Some reader favorites:
EJB fundamentals and session beans
Create a scrollable virtual desktop in Swing
Web services test code generator
Klaus Berg has recently released a test-code generator for JUnit-based Web service clients. If you're developing Web services
using Axis2 and XMLBeans this wizard could turn your JUnit test client coding into a powerful code generation process. It
also has uses for those using GUI-based testing tools like soapUI.
| Memory Analysis in Eclipse |
| Enterprise AJAX - Transcend the Hype |
Network security deals with securing the communication channel between two entities so they can communicate -- each entity confident in the other's identity and in the integrity of the messages exchanged over the channel.
A number of reasons make building secure networked applications a challenge. The difficult subjects upon which modern security is built (such as cryptography) can sometimes confuse developers. Also puzzling are the opaque presentations of key standards and technologies -- such as the X.509 certificate standards. However, at the end of the day, network security is difficult because the characteristics of the network medium itself prove hard to understand. The following analogy illustrates why:
When we converse in everyday life, information about the party with whom we communicate comes through multiple mediums, such as sight and sound. We use this information to authenticate the other party's identity and to judge the channel's quality. Even when we converse over the phone, we can adeptly judge the identity of the party on the other end from nuances in tone, speed, and inflection, not to mention the conversation's context.
Communication over a medium such as the Internet provides far fewer clues. Imagine speaking with a friend in another room through a tin can telephone. Its poor signal quality obliterates many of the audible clues we use to identify each other. The tin can scenario resembles the situation that most applications experience on the Internet or other networks.
Security in the network context consists of authenticating the other entity over this anonymizing channel, and protecting the communicated information from eavesdropping and accidental or malicious modification.
I have written extensively about the tools and technologies used to secure communication at the network level (see Resources). I focus this article on practical guidelines to follow and issues to consider when designing and implementing a network security solution.
Designing a security solution begins with the information you need to protect. Moving financial transactions across the Internet requires much stronger security than downloading a Webpage full of last week's sports scores. When selecting the technology and creating a design, you should consider the following design issues:
As an excellent case in point, the first version of the Mobile Information Device Profile lacked SSL (secure socket layer) support -- an essential component of an end-to-end Web security solution -- primarily because of the perception that SSL proves too heavy for mobile devices. In response to this concern, Vipul Gupta of Sun Microsystems Laboratories built a standards-compliant SSL implementation for J2ME. His work demonstrates that small devices can achieve acceptable SSL performance. Gupta's implementation achieves that goal because it supports only a reduced set of the most popular cipher suites, lacks support for client authentication by the server (an operation with a costly client-side component), and reuses expensive RSA (Rivest-Shamir-Adleman) computations across multiple connections to the same server. See Resources for more information.
It almost goes without saying that selecting the right technology is important when implementing a network security solution. The choice affects the longevity and quality of the security offered as well as an application's ability to integrate into an existing security infrastructure. The JDK provides a broad range of security APIs. The following list will help you identify and select the right technology for your problem:
java.security)
javax.crypto)
java.security.cert)
javax.net.ssl)
javax.security.auth)
The JDK 1.4 beta includes:
org.ietf.jgss)
java.security.cert)
These standard APIs will handle many of your security-related Web application and enterprise integration tasks.
It is not wise to design a network security solution without considering the network. The systems on which an application runs and the network over which it communicates all place their mark on a design.
Consider this edge case: You build an application that runs completely within a secure network. If the network proves secure -- and this means the network is physically protected, and the users are trusted and only carefully granted access -- then you have little need to secure the application itself. In many cases the network is not as secure as believed, and developers fail to secure the application because leaving security mechanisms out is easier than building them. However, some situations justify this approach. For example, in a clustered environment with multiple instances of an application running and communicating to balance load, it's often sufficient to secure the cluster as a whole, not the application.