fascinating book on the science and politics of cryptography
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471128457 - Find information and news about the Advanced Encryption Standard (AES) at the "AESCrypto Algorithm for the 21st Century" page
http://csrc.nist.gov/encryption/aes/ - Download RSA Labs's FAQ about today's cryptographyftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt
About Us | Advertise | Contact Us | Terms of Service/Privacy | AdChoices
Copyright, 2006-2013 Infoworld, Inc. All rights reserved.