|
|
Recommended: Sing it, brah! 5 fabulous songs for developers
JW's Top 5
Featured White Papers
- Measuring Risk to Improve Java Software Quality
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
-
Graph databases are 1000x faster than relational.
Learn More!
-
Career opportunities at Harman- Careers That'll Rock Your Socks Off.
Learn More!
-
Developer-friendly Java PDF libraries by Qoppa Software
Live Demos
-
Stop blaming your app! Diagnose Java performance issues.
Free tool >
-
UrbanCode: Go From Continuous Integration to
Continuous DeliveryLearn More!
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Java security evolution and concepts, Part 2
Discover the ins and outs of Java security
Page 5 of 6
The keystore
The keystore is a password-protected database that holds private keys and certificates. The password is selected at the time of creation. Each database entry can be guarded by its own password for extra security. Certificates accepted into the keystore are considered to be trusted. Keystore information can be used and updated by the security tools provided with the SDK.
Aspects of Java 2 Security
Aspects of Java 2 Security can be broadly classified as:
- Core security: the core classes that deal with security
- Security extensions: the optional packages that supplement the platform security
- Security tools: the Java 2 Software Development Kit (SDK) tools pertaining to security
- Application, applet, and plugin security: security deployment
In this article, I have focused on core security. I'll discuss the other aspects in subsequent articles.
Core security
Java 2's security pieces reside primarily in:
java.langjava.securityjava.security.certjava.security.interfacesjava.security.spec
Another Java 2 package, java.security.acl, which exists for historical reasons, has been superseded by classes in the java.security package.
Let's examine each major security-related class in more detail.
java.lang
The java.lang package contains the SecurityManager class discussed above, which allows applications to implement a security policy. Before performing a sensitive operation,
the SecurityManager determines the operation's identity and whether it can be performed in its security context. The manager contains many methods
that begin with the word check. The invocation of such a check method typically looks like this:
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkXXX(argument, . . . );
}
The special method checkPermission(java.security.Permission) determines whether an access request indicated by a specified permission should be granted or denied. The default implementation
calls:
AccessController.checkPermission(perm);
If a request is allowed, checkPermission returns quietly. If denied, a SecurityException is thrown. Refer to the "Sidebar 2: Security Exceptions" for an overview of security exceptions.
java.security
java.security contains most security classes and interfaces. It contains classes for access control, parameters for the various cryptographic
algorithms, code source, guarded objects, key management, message digests, permission, policy, protection domains, providers,
secure class loaders, random number generators, and digital signatures.
The following Java code can be used to produce a permission to read files in the /tmp directory.
FilePermission p = new FilePermission("/tmp/*", "read");
Entries in the policy file can also be used to achieve similar results. The following is a sample entry in the policy file that indicates the granularity of providing access.
// Sample policy file
grant signedBy "signer_names", codeBase "URL" {
permission permission_class_name "target_name", "action",
signedBy "signer_names";
};
Both the signedBy and codeBase name and value pairs are optional. The signedBy entry is an alias corresponding to the public key certificate of the private key used to sign the code. The alias name is
mapped to the certificate in the keystore. The entry below would grant read/write access to all /tmp files if the code were signed by "Duke". The URL where the code originated is irrelevant.
- Feedback
More from JavaWorld
Resources
- "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- JavaWorld security-related articles and resources
- "AESCryptography advances into the future," Raghavan Srinivas (JavaWorld, April 2000)
http://www.javaworld.com/jw-04-2000/jw-0428-aes.html - "A security roundup," Raghavan Srinivas (JavaOne Today, June 2000) -- highlights of JavaOne sessions and BOFs on topics relating to Java security
http://www.javaworld.com/javaone00/j1-00-security.html - JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html
- java.sun.com security-related resources
- For comprehensive Java security information, read java.sun.com's Java Security API page
http://java.sun.com/security - For the latest documentation on Java security, read the documentation that is part of Java 2 v1.3
http://java.sun.com/j2se/1.3/docs/guide/security/index.html - "Security on the Java Platform," Li Gong (JavaOne, 1999) -- Slides from a technical session covering Java security
http://java.sun.com/javaone/javaone98/sessions/T101/index.htm - More JavaOne 1999 Java security information
http://industry.java.sun.com/javaone/99/tracks/ - "Low Level Security in Java," Frank Yellin (December 1995)
http://java.sun.com/sfaq/verifier.html - For Java security Q&A archives, see
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security" (java.sun.com)
http://java.sun.com/sfaq/ - "TrailSecurity in Java 2 SDK 1.2," Mary Dageforde (java.sun.com)
http://web2.java.sun.com/docs/books/tutorial/security1.2/index.html
- Useful security-related books, documentation, and Websites
- Inside Java 2 Platform SecurityArchitecture, API Design, and Implementation, Li Gong (Addison Wesley, 1999)
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0201310007 - The University of Princeton's highly regarded Secure Internet Programming Website dedicates itself to computer security, especially
mobile code such as Java
http://www.cs.princeton.edu/sip - Read about the University of Washington's "Kimera -- A System Architecture for Networked Computers" site
http://kimera.cs.washington.edu - A comprehensive list of security problems with suggested remedial action, known as CERT advisories
http://www.cert.org - Applied CryptographyProtocols, Algorithms, and Source Code in C, 2nd Ed., Bruce Schneier (John Wiley and Sons, 1996) -- a fascinating book on the science and politics of cryptography
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471128457 - Find information and news about the Advanced Encryption Standard (AES) at the "AESCrypto Algorithm for the 21st Century" page
http://csrc.nist.gov/encryption/aes/ - Download RSA Labs's FAQ about today's cryptographyftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt
About Us | Advertise | Contact Us | Terms of Service/Privacy | AdChoices
Copyright, 2006-2013 Infoworld, Inc. All rights reserved.