9.9. Signing Objects

Recall the earlier discussion about the need to protect an object when it is in serialized state and during transit. In fact, quite a few situations exist in which the authenticity of an object and its state must be assured. Following are three examples.

  • An object acting as an authentication or authorization token is passed around internally to any Java runtime as part of the security system functions. Such a token must be unforgeable, and any innocent or malicious modification to its state must be detected.

  • An object is transported across machines (JVMs), and its authenticity still needs to be verified.

  • An object’s state is stored outside the Java runtime, for example, onto a disk for JVM restarting purposes.
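The sign-then-verify pattern these three cases call for, as an added example that is not from the book: the standard java.security.SignedObject class serializes a Serializable object, signs the bytes with a private key, and later lets the holder verify them with the public key before deserializing. The Token type, the EC key algorithm and the use of SignedObject are this example's choices, not the text's.

```java
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;

public class SignedTokenDemo {
    // Constructed sample token; a real authorization token would carry more state.
    static final class Token implements Serializable {
        private static final long serialVersionUID = 1L;
        final String subject;
        final long expiresAt;
        Token(String subject, long expiresAt) {
            this.subject = subject;
            this.expiresAt = expiresAt;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair issuer = kpg.generateKeyPair();

        Token token = new Token("alice", System.currentTimeMillis() + 60_000);

        // Sign: SignedObject serializes the token and signs the serialized bytes.
        SignedObject signed = new SignedObject(token, issuer.getPrivate(),
                Signature.getInstance("SHA256withECDSA"));

        // Verify against the issuer's public key BEFORE deserializing the content;
        // getObject() runs deserialization, so only do it on a verified object.
        boolean ok = signed.verify(issuer.getPublic(), Signature.getInstance("SHA256withECDSA"));
        System.out.println("verified with issuer key: " + ok);
        if (ok) {
            Token t = (Token) signed.getObject();
            System.out.println("subject: " + t.subject + ", expiresAt: " + t.expiresAt);
        }

        // A token signed by anyone else (or whose bytes were altered) fails verification,
        // which is how forgery and in-transit modification are detected.
        KeyPair other = kpg.generateKeyPair();
        boolean forged = signed.verify(other.getPublic(), Signature.getInstance("SHA256withECDSA"));
        System.out.println("verified with wrong key: " + forged); // false
    }
}
```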

The class
