book

Java Security, 2nd Edition

Name: Java Security, 2nd Edition
Author: Scott Oaks
ISBN: 9780596001575

by Scott Oaks

May 2001

Intermediate to advanced

618 pages

20h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Java Security
A Note Regarding Supplemental Files
Preface
Who Should Read This Book?
Versions Used in This Book
Conventions Used in This Book
Command ConventionsCode Conventions
Organization of This Book
What’s New in This Edition
How to Contact Us
Acknowledgments

Feedback for the Author
1. Java Application Security
What Is Security?
Software Used in This Book
The Java 2 PlatformThe Java Cryptography ExtensionThe Java Secure Sockets ExtensionThe Java Authentication and Authorization ServiceMore About Export ControlsOther Software Versions
The Java Sandbox
Applets, Applications, and ProgramsAnatomy of a Java Program
Security Debugging
Summary
2. The Default Sandbox
Elements of the Java Sandbox
Permissions
File Permissions
Socket Permissions
Property Permissions
Runtime Permissions
AWT Permissions
Net Permissions
Security Permissions
Serializable Permissions
Reflection Permissions
All Permissions
Keystores
Code Sources
Policy Files
The policytoolManaging policy codebasesManaging permissionsPermissions Outside of Policy Files
The Default Sandbox
The Default Policy File
The java.security File
Comparison with Previous Releases
Summary
3. Java Language Security
Java Language Security Constructs
Object Serialization and Memory Integrity
Enforcement of the Java Language Rules
Compiler EnforcementThe Bytecode VerifierInside the bytecode verifierDelayed bytecode verificationRuntime Enforcement
Comparisons with Previous Releases
Controlling Bytecode Verification
Summary
4. The Security Manager
Overview of the Security Manager
Security Managers and the Java API
Operating on the Security Manager
Methods of the Security Manager
Methods Relating to File AccessMethods Relating to Network AccessMethods Protecting the Java Virtual MachineMethods Protecting Program ThreadsMethods Protecting System ResourcesMethods Protecting Security Aspects
Comparison with Previous Releases
Trusted and Untrusted ClassesDifferences in the Security Manager ClassFile accessNetwork accessSystem accessThread accessSecurity access
Summary
5. The Access Controller
The CodeSource Class
Permissions
The Permission ClassUsing the Permission ClassThe BasicPermission ClassPermission CollectionsThe Permissions Class
The Policy Class
Installing a Policy Class
Protection Domains
The AccessController Class
Access Control Contexts
Guarded Objects
Comparison with Previous Releases
Summary
6. Java Class Loaders
The Class Loader and Namespaces
Class Loading Architecture
Implementing a Class Loader
Class Loader ClassesKey Methods of the Class LoaderThe loadClass( ) methodThe findClass( ) methodThe defineClass( ) methodsResponsibilities of the Class LoaderUsing the URL Class LoaderStep 1: Optionally call the checkPackageAccess( ) methodStep 2: Use the previously-defined class, if availableStep 3: Defer class loading to the parentStep 4: Optionally call the checkPackageDefinition( ) methodStep 5: Read in the class bytesStep 6: Create the appropriate protection domainSteps 7-8: Define the class, verify it, and resolve itUsing the SecureClassLoader ClassOther Class Loaders
Miscellaneous Class Loading Topics
DelegationLoading ResourcesLoading Libraries
Comparison with Previous Releases
Summary
7. Introduction to Cryptography
The Need for Authentication
Author AuthenticationData AuthenticationJava’s Role in Authentication
The Role of Authentication
Cryptographic Engines
Cryptographic KeysMessage DigestsDigital SignaturesEncryption Engines
Summary
8. Security Providers
The Architecture of Security Providers
Components of the ArchitectureChoosing a Security Provider
The Provider Class
Using the Provider ClassImplementing the Provider ClassDeploying the Provider Class
The Security Class
The Security Class and the Security Manager
The Architecture of Engine Classes
Comparison with Previous Releases
Summary
9. Keys and Certificates
Keys
The Key InterfaceAsymmetric KeysDSA keysRSA keysDiffie-Hellman keysThe KeyPair classSymmetric Keys
Generating Keys
The KeyPairGenerator ClassUsing the KeyPairGenerator classGenerating DSA keysImplementing a Key Pair GeneratorThe KeyGenerator ClassUsing the KeyGenerator classImplementing a KeyGenerator class
Key Factories
The KeyFactory ClassUsing the KeyFactory classImplementing a key factoryThe SecretKeyFactory ClassKey SpecificationsThe EncodedKeySpec classThe AlgorithmParameterSpec interfaceA Key Factory ExampleExisting key specification classes
Certificates
The Certificate ClassThe CertificateFactory ClassThe X509Certificate ClassAdvanced X509Certificate MethodsRevoked Certificates
Keys, Certificates, and Object Serialization
Comparison with Previous Releases
Summary
10. Key Management
Key Management Terms
The keytool
Global Options to keytoolCreating a Key EntryGenerating a Certificate RequestImporting a CertificateCreating a Certificate EntryModifying Keystore EntriesDeleting Keystore EntriesExamining Keystore DataMiscellaneous CommandsUsing Certificates from Netscape
The Key Management API
PrincipalsThe KeyStore Class
A Key Management Example
Installing a KeyStore Class
Secret Key Management
Secret Key DistributionSecret Key Agreement
Comparison with Previous Releases
Summary
11. Message Digests
Using the Message Digest Class
Secure Message Digests
The Mac ClassCalculating Your Own MAC
Message Digest Streams
The DigestOutputStream ClassThe DigestInputStream Class
Implementing a MessageDigest Class
The MacSpi Class
Comparison with Previous Releases
Summary
12. Digital Signatures
The Signature Class
Using the Signature ClassThe SignedObject ClassSigning and Certificates
Signed Classes
The jarsigner ToolCreating a signed jar fileVerifying a jar fileReading Signed Jar Files
Implementing a Signature Class
Comparison with Previous Releases
Summary
13. Cipher-Based Encryption
The Cipher Engine
Using the Cipher Class for Encryption/DecryptionPerforming Your Own PaddingInitialization of a PBEWithMD5AndDES CipherUsing the Cipher Class for Key WrappingImplementing the Cipher Class
Cipher Streams
The CipherOutputStream ClassThe CipherInputStream Class
Sealed Objects
Comparison with Previous Releases
Summary
14. SSL and HTTPS
An Overview of SSL and JSSE
Keystores and TruststoresJSSE CertificatesJSSE Socket Factories
SSL Client and Server Sockets
SSL Server SocketsSSL Sockets
SSL Sessions
SSL Contexts and Key Managers
Working with Key ManagersWorking with Trust Managers
Miscellaneous SSL Issues
SSL ProxiesClient-Side AuthenticationChoosing an SSL Cipher SuiteSSL HandshakingJSSE Permissions
The HTTPS Protocol Handler
Verifying HTTPS HostsHTTPS Properties
Debugging JSSE
Summary
15. Authentication and Authorization
JAAS Overview
Simple JAAS programming
The JAAS Setup CodeThe LoginContext classThe Subject classThe JAAS User-Specific Code
Simple JAAS Administration
Configuring Login ModulesLogin control flagsSample login modulesWriting Policy FilesWriting JAAS policy filesWriting standard policy filesRunning the Example
Advanced JAAS Topics
JAAS CallbacksThe name callbackThe password callbackThe text input callbackThe text output callbackThe choice callbackThe confirmation callbackThe language callbackWriting a Login ModuleThe JAAS Policy ClassAdministering a JAAS PolicyClient/Server AuthenticationGroups and Roles
Summary
A. The java.security File
B. Security Resources
Security Bugs
Java Security BugsTracking Security Bugs
Third-Party Security Providers
Security References
C. Identity-Based Key Management
Javakey
Creating Identities and SignersGenerating Keys and CertificatesExporting and Importing CredentialsSigning a jar FileMiscellaneous javakey Commands
Identities
The Identity ClassUsing the identity classImplementing an Identity classThe Identity class and the security managerSignersUsing the Signer classImplementing a signerSigners and the security manager
Identity Scopes
Using the IdentityScope ClassWriting an Identity ScopeIdentityScope and the Security Manager
Key Management in an Identity Scope
Implementing an Identity ClassImplementing a Signer ClassA Shared System Identity ScopeCreating Identities
Summary
D. The Secure Java Container
The 1.1-Based Class Loader
Defining Signed Classes
The 1.1-Based Security Manager
Protected Methods of the Security ManagerThe class loader depthProtected instance variables in the security managerImplementation TechniquesImplementing network accessImplementing thread securityImplementing the file access methods
Running Secure Applications
Summary
E. Implementing a JCE Security Provider
F. Quick Reference
Package java.security
Class java.security.AccessControlContext
Class java.security.AccessController
Class java.security.AlgorithmParameterGenerator
Class java.security.AlgorithmParameter-GeneratorSpi
Class java.security.AlgorithmParameters
Class java.security.AlgorithmParametersSpi
Class java.security.AllPermission
Class java.security.BasicPermission
Interface java.security.Certificate
Class java.security.CodeSource
Class java.security.DigestInputStream
Class java.security.DigestOutputStream
Interface java.security.DomainCombiner
Interface java.security.Guard
Class java.security.GuardedObject
Class java.security.Identity
Class java.security.IdentityScope
Interface java.security.Key
Class java.security.KeyFactory
Class java.security.KeyFactorySpi
Class java.security.KeyPair
Class KeyPairGenerator
Class KeyPairGeneratorSpi
Class java.security.KeyStore
Class java.security.KeyStoreSpi
Class java.security.MessageDigest
Class java.security.MessageDigestSpi
Class java.security.Permission
Class java.security.PermissionCollection
Class java.security.Permissions
Class java.security.Policy
Interface java.security.Principal
Interface java.security.PrivateKey
Class java.security.ProtectionDomain
Class java.security.Provider
Interface java.security.PublicKey
Class java.security.SecureClassLoader
Class java.security.SecureRandom
Class java.security.SecureRandomSpi
Class java.security.Security
Class java.security.SecurityPermission
Class java.security.Signature
Class java.security.SignatureSpi
Class java.security.SignedObject
Class java.security.Signer
Class java.security.UnresolvedPermission
Package java.security.cert
Class java.security.cert.Certificate
Class java.security.cert.CertificateFactory
Class java.security.cert.CertificateFactorySpi
Class java.security.cert.CRL
Class java.security.cert.X509Certificate
Class java.security.cert.X509CRL
Class java.security.cert.X509CRLEntry
Interface java.security.cert.X509Extension
Package java.security.interfaces
Interface java.security.interfaces.DSAKey
Interface java.security.interfaces.DSAKeyPair-Generator
Interface java.security.interfaces.DSAParams
Interface java.security.interfaces.DSAPrivateKey
Interface java.security.interfaces.DSAPublicKey
Interface java.security.interfaces.RSAKey
Interface java.security.interfaces.RSAPrivateCrtKey
Interface java.security.interfaces.RSAPrivateKey
Interface java.security.interfaces.RSAPublicKey
Package java.security.spec
Interface java.security.spec.Algorithm-ParameterSpec
Class java.security.spec.DSAParameterSpec
Class java.security.spec.DSAPrivateKeySpec
Class java.security.spec.DSAPublicKeySpec
Class java.security.spec.EncodedKeySpec
Interface java.security.spec.KeySpec
Class java.security.spec.PKCS8EncodedKeySpec
Class java.security.spec.RSAKeyGenParameterSpec
Class java.security.spec.RSAPrivateCrtKeySpec
Class java.security.spec.RSAPrivateKeySpec
Class java.security.spec.RSAPublicKeySpec
Class java.security.spec.X509EncodedKeySpec
Package javax.crypto
Class javax.crypto.Cipher
Class javax.crypto.CipherInputStream
Class javax.crypto.CipherOutputStream
Class javax.crypto.CipherSpi
Class javax.crypto.ExemptionMechanism
Class javax.crypto.ExemptionMechanismSpi
Class javax.crypto.KeyAgreement
Class javax.crypto.KeyAgreementSpi
Class javax.crypto.KeyGenerator
Class javax.crypto.KeyGeneratorSpi
Class javax.crypto.Mac
Class javax.crypto.MacSpi
Class javax.crypto.NullCipher
Class javax.crypto.SealedObject
Interface javax.crypto.SecretKey
Class javax.crypto.SecretKeyFactory
Class javax.crypto.SecretKeyFactorySpi
Package javax.crypto.interfaces
Interface javax.crypto.interfaces.DHKey
Interface javax.crypto.interfaces.DHPrivateKey
Interface javax.crypto.interfaces.DHPublicKey
Package javax.crypto.spec
Class javax.crypto.spec.DESKeySpec
Class javax.crypto.spec.DESedeKeySpec
Class javax.crypto.spec.DHGenParameterSpec
Class javax.crypto.spec.DHParameterSpec
Class javax.crypto.spec.DHPrivateKeySpec
Class javax.crypto.spec.DHPublicKeySpec
Class javax.crypto.spec.IvParameterSpec
Class javax.crypto.spec.PBEKeySpec
Class javax.crypto.spec.PBEParameterSpec
Class javax.crypto.spec.RC2ParameterSpec
Class javax.crypto.spec.RC5ParameterSpec
Class javax.crypto.spec.SecretKeySpec
Package javax.net
Class javax.net.ServerSocketFactory
Class javax.net.SocketFactory
Package javax.net.ssl
Class javax.net.ssl.HandshakeCompletedEvent
Interface javax.net.ssl.HandshakeCompleted-Listener
Class javax.net.ssl.SSLServerSocket
Class javax.net.ssl.SSLServerSocketFactory
Interface javax.net.ssl.SSLSession
Class javax.net.ssl.SSLSessionBindingEvent
Interface javax.net.ssl.SSLSessionBindingListener
Interface javax.net.ssl.SSLSessionContext
Class javax.net.ssl.SSLSocket
Class javax.net.ssl.SSLSocketFactory
Package javax.security.auth
Class javax.security.auth.AuthPermission
Interface javax.security.auth.Destroyable
Class javax.security.auth.Policy
Class javax.security.auth.PrivateCredential-Permission
Interface javax.security.auth.Refreshable
Class javax.security.auth.Subject
Class javax.security.auth.SubjectDomainCombiner
Package javax.security.auth.callback
Interface javax.security.auth.callback.Callback
Interface javax.security.auth.callback.Callback-Handler
Class javax.security.auth.callback.ChoiceCallback
Class javax.security.auth.callback.Confirmation-Callback
Class javax.security.auth.callback.LanguageCallback
Class javax.security.auth.callback.NameCallback
Class javax.security.auth.callback.Password-Callback
Class javax.security.auth.callback.TextInputCallback
Class javax.security.auth.callback.TextOutput-Callback
Package javax.security.auth.login
Class javax.security.auth.login.AppConfiguration-Entry
Class javax.security.auth.login.Configuration
Class javax.security.auth.login.LoginContext
Package javax.security.auth.spi
Interface javax.security.auth.spi.LoginModule
Package javax.security.cert
Class javax.security.cert.Certificate
Class javax.security.cert.X509Certificate
Package com.sun.net.ssl
Interface com.sun.net.ssl.HostnameVerifier
Class com.sun.net.ssl.HttpsURLConnection
Interface com.sun.net.ssl.KeyManager
Class com.sun.net.ssl.KeyManagerFactory
Class com.sun.net.ssl.KeyManagerFactorySpi
Class com.sun.net.ssl.SSLContext
Class com.sun.net.ssl.SSLContextSpi
Class com.sun.net.ssl.SSLPermission
Interface com.sun.net.ssl.TrustManager
Class com.sun.net.ssl.TrustManagerFactory
Class com.sun.net.ssl.TrustManagerFactorySpi
Interface com.sun.net.ssl.X509KeyManager
Interface com.sun.net.ssl.X509TrustManager
Package com.sun.security.auth
Class com.sun.security.auth.NTDomainPrincipal
Class com.sun.security.auth.NTNumericCredential
Class com.sun.security.auth.NTSid
Class com.sun.security.auth.NTSid
Class com.sun.security.auth.NTSidDomainPrincipal
Class com.sun.security.auth.NTSidGroupPrincipal
Class com.sun.security.auth.NTSidPrimaryGroup-Principal
Class com.sun.security.auth.NTSidUserPrincipal
Class com.sun.security.auth.NTUserPrincipal
Class com.sun.security.auth.PolicyFile
Interface com.sun.security.auth.PrincipalComparator
Class com.sun.security.auth.SolarisNumericGroup-Principal
Class com.sun.security.auth.SolarisNumericUser-Principal
Class com.sun.security.auth.SolarisPrincipal
Class com.sun.security.auth.X500Principal
Package com.sun.security.auth.login
Class com.sun.security.auth.login.ConfigFile
Package com.sun.security.auth.module
Class com.sun.security.auth.module.JndiLogin-Module
Class com.sun.security.auth.module.NTLoginModule
Class com.sun.security.auth.module.SolarisLogin-Module
Miscellaneous Packages
Class java.awt.AWTPermission
Class java.io.FilePermission
Class java.io.SerializablePermission
Class java.lang.ClassLoader
Class java.lang.RuntimePermission
Class java.lang.SecurityManager
Class java.lang.reflect.ReflectPermission
Class java.net.NetPermission
Class java.net.SocketPermission
Class java.net.URLClassLoader
Class java.rmi.RMISecurityManager
Class java.rmi.server.RMIClassLoader
Class java.util.PropertyPermission
Index
About the Author
Colophon
Copyright

Content preview from Java Security, 2nd Edition

Generating Keys

Java’s security API provides two standard engines to generate keys: one to generate a pair of asymmetric keys and one to generate a secret key.

The KeyPairGenerator Class

Generation of public and private keys is provided by the KeyPairGenerator class (java.security.KeyPairGenerator):

public abstract class KeyPairGenerator extends KeyPairGeneratorSpi: Generate and provide information about public/private key pairs.

Generating a key pair is a very time-consuming operation. Fortunately, it does not need to be performed often; much of the time, we obtain keys from a key management system rather than generating them. However, when we establish our own key management system in the next chapter, we’ll need to use this class; it is often easier to generate your own keys from scratch rather than use a key management system as well.

Using the KeyPairGenerator class

Like all engine classes, the KeyPairGenerator is an abstract class for which there is no implementation in the core API. However, it is possible to retrieve instances of the KeyPairGenerator class via these methods:

public static KeyPairGenerator getInstance(String algorithm)public static KeyPairGenerator getInstance(String algorithm, String provider)

Find the implementation of the engine that generates key pairs with the named algorithm. The algorithm should be one of the standard API algorithm names; if an appropriate implementation cannot be found, this method throws a NoSuchAlgorithmException .

The first format ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596001576Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills