| |
| |
| |
| The Background | |
| |
| |
| |
| A Security Primer | |
| |
| |
| The Security Problem | |
| |
| |
| Case Studies | |
| |
| |
| Survey Findings | |
| |
| |
| Computers, Networks and the Internet | |
| |
| |
| Security Concepts | |
| |
| |
| Security Attacks | |
| |
| |
| System Vulnerabilities | |
| |
| |
| Toward the Solution | |
| |
| |
| Enabling Technologies | |
| |
| |
| Security Management | |
| |
| |
| Application Security | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| A Quick Tour of the Java Platform | |
| |
| |
| Packaging of Java Platform | |
| |
| |
| Evolution of Java | |
| |
| |
| Java Security Model | |
| |
| |
| Java Language Security | |
| |
| |
| Access Control | |
| |
| |
| Cryptographic Security | |
| |
| |
| J2SE Platform | |
| |
| |
| J2SE APIs | |
| |
| |
| J2SE Deployment Technologies | |
| |
| |
| J2EE Platform | |
| |
| |
| Web Centric Architecture | |
| |
| |
| EJB Centric Architecture | |
| |
| |
| Multi-Tier Architecture | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| The Technology | |
| |
| |
| |
| Cryptography with Java | |
| |
| |
| Example Programs and crypttool | |
| |
| |
| Cryptographic Services and Providers | |
| |
| |
| Providers | |
| |
| |
| Algorithm and Implementation Independence | |
| |
| |
| Listing Providers | |
| |
| |
| Installing and Configuring a Provider | |
| |
| |
| Cryptographic Keys | |
| |
| |
| Java Representation of Keys | |
| |
| |
| Generating Keys | |
| |
| |
| Storing Keys | |
| |
| |
| Encryption and Decryption | |
| |
| |
| Algorithms | |
| |
| |
| Java API | |
| |
| |
| Message Digest | |
| |
| |
| Message Authentication Code | |
| |
| |
| Digital Signature | |
| |
| |
| Algorithms | |
| |
| |
| Java API | |
| |
| |
| Key Agreement | |
| |
| |
| Summary of Cryptographic Operations | |
| |
| |
| Cryptography with crypttool | |
| |
| |
| Limited versus Unlimited Cryptography | |
| |
| |
| Performance of Cryptographic Operations | |
| |
| |
| Practical Applications | |
| |
| |
| Legal Issues with Cryptography | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| PKI with Java | |
| |
| |
| Digital Certificates | |
| |
| |
| Managing Certificates | |
| |
| |
| Windows Certificate Store | |
| |
| |
| Managing Certificates with keytool | |
| |
| |
| Certification Authority | |
| |
| |
| Setting up a Minimal CA | |
| |
| |
| Issuing a Certificate | |
| |
| |
| Summary of Steps | |
| |
| |
| PKI Architectures | |
| |
| |
| Java API for PKI | |
| |
| |
| Certificates and Certification Paths | |
| |
| |
| Certificate Revocation List | |
| |
| |
| Repository of Certificates and CRLs | |
| |
| |
| Building Certification Paths | |
| |
| |
| Validating Certification Paths | |
| |
| |
| Applications of PKI | |
| |
| |
| Secure e-mail Communication | |
| |
| |
| Secure Online Communication | |
| |
| |
| Identification and Authentication | |
| |
| |
| Code Signing | |
| |
| |
| Software License Enforcement | |
| |
| |
| Contract Signing and Record Maintenance | |
| |
| |
| PKI Use-Cases | |
| |
| |
| Server Authentication for Online Transactions | |
| |
| |
| Authenticating a JCE Provider | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Access Control | |
| |
| |
| A Quick Tour of Java Access Control Features | |
| |
| |
| Access Control Based on Origin of Code | |
| |
| |
| Access Control Based on Code Signer | |
| |
| |
| Access Control Based on User | |
| |
| |
| Access Control Requirements for the Java Platform | |
| |
| |
| Applets within a Web Browser | |
| |
| |
| Standalone Java Programs | |
| |
| |
| Components within the J2EE Platform | |
| |
| |
| User Identification and Authentication | |
| |
| |
| User Login in a Java Application | |
| |
| |
| Login Configuration | |
| |
| |
| Callback Handler | |
| |
| |
| Running Code on Behalf of a User | |
| |
| |
| Policy-Based Authorization | |
| |
| |
| Java Policy Files | |
| |
| |
| Policy File Syntax | |
| |
| |
| Permission Types | |
| |
| |
| Enforcement of Permissions | |
| |
| |
| Developing a Login Module | |
| |
| |
| JSTK User Account Management System | |
| |
| |
| Login Module JSTKLoginModule | |
| |
| |
| Applying JASS to a Sample Application | |
| |
| |
| The Sample Application | |
| |
| |
| Authentication and Authorization Requirements | |
| |
| |
| JAAS Enabled Sample Application | |
| |
| |
| Performance Issues | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Securing the Wire | |
| |
| |
| Brief Overview of SSL | |
| |
| |
| Java API for SSL | |
| |
| |
| Running Programs EchoServer and EchoClient | |
| |
| |
| Mutual Authentication with Self-Signed Certificate | |
| |
| |
| Server Authentication with CA Signed Certificate | |
| |
| |
| KeyManager and TrustManager APIs | |
| |
| |
| Understanding SSL Protocol | |
| |
| |
| HTTP over SSL | |
| |
| |
| Java API for HTTP and HTTPS | |
| |
| |
| Custom Hostname Vetification | |
| |
| |
| Tunneling Through Web Proxies | |
| |
| |
| RMI Over SSL | |
| |
| |
| Performance Issues | |
| |
| |
| Trouble Shooting | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Securing the Message | |
| |
| |
| Message Security Standards | |
| |
| |
| A Brief Note on Handling XML | |
| |
| |
| XML Signature | |
| |
| |
| An Example | |
| |
| |
| XML Canonicalization | |
| |
| |
| Exclusive Canonicalization | |
| |
| |
| The Structure of the Signature Element | |
| |
| |
| Java API for XML Signature | |
| |
| |
| VeriSign's TSIK | |
| |
| |
| Infomosaic's SecureXML | |
| |
| |
| XML Encryption | |
| |
| |
| An Example | |
| |
| |
| Structure of the EncryptedData Element | |
| |
| |
| Java API for XML Encryption | |
| |
| |
| XML Encryption with TSIK | |
| |
| |
| XML Signature and Encryption Combinations | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| The Application | |
| |
| |
| |
| RMI Security | |
| |
| |
| Sample Application Using RMI | |
| |
| |
| Security from Downloaded Code | |
| |
| |
| SSL for Transport Security | |
| |
| |
| RMI and Access Control | |
| |
| |
| Processing Client Logins | |
| |
| |
| Modified main() of the Client and the Server | |
| |
| |
| Intercepting the Method Invocations | |
| |
| |
| Login Configuration and Policy Files | |
| |
| |
| Running the Application | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Web Application Security | |
| |
| |
| Java Web Applications | |
| |
| |
| Apache Tomcat | |
| |
| |
| Installing and Running Tomcat | |
| |
| |
| Exploring Tomcat Setup | |
| |
| |
| A Simple Web Application: RMB | |
| |
| |
| Security Requirements | |
| |
| |
| User Identification and Authentication | |
| |
| |
| User Account Systems | |
| |
| |
| Authorization | |
| |
| |
| Server Authentication | |
| |
| |
| Message Integrity and Confidentiality | |
| |
| |
| Audit Logs | |
| |
| |
| User Authentication Schemes | |
| |
| |
| Basic Authentication Scheme | |
| |
| |
| Digest Authentication Scheme | |
| |
| |
| FORM-Based Authentication Scheme | |
| |
| |
| Certificate-Based Authentication Scheme | |
| |
| |
| Web Container Security Features | |
| |
| |
| Declarative Security | |
| |
| |
| Programmatic Security | |
| |
| |
| HTTPS with Apache Tomcat | |
| |
| |
| Setup for Server Authentication | |
| |
| |
| Setup for Client Authentication | |
| |
| |
| Troubleshooting HTTPS Setup | |
| |
| |
| Performance Issues with HTTPS | |
| |
| |
| Common Vulnerabilities | |
| |
| |
| Command Injection Flaws | |
| |
| |
| Cross-Site Scripting (XSS) Flaws | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| EJB Security | |
| |
| |
| A Brief Overview of EJBs | |
| |
| |
| Working with WebLogic Server 7.0 | |
| |
| |
| Installing BEA WebLogic Server 7.0 | |
| |
| |
| Configuring a Domain and Running the Server | |
| |
| |
| Building Echo EJB | |
| |
| |
| Deploying Echo EJB | |
| |
| |
| Running the Client | |
| |
| |
| EJB Security Mechanisms | |
| |
| |
| Transport Security with SSL | |
| |
| |
| EJB Security Context and Programmatic Security | |
| |
| |
| Client Authentication | |
| |
| |
| JNDI Authentication | |
| |
| |
| JAAS Authentication | |
| |
| |
| Declarative Security for EJBs | |
| |
| |
| Declarative Security Example | |
| |
| |
| Overview of the Example | |
| |
| |
| Deployment Descriptors | |
| |
| |
| Building, Deploying and Running the Example Beans | |
| |
| |
| EJB Security and J2SE Access Control | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Web Service Security | |
| |
| |
| Web Services Standards | |
| |
| |
| Web Services In Java | |
| |
| |
| Apache Axis | |
| |
| |
| Installing and Running Axis | |
| |
| |
| A Simple Web Service | |
| |
| |
| A Web Service Client | |
| |
| |
| Watching the SOAP Messages | |
| |
| |
| Servlet Security for Web Services | |
| |
| |
| SSL Security for Web Services | |
| |
| |
| WS Security | |
| |
| |
| WS Security with Apache Axis | |
| |
| |
| WS Security Handlers | |
| |
| |
| WS Security Example | |
| |
| |
| Summary | |
| |
| |
| Further Reading | |
| |
| |
| |
| Conclusions | |
| |
| |
| Technology Stack | |
| |
| |
| Authentication and Authorization | |
| |
| |
| Distributed Application Security | |
| |
| |
| Comprehensive Security | |
| |
| |
| |
| Public Key Cryptography Standards | |
| |
| |
| |
| Standard Names--Java Cryptographic Services | |
| |
| |
| |
| JSTK Tools | |
| |
| |
| |
| Example Programs | |
| |
| |
| |
| Products Used For Examples | |
| |
| |
| |
| Standardization Bodies | |
| |
| |
| References | |
| |
| |
| Index | |