9.9. Signing Objects

Recall the earlier discussion about the need to protect an object while it is in its serialized state and in transit. In fact, quite a few situations exist in which the authenticity of an object and its state must be assured. Following are three examples.

  • An object acting as an authentication or authorization token is passed around within a Java runtime as part of the security system's functions. Such a token must be unforgeable, and any modification to its state, whether innocent or malicious, must be detected.

  • An object is transported across machines (JVMs), and its authenticity still needs to be verified.

  • An object’s state is stored outside the Java runtime, for example, written to disk so that it can be restored when the JVM restarts.
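As an added example that is not part of the book's text, the following program shows how the JDK's java.security.SignedObject class addresses all three cases above: the token is serialized and signed once, the resulting SignedObject can itself be serialized (to a socket or to disk), and on the receiving side the signature is checked before the content is ever deserialized. The AuthzToken class, the SignedTokenDemo class name, the field names, and the choice of SHA256withRSA are this example's own assumptions, not anything the book prescribes. The example goes beyond the list by also exercising two failure modes a practitioner cares about: a token whose serialized bytes were modified in transit, and a token signed with a key the verifier does not trust.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignedTokenDemo {

    /** Hypothetical authorization token (field names are this example's own). */
    static final class AuthzToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        final String role;
        AuthzToken(String principal, String role) { this.principal = principal; this.role = role; }
        @Override public String toString() { return principal + "/" + role; }
    }

    static Signature engine() throws GeneralSecurityException {
        return Signature.getInstance("SHA256withRSA"); // algorithm choice is an assumption
    }

    /** SignedObject serializes obj internally and signs those bytes with the engine. */
    static SignedObject sign(Serializable obj, PrivateKey issuerKey) throws GeneralSecurityException, IOException {
        return new SignedObject(obj, issuerKey, engine());
    }

    /** Verify first, then unwrap: getObject() deserializes the signed content. */
    static AuthzToken open(SignedObject so, PublicKey trusted)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        if (!so.verify(trusted, engine())) {
            throw new SecurityException("signature check failed; token rejected");
        }
        return (AuthzToken) so.getObject();
    }

    /** Bytes as they would travel over a socket or be written to disk. */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }

    static SignedObject deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (SignedObject) ois.readObject();
        }
    }

    /** Naive byte-string search, used only to locate the field an attacker would edit. */
    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuer = kpg.generateKeyPair();

        SignedObject token = sign(new AuthzToken("alice", "user"), issuer.getPrivate());
        byte[] wire = serialize(token);

        // 1. An untouched token survives serialization and verifies against the issuer's key.
        System.out.println("valid:    " + open(deserialize(wire), issuer.getPublic()));

        // 2. In-transit modification: the serialized String "alice" is overwritten with
        //    "admin" (same length, so the stream still parses). The signature no longer matches.
        byte[] tampered = wire.clone();
        int at = indexOf(tampered, "alice".getBytes(StandardCharsets.US_ASCII));
        if (at < 0) throw new IllegalStateException("principal not found in stream");
        System.arraycopy("admin".getBytes(StandardCharsets.US_ASCII), 0, tampered, at, 5);
        try {
            open(deserialize(tampered), issuer.getPublic());
        } catch (SecurityException e) {
            System.out.println("tampered: " + e.getMessage());
        }

        // 3. Forgery: a well-formed token signed by a key the verifier does not trust.
        KeyPair attacker = kpg.generateKeyPair();
        SignedObject forged = sign(new AuthzToken("mallory", "admin"), attacker.getPrivate());
        try {
            open(deserialize(serialize(forged)), issuer.getPublic());
        } catch (SecurityException e) {
            System.out.println("forged:   " + e.getMessage());
        }
    }
}
```

Two caveats the code reflects. First, the order in open() matters: verify() checks the signature over the stored bytes without deserializing them, so calling it before getObject() means only authenticated content is ever handed to the deserializer. The outer ObjectInputStream that reads the SignedObject itself still processes untrusted bytes, so on Java 9 and later production code should attach an ObjectInputFilter to that stream. Second, SignedObject provides integrity and authenticity only: the serialized token is readable in the clear, so a secret inside it still needs encryption.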

The class
