The Background

A Security Primer
    The Security Problem
    Case Studies
    Survey Findings
    Computers, Networks and the Internet
    Security Concepts
    Security Attacks
    System Vulnerabilities
    Toward the Solution
    Enabling Technologies
    Security Management
    Application Security
    Summary
    Further Reading

A Quick Tour of the Java Platform
    Packaging of Java Platform
    Evolution of Java
    Java Security Model
    Java Language Security
    Access Control
    Cryptographic Security
    J2SE Platform
    J2SE APIs
    J2SE Deployment Technologies
    J2EE Platform
    Web Centric Architecture
    EJB Centric Architecture
    Multi-Tier Architecture
    Summary
    Further Reading

The Technology

Cryptography with Java
    Example Programs and crypttool
    Cryptographic Services and Providers
    Providers
    Algorithm and Implementation Independence
    Listing Providers
    Installing and Configuring a Provider
    Cryptographic Keys
    Java Representation of Keys
    Generating Keys
    Storing Keys
    Encryption and Decryption
    Algorithms
    Java API
    Message Digest
    Message Authentication Code
    Digital Signature
    Algorithms
    Java API
    Key Agreement
    Summary of Cryptographic Operations
    Cryptography with crypttool
    Limited versus Unlimited Cryptography
    Performance of Cryptographic Operations
    Practical Applications
    Legal Issues with Cryptography
    Summary
    Further Reading

PKI with Java
    Digital Certificates
    Managing Certificates
    Windows Certificate Store
    Managing Certificates with keytool
    Certification Authority
    Setting up a Minimal CA
    Issuing a Certificate
    Summary of Steps
    PKI Architectures
    Java API for PKI
    Certificates and Certification Paths
    Certificate Revocation List
    Repository of Certificates and CRLs
    Building Certification Paths
    Validating Certification Paths
    Applications of PKI
    Secure e-mail Communication
    Secure Online Communication
    Identification and Authentication
    Code Signing
    Software License Enforcement
    Contract Signing and Record Maintenance
    PKI Use-Cases
    Server Authentication for Online Transactions
    Authenticating a JCE Provider
    Summary
    Further Reading

Access Control
    A Quick Tour of Java Access Control Features
    Access Control Based on Origin of Code
    Access Control Based on Code Signer
    Access Control Based on User
    Access Control Requirements for the Java Platform
    Applets within a Web Browser
    Standalone Java Programs
    Components within the J2EE Platform
    User Identification and Authentication
    User Login in a Java Application
    Login Configuration
    Callback Handler
    Running Code on Behalf of a User
    Policy-Based Authorization
    Java Policy Files
    Policy File Syntax
    Permission Types
    Enforcement of Permissions
    Developing a Login Module
    JSTK User Account Management System
    Login Module JSTKLoginModule
    Applying JAAS to a Sample Application
    The Sample Application
    Authentication and Authorization Requirements
    JAAS Enabled Sample Application
    Performance Issues
    Summary
    Further Reading

Securing the Wire
    Brief Overview of SSL
    Java API for SSL
    Running Programs EchoServer and EchoClient
    Mutual Authentication with Self-Signed Certificate
    Server Authentication with CA Signed Certificate
    KeyManager and TrustManager APIs
    Understanding SSL Protocol
    HTTP over SSL
    Java API for HTTP and HTTPS
    Custom Hostname Verification
    Tunneling Through Web Proxies
    RMI Over SSL
    Performance Issues
    Troubleshooting
    Summary
    Further Reading

Securing the Message
    Message Security Standards
    A Brief Note on Handling XML
    XML Signature
    An Example
    XML Canonicalization
    Exclusive Canonicalization
    The Structure of the Signature Element
    Java API for XML Signature
    VeriSign's TSIK
    Infomosaic's SecureXML
    XML Encryption
    An Example
    Structure of the EncryptedData Element
    Java API for XML Encryption
    XML Encryption with TSIK
    XML Signature and Encryption Combinations
    Summary
    Further Reading

The Application

RMI Security
    Sample Application Using RMI
    Security from Downloaded Code
    SSL for Transport Security
    RMI and Access Control
    Processing Client Logins
    Modified main() of the Client and the Server
    Intercepting the Method Invocations
    Login Configuration and Policy Files
    Running the Application
    Conclusions
    Summary
    Further Reading

Web Application Security
    Java Web Applications
    Apache Tomcat
    Installing and Running Tomcat
    Exploring Tomcat Setup
    A Simple Web Application: RMB
    Security Requirements
    User Identification and Authentication
    User Account Systems
    Authorization
    Server Authentication
    Message Integrity and Confidentiality
    Audit Logs
    User Authentication Schemes
    Basic Authentication Scheme
    Digest Authentication Scheme
    FORM-Based Authentication Scheme
    Certificate-Based Authentication Scheme
    Web Container Security Features
    Declarative Security
    Programmatic Security
    HTTPS with Apache Tomcat
    Setup for Server Authentication
    Setup for Client Authentication
    Troubleshooting HTTPS Setup
    Performance Issues with HTTPS
    Common Vulnerabilities
    Command Injection Flaws
    Cross-Site Scripting (XSS) Flaws
    Summary
    Further Reading

EJB Security
    A Brief Overview of EJBs
    Working with WebLogic Server 7.0
    Installing BEA WebLogic Server 7.0
    Configuring a Domain and Running the Server
    Building Echo EJB
    Deploying Echo EJB
    Running the Client
    EJB Security Mechanisms
    Transport Security with SSL
    EJB Security Context and Programmatic Security
    Client Authentication
    JNDI Authentication
    JAAS Authentication
    Declarative Security for EJBs
    Declarative Security Example
    Overview of the Example
    Deployment Descriptors
    Building, Deploying and Running the Example Beans
    EJB Security and J2SE Access Control
    Summary
    Further Reading

Web Service Security
    Web Services Standards
    Web Services in Java
    Apache Axis
    Installing and Running Axis
    A Simple Web Service
    A Web Service Client
    Watching the SOAP Messages
    Servlet Security for Web Services
    SSL Security for Web Services
    WS Security
    WS Security with Apache Axis
    WS Security Handlers
    WS Security Example
    Summary
    Further Reading

Conclusions
    Technology Stack
    Authentication and Authorization
    Distributed Application Security
    Comprehensive Security

Public Key Cryptography Standards

Standard Names--Java Cryptographic Services

JSTK Tools

Example Programs

Products Used for Examples

Standardization Bodies

References

Index