book

Java Security Handbook

by Jamie Jaworski, Paul J. Perrone, Venkata S.R. Krishna Chaganti

September 2000

Intermediate to advanced

552 pages

12h 9m

English

Sams

Read now

Unlock full access

Copyright
Dedication
About the Authors
Acknowledgments
Tell Us What You Think!
Introduction
The Importance of Java SecurityWho Should Read This BookHow This Book is OrganizedGetting StartedHow to Use This Book
I. The Foundations of Java Security
1. Security Basics
The Basic Security ModelCryptographyClasses of CryptographyMessage DigestsSymmetric KeysAsymmetric KeysAuthentication and NonrepudiationAuthentication TypesPassword-Based Identity and AuthenticationPhysical-Token–Based Identity and AuthenticationBiometrics-Based Identity and AuthenticationCertificate-Based Identity and AuthenticationNonrepudiationAccess ControlDiscretionary Access ControlRole-Based Access ControlMandatory Access ControlFirewall Access ControlDomainsAuditingPolicies and AdministrationSummary
2. Java Security Overview
The History of Security in JavaJava Security ArchitectureCore Java 2 Security ArchitectureJava Cryptography ArchitectureJava Cryptography ExtensionJava Secure Socket ExtensionJava Authentication and Authorization ServiceByte Code VerifierClass LoaderClass Loader Architecture and SecurityClass-Loader InterfacesSecurity ManagerSecurity Manager InterfacesCustom Security ManagersJava Cryptography ArchitectureThe Architecture of JCACryptographic EnginesCryptographic Service ProvidersSummary
3. Java Application Security Access Control
PermissionsPermissions ArchitecturePermission TypesCustom Permission TypesSecurity PoliciesSecurity Policy File FormatReferencing Properties in Policy FilesUsing Security Policy FilesSecurity Policy ToolSecurity Policy APIsJava Access ControlAccess Control ArchitectureGuarded ObjectsSecurityManager-to-Access Control MappingFine-Grained and Configurable Access Control ExampleSummary
4. Applet Security
Extending the SandboxThe JDK 1.0 SandboxThe JDK 1.1 SandboxJDK 1.2 Least PrivilegeSpecifying an Applet Security PolicyThe Contents of the Security Policy FileThe Syntax of Grant EntriesUsing Signed AppletsCreating the JAR fileSigning the JAR FileSpecifying a Signed Applet PolicyObtaining a Signing CertificateWorking with Different BrowsersSummary

II. Cryptographic Security
5. Introduction to Cryptography
A Short History of Secret WritingCryptography, Cryptanalysis, and CryptologyCiphersThe Caesar CipherCryptanalysis of the Caesar CipherA Simple Substitution CipherCryptanalysis of the Simple Substitution CipherSecret-Key CryptographyThe Data Encryption Standard (DES)DES ModesECB Mode and PaddingCBC ModePCBC ModeCFB ModeOFB ModeWhich Mode Should I Use?A DES ExampleDESedeBlowfishRivest CiphersPublic Key CryptographyThe Rivest, Shamir, Adleman (RSA) AlgorithmAn RSA ExampleUsing RSARSA Performance and SecurityThe ElGamal AlgorithmMessage DigestsMD5SHA-1Base 64 EncodingDigital SignaturesThe Digital Signature AlgorithmDigital CertificatesSummary
6. Key Management and Digital Certificates
Importance of Key ManagementKey RepresentationKey GenerationThe KeyPairGenerator ClassThe KeyGenerator ClassThe KeyGeneratorApp ProgramSecure Random Numbers and Key GenerationKey TranslationThe KeyFactory ClassThe SecretKeyFactory ClassKey AgreementSimple Key Management for Internet Protocols (SKIP)JCE Support for Key AgreementExamples of Implementing Key AgreementsKey Storage and Password-Based EncryptionKey Management Differences Between JDK 1.1 and the Java 2 Platform (version JDK 1.2)JDK 1.1 Key ManagementThe Identity ClassThe IdentityScope ClassThe Signer ClassJDK 1.2 Key ManagementThe KeyStore ClassThe KeytoolSummary
7. Message Digests and Digital Signatures
Message Digest Classes and InterfacesMessageDigestSpiMessageDigestComputing Message DigestsDigestInputStream and DigestOutputStreamWorking with Digest StreamsDigestExceptionMessage Authentication CodesMacSpiMacMACs in ActionSignature Classes and InterfacesSignatureSpiSignatureCreating and Verifying Digital SignaturesSignedObjectUsing SignedObjectSignerSignatureExceptionSummary
8. The Java Cryptography Extension
Inside the JCEThe Cryptix JCESecurity Providers and Algorithm IndependenceHow a Security Provider Is OrganizedEngine ClassesSPI ClassesProvider ClassesCreating a New ProviderExtending the SPI ClassExtending the Provider ClassInstalling Provider ClassesUsing the ProviderSummary
9. SSL and JSSE
SSL OverviewJava Secure Socket Extension OverviewJSSE Package and Class OverviewJSSE ProvidersJSSE SSL Server SocketsObtaining an SSL Server Socket FactoryCreating SSL Server SocketsSSL Server Socket ListeningClient AuthenticationJSSE SSL Client SocketsObtaining an SSL Socket FactoryCreating SSL Client SocketsJSSE SSL SessionsSummary
III. Distributed System Security
10. Distributed Enterprise Security Overview
Distributed Enterprise System TechnologyEnterprise Database ConnectivityEnterprise CommunicationsEnterprise Communication ServicesEnterprise Container-Based ComponentsEnterprise Database Connectivity SecurityEnterprise Communications SecurityBasic Network SecurityRMI SecurityCORBA SecurityEnterprise Communications Service SecurityJNDI SecurityJini SecurityJMS SecurityJavaMail SecurityEnterprise Container-Based Component SecurityWeb Component SecurityEJB SecuritySummary
11. Databases and Database Security
What Is a Database?Relational DatabasesWorking with KeysStructured Query LanguageRemote Database AccessODBC and JDBC DriversMicrosoft's ODBCEnter JDBCConnecting to Databases with the java.sql PackageSetting Up a Database ConnectionThe DriverManager ClassThe Driver InterfaceThe Connection InterfaceExecuting SQL StatementsThe Statement InterfaceThe PreparedStatement and CallableStatement InterfacesThe StatementApp ProgramDatabase Security IssuesSecuring Database ConnectionsUsing a Dedicated Subnet for Client-Server CommunicationEncrypting Communication Between the Database Client and ServerProtecting the Database Client and ServerUsing FirewallsDeploying Intrusion Detection SystemsHardening the Client and Server PlatformsAuthenticating the Client and ServerSecuring the User ConnectionAuthenticating the UserImplementing Access ControlsImplementing Access Controls at the Database ServerImplementing Access Controls at the Database ClientImplementing Access Controls at the Web ServerImplementing Access Controls at the User's BrowserAuditingDatabase ScanningSummary
12. The Java Authentication and Authorization Service
JAAS OverviewJAAS SubjectsSubject RelationshipsCreating SubjectsManipulating Subject AttributesSpecializing Subject CredentialsAuthentication with JAASLogin Module Configuration and InitializationLogin Context ConstructionLogin Module ConfigurationLogin Module Configuration File LocationLogin Module InitializationThe Authentication ProcessCallback HandlingAuthorization with JAASJAAS Security Policy File FormatUsing JAAS Security Policy FilesPerforming Security-Critical ActionsJAAS Security Authorization AbstractionsJAAS Policy ManipulationAuthentication PermissionsPrivate Credential PermissionsStandard Java Security Policies with JAAS PermissionsSummary
13. CORBA Security
CORBA Security OverviewCORBA Security PackagesCORBA Security ArchitectureCore CORBA Security InterfacingAuthenticationDelegationAuthorizationAuditingNonrepudiationEncryptionSecurity PoliciesSecurity AdministrationSummary
14. Enterprise JavaBeans Security
EJB Security OverviewStandard Programmatic EJB Access ControlsStandard Declarative EJB Access ControlsVendor-Specific EJB Access ControlsVendor-Specific EJB Identity and AuthenticationEJB Secure Communications, Delegation, and AuditingEJB Connection SecurityEJB Principal DelegationEJB Security AuditingSummary
15. Java Servlet and JSP Security
The Common Gateway InterfaceWeb Server-to-CGI Program CommunicationCGI Program-to-Web Server CommunicationSession State MaintenanceCookiesURL RewritingHidden Form FieldsServer-Side Programming Security IssuesInterception of Session State InformationForgery of Session State InformationBuffer OverflowData ValidationPage SequencingSession TimeoutInformation ReportingBrowser ResidueUser AuthenticationLogging of Sensitive InformationLeast PrivilegeJava ServletsWhy Servlets?The Servlet APIThe javax.servlet PackageInterfacesClassesExceptionsThe javax.servlet.http PackageInterfacesClassesThe javax.servlet.jsp PackageInterfacesClassesExceptionsThe javax.servlet.jsp.tagext PackageInterfacesClassesHow Servlets WorkServlet ExamplesServlet SecurityUser AuthenticationRole-based Access ControlsTransmission SecurityAdding Security to the Sample ServletsContainer Security RequirementsProgrammatic SecurityJavaServer PagesSummary
IV. Appendixes
A. Past Java Security Flaws
JavaScript (February, 1996)DNS Attack (February, 1996)Class Loader Implementation Bug (March, 1996)Verifier Implementation Bug (March, 1996)URL Name Resolution Attack (April, 1996)Hostile Applets (April, 1996)Classloader Attack Variant (May 18, 1996)Illegal Type Cast Attack (June 2, 1996)Inconsistency in javakey (December 13, 1996)Web Spoofing (December, 1996)Java Versus ActiveX (February 25, 1997)Virtual Machine Bug (March 5, 1997)Disclosure of IP Addresses (March 17, 1997)Signing Flaw (April 29, 1997)Verifier Bugs (May 16, 1997)Another Verifier Bug (June 23, 1997)RSA PKCS1 Risk in SSL (June 26, 1998)Princeton Classloader Attack (July 22, 1998)Execution of Unverified Code (March 26, 1999)Construction of Unverified Classes (April 14, 1999)Locally Installed Applet Classes (February 2, 2000)
B. The Mathematics of RSA
The Math Behind RSAThe Prime Numbers Are InfinitePrimality TestingPrime Number GenerationFinding an Encryption KeyReduced Set of ResiduesCalculating d from e, p, and qCalculating d, Knowing Only e and nCryptix and RSAEncryption and DecryptionComputing and Verifying Signatures
C. Downloading and Installing the JCE
Downloading the JCEInstalling the JCETesting Your Installation
D. The Java 2 Security API
The java.security PackageInterfacesCertificateGuardKeyPrincipalPrivateKeyPrivilegedActionPrivilegedExceptionActionPublicKeyClassesAccessControlContextAccessControllerAlgorithmParameterGeneratorAlgorithmParameterGeneratorSpiAlgorithmParametersAlgorithmParametersSpiAllPermissionBasicPermissionCodeSourceDigestInputStreamDigestOutputStreamGuardedObjectIdentityIdentityScopeKeyFactoryKeyFactorySpiKeyPairKeyPairGeneratorKeyPairGeneratorSpiKeyStoreKeyStoreSpiMessageDigestMessageDigestSpiPermissionPermissionCollectionPermissionsPolicyProtectionDomainProviderSecureClassLoaderSecureRandomSecureRandomSpiSecuritySecurityPermissionSignatureSignatureSpiSignedObjectSignerUnresolvedPermissionExceptionsAccessControlExceptionDigestExceptionGeneralSecurityExceptionInvalidAlgorithmParameterExceptionInvalidKeyExceptionInvalidParameterExceptionKeyExceptionKeyManagementExceptionKeyStoreExceptionNoSuchAlgorithmExceptionNoSuchProviderExceptionPrivilegedActionExceptionProviderExceptionSignatureExceptionUnrecoverableKeyExceptionThe java.security.acl PackageInterfacesAclAclEntryGroupOwnerPermissionClassesExceptionsAclNotFoundExceptionLastOwnerExceptionNotOwnerExceptionThe java.security.cert PackageInterfacesX509ExtensionClassesCertificateCertificateFactoryCertificateFactorySpiCRLX509CertificateX509CRLX509CRLEntryExceptionsCRLExceptionCertificateEncodingExceptionCertificateExceptionCertificateExpiredExceptionCertificateNotYetValidExceptionCertificateParsingExceptionCRLExceptionThe java.security.interfaces PackageInterfacesDSAKeyDSAKeyPairGeneratorDSAParamsDSAPrivateKeyDSAPublicKeyRSAPrivateCrtKeyRSAPrivateKeyRSAPublicKeyClassesExceptionsThe java.security.spec PackageInterfacesAlgorithmParameterSpecKeySpecClassesDSAParameterSpecDSAPrivateKeySpecDSAPublicKeySpecEncodedKeySpecPKCS8EncodedKeySpecRSAPrivateCrtKeySpecRSAPrivateKeySpecRSAPublicKeySpecX509EncodedKeySpecExceptionsInvalidKeySpecExceptionInvalidParameterSpecExceptionThe javax.crypto PackageInterfacesSecretKeyClassesCipherCipherInputStreamCipherOutputStreamCipherSpiKeyAgreementKeyAgreementSpiKeyGeneratorKeyGeneratorSpiMacMacSpiNullCipherSealedObjectSecretKeyFactorySecretKeyFactorySpiExceptionsBadPaddingExceptionIllegalBlockSizeExceptionNoSuchPaddingExceptionShortBufferExceptionThe javax.crypto.interfaces PackageInterfacesDHKeyDHPrivateKeyDHPublicKeyClassesExceptionsThe javax.crypto.spec PackageInterfacesClassesDESedeKeySpecDESKeySpecDHGenParameterSpecDHParameterSpecDHPrivateKeySpecDHPublicKeySpecIvParameterSpecPBEKeySpecPBEParameterSpecRC2ParameterSpecRC5ParameterSpecSecretKeySpecExceptions
E. Downloading and Installing the Cryptix JCE 1.2
Downloading the Cryptix 3.1Installing Cryptix 3.1Testing Your Installation
F. Using the Keytool
OverviewKeystore LocationsKeytool CommandsThe -certreq CommandThe -delete CommandThe -export CommandThe -genkey CommandThe -help CommandThe -identitydb CommandThe -import CommandThe -keyclone CommandThe -keypasswd CommandThe -list CommandThe -printcert CommandThe -selfcert CommandThe -storepasswd CommandThe Cacerts Keystore
G. Using the jarsigner Tool
JAR FilesUsing the jar ToolCreating a JAR FileViewing a JAR FileExtracting the Contents of a JAR FileSigning JAR FilesUsing jarsigner to Sign a JAR FileVerifying the Signature of a JAR FileChanging the Applet Security Policy

Content preview from Java Security Handbook

Chapter 15. Java Servlet and JSP Security

This chapter covers security issues associated with Web applications developed using Java servlets and JavaServer Pages (JSP). It summarizes the operation of the Common Gateway Interface and discusses CGI and other Web-related security issues. It explains how servlets are developed and deployed and how a Web application's web.xml file can be configured to specify user authentication and access controls. JSP is introduced, and the relationship between JSP and servlet security is discussed.

The Common Gateway Interface

The Common Gateway Interface was adopted early on in the Web's formation as a standard for interfacing external programs to Web servers. The CGI enables these external programs, referred to ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0672316021Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Java Security Handbook

by Jamie Jaworski, Paul J. Perrone, Venkata S.R. Krishna Chaganti

Chapter 15. Java Servlet and JSP Security

The Common Gateway Interface

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.