Section | Page |
--- | --- |
Acknowledgments | p. xiii |
Introduction | p. xv |
Case Study | p. xxi |
J2EE Architecture and Technology Introduction | |
The Java Basics: Security from the Ground Up | p. 3 |
Java Then and Now | p. 4 |
Java Language Architecture | p. 5 |
The Java Virtual Machine | p. 5 |
An Interpreted Language: Java Bytecodes | p. 6 |
The Java Class Loader and Built-in Security | p. 6 |
Other Language Features | p. 7 |
Java Security Architecture | p. 7 |
Protection Domains | p. 8 |
Security Controls for Java Class Loading | p. 10 |
Java Permissions | p. 12 |
Java Security Policies | p. 13 |
The Java Security Properties File | p. 14 |
The Java Security Policy File | p. 15 |
Security Manager Checking | p. 18 |
Java Principals and Subjects | p. 19 |
Summary | p. 20 |
Introduction to JAAS, JCE, and JSSE | p. 21 |
Java Authentication and Authorization Services (JAAS) | p. 22 |
JAAS Architecture | p. 23 |
JAAS Authentication | p. 24 |
JAAS Authorization | p. 38 |
Java Encryption | p. 41 |
Encryption Fundamentals | p. 41 |
Java Cryptography Extension (JCE) | p. 43 |
The Keytool Utility | p. 46 |
Java Secure Sockets Extension (JSSE) | p. 48 |
SSL Fundamentals | p. 48 |
Library and Certificate Installation | p. 49 |
JSSE Demonstration Program | p. 50 |
Securing JAR Files | p. 56 |
The jarsigner Utility | p. 57 |
The Sealed Directive | p. 57 |
Summary | p. 58 |
J2EE Architecture and Security | p. 59 |
Middleware and Distributed Software Components | p. 60 |
Middleware Development | p. 60 |
Multitiered Application Development | p. 61 |
The Multitiered Environment | p. 62 |
J2EE Multitiered Technologies | p. 63 |
Web Tier Components: Servlets and JSP | p. 65 |
Servlets | p. 65 |
JSP | p. 69 |
JSP Use | p. 70 |
Business Tier Components: EJBs | p. 71 |
Services Provided by the EJB Container | p. 71 |
Types of EJBs | p. 73 |
EJB Deployment | p. 75 |
Development Roles with J2EE | p. 75 |
EJB Development | p. 78 |
Other J2EE APIs | p. 85 |
EJB Security Architecture | p. 87 |
Principals and Roles | p. 87 |
Declarative Security and Programmatic Security | p. 88 |
System-Level Security | p. 89 |
Security on the Presentation Tier | p. 89 |
Security on the Business Tier | p. 92 |
Defining Security Roles | p. 92 |
Mapping Roles | p. 93 |
Assigning Principals to Roles | p. 94 |
Security for Resources | p. 95 |
Summary | p. 97 |
Java Application and Network Security | |
Using Encryption and Authentication to Protect an Application | p. 101 |
Application Security: The Process | p. 102 |
System-level versus Application-level Security | p. 102 |
Application Security Techniques | p. 103 |
The Dangers of Storing Data Locally | p. 104 |
Summary | p. 134 |
Software Piracy and Code Licensing Schemes | p. 137 |
The Dangers of Code Misuse | p. 138 |
Another Licensing Strategy | p. 147 |
Secret Key Storage | p. 148 |
Summary | p. 156 |
The Exposure of Bytecodes | p. 157 |
The Dangers of Reverse-Engineering | p. 158 |
The Dangers of Embedded Strings | p. 178 |
Summary | p. 180 |
Hacking Java Client-Server Applications: Another Tier to Attack | p. 181 |
The Client-Server Implementation | p. 182 |
The Dangers of A Client-Server Architecture | p. 183 |
Watching the Basket: Application Database Security | p. 185 |
Securing the Database Connection | p. 187 |
Protecting the Client-Tier | p. 201 |
Protecting Applet-based Clients | p. 213 |
Protecting WebStart-based Clients | p. 227 |
Summary | p. 233 |
Java Network Applications: Potential Security Flaw Attacks | p. 235 |
The Dangers of RMI | p. 236 |
The Original RMI Application | p. 236 |
Encrypting the Account Number and Balance | p. 245 |
Using an SSL Connection between the Client and Server | p. 252 |
Implementing Challenge/Response Authentication | p. 257 |
Using an Authenticated Communications Channel | p. 260 |
The Dangers of Loading Class and JAR Files Remotely | p. 274 |
Summary | p. 276 |
J2EE Security on the Web and Business Tiers | |
This is .WAR: Exploiting Java Web Tier Components | p. 279 |
The Sample Application: Web-Enabled | p. 281 |
Implementing our Cache-Control Strategy | p. 315 |
Summary | p. 319 |
Shaking the Foundation: Web Container Strengths and Weaknesses | p. 321 |
The Effects of Directory Listing | p. 322 |
The Invoker Servlet | p. 324 |
Stealing a Session | p. 328 |
Generating a Server Key | p. 331 |
Enabling HTTPS in Tomcat | p. 332 |
Testing the Installation | p. 333 |
Adding a Transport Guarantee | p. 334 |
Client Certificate Authentication | p. 335 |
Configuring Tomcat to use SSL with Client Authentication | p. 336 |
Container Authentication Using a Client Certificate | p. 337 |
Dealing with Overlapping Application Roles | p. 342 |
Summary | p. 345 |
Java Web Services Security | p. 347 |
Web Services in Java | p. 348 |
Web Services Technologies | p. 349 |
The Web Services Developer Pack | p. 350 |
The Web Services-Enabled Application Implementation | p. 351 |
The Retirement Web Services Suite: Server Side | p. 352 |
The Retirement Web Services Suite: Client Side | p. 355 |
Web Services Application Vulnerabilities | p. 358 |
Requiring SSL Connections | p. 361 |
Implementing HTTP Authentication | p. 366 |
Disabling WSDL Distribution | p. 368 |
Enabling Programmatic Authorization | p. 370 |
Passing Database Passwords As Context Parameters | p. 373 |
Web Services Workflow Security | p. 374 |
The Future of Web Services Security | p. 378 |
SOAP Security Extensions: Digital Signature | p. 378 |
WS-Security | p. 379 |
Summary | p. 380 |
Enterprise Java Beans: Security for the Business Tier | p. 381 |
The EJB Application Implementation | p. 382 |
The EJB Persistence Service | p. 383 |
The Get and Set Balance Methods | p. 384 |
The Beans | p. 385 |
EJB Application Vulnerabilities | p. 389 |
Common Pitfalls When Using Message-Driven Beans | p. 400 |
The Message-Driven Bean Implementation | p. 401 |
Summary | p. 411 |
Index | p. 413 |