book

Java Security Handbook

by Jamie Jaworski, Paul J. Perrone, Venkata S.R. Krishna Chaganti

September 2000

Intermediate to advanced

552 pages

12h 9m

English

Sams

Read now

Unlock full access

Dedication
The Importance of Java SecurityWho Should Read This BookHow This Book is OrganizedGetting StartedHow to Use This Book
The Basic Security ModelCryptographyClasses of CryptographyMessage DigestsSymmetric KeysAsymmetric KeysAuthentication and NonrepudiationAuthentication TypesPassword-Based Identity and AuthenticationPhysical-Token–Based Identity and AuthenticationBiometrics-Based Identity and AuthenticationCertificate-Based Identity and AuthenticationNonrepudiationAccess ControlDiscretionary Access ControlRole-Based Access ControlMandatory Access ControlFirewall Access ControlDomainsAuditingPolicies and AdministrationSummary
The History of Security in JavaJava Security ArchitectureCore Java 2 Security ArchitectureJava Cryptography ArchitectureJava Cryptography ExtensionJava Secure Socket ExtensionJava Authentication and Authorization ServiceByte Code VerifierClass LoaderClass Loader Architecture and SecurityClass-Loader InterfacesSecurity ManagerSecurity Manager InterfacesCustom Security ManagersJava Cryptography ArchitectureThe Architecture of JCACryptographic EnginesCryptographic Service ProvidersSummary
PermissionsPermissions ArchitecturePermission TypesCustom Permission TypesSecurity PoliciesSecurity Policy File FormatReferencing Properties in Policy FilesUsing Security Policy FilesSecurity Policy ToolSecurity Policy APIsJava Access ControlAccess Control ArchitectureGuarded ObjectsSecurityManager-to-Access Control MappingFine-Grained and Configurable Access Control ExampleSummary
Extending the SandboxThe JDK 1.0 SandboxThe JDK 1.1 SandboxJDK 1.2 Least PrivilegeSpecifying an Applet Security PolicyThe Contents of the Security Policy FileThe Syntax of Grant EntriesUsing Signed AppletsCreating the JAR fileSigning the JAR FileSpecifying a Signed Applet PolicyObtaining a Signing CertificateWorking with Different BrowsersSummary

A Short History of Secret WritingCryptography, Cryptanalysis, and CryptologyCiphersThe Caesar CipherCryptanalysis of the Caesar CipherA Simple Substitution CipherCryptanalysis of the Simple Substitution CipherSecret-Key CryptographyThe Data Encryption Standard (DES)DES ModesECB Mode and PaddingCBC ModePCBC ModeCFB ModeOFB ModeWhich Mode Should I Use?A DES ExampleDESedeBlowfishRivest CiphersPublic Key CryptographyThe Rivest, Shamir, Adleman (RSA) AlgorithmAn RSA ExampleUsing RSARSA Performance and SecurityThe ElGamal AlgorithmMessage DigestsMD5SHA-1Base 64 EncodingDigital SignaturesThe Digital Signature AlgorithmDigital CertificatesSummary
Importance of Key ManagementKey RepresentationKey GenerationThe KeyPairGenerator ClassThe KeyGenerator ClassThe KeyGeneratorApp ProgramSecure Random Numbers and Key GenerationKey TranslationThe KeyFactory ClassThe SecretKeyFactory ClassKey AgreementSimple Key Management for Internet Protocols (SKIP)JCE Support for Key AgreementExamples of Implementing Key AgreementsKey Storage and Password-Based EncryptionKey Management Differences Between JDK 1.1 and the Java 2 Platform (version JDK 1.2)JDK 1.1 Key ManagementThe Identity ClassThe IdentityScope ClassThe Signer ClassJDK 1.2 Key ManagementThe KeyStore ClassThe KeytoolSummary
Message Digest Classes and InterfacesMessageDigestSpiMessageDigestComputing Message DigestsDigestInputStream and DigestOutputStreamWorking with Digest StreamsDigestExceptionMessage Authentication CodesMacSpiMacMACs in ActionSignature Classes and InterfacesSignatureSpiSignatureCreating and Verifying Digital SignaturesSignedObjectUsing SignedObjectSignerSignatureExceptionSummary
Inside the JCEThe Cryptix JCESecurity Providers and Algorithm IndependenceHow a Security Provider Is OrganizedEngine ClassesSPI ClassesProvider ClassesCreating a New ProviderExtending the SPI ClassExtending the Provider ClassInstalling Provider ClassesUsing the ProviderSummary
SSL OverviewJava Secure Socket Extension OverviewJSSE Package and Class OverviewJSSE ProvidersJSSE SSL Server SocketsObtaining an SSL Server Socket FactoryCreating SSL Server SocketsSSL Server Socket ListeningClient AuthenticationJSSE SSL Client SocketsObtaining an SSL Socket FactoryCreating SSL Client SocketsJSSE SSL SessionsSummary
Distributed Enterprise System TechnologyEnterprise Database ConnectivityEnterprise CommunicationsEnterprise Communication ServicesEnterprise Container-Based ComponentsEnterprise Database Connectivity SecurityEnterprise Communications SecurityBasic Network SecurityRMI SecurityCORBA SecurityEnterprise Communications Service SecurityJNDI SecurityJini SecurityJMS SecurityJavaMail SecurityEnterprise Container-Based Component SecurityWeb Component SecurityEJB SecuritySummary
What Is a Database?Relational DatabasesWorking with KeysStructured Query LanguageRemote Database AccessODBC and JDBC DriversMicrosoft's ODBCEnter JDBCConnecting to Databases with the java.sql PackageSetting Up a Database ConnectionThe DriverManager ClassThe Driver InterfaceThe Connection InterfaceExecuting SQL StatementsThe Statement InterfaceThe PreparedStatement and CallableStatement InterfacesThe StatementApp ProgramDatabase Security IssuesSecuring Database ConnectionsUsing a Dedicated Subnet for Client-Server CommunicationEncrypting Communication Between the Database Client and ServerProtecting the Database Client and ServerUsing FirewallsDeploying Intrusion Detection SystemsHardening the Client and Server PlatformsAuthenticating the Client and ServerSecuring the User ConnectionAuthenticating the UserImplementing Access ControlsImplementing Access Controls at the Database ServerImplementing Access Controls at the Database ClientImplementing Access Controls at the Web ServerImplementing Access Controls at the User's BrowserAuditingDatabase ScanningSummary
JAAS OverviewJAAS SubjectsSubject RelationshipsCreating SubjectsManipulating Subject AttributesSpecializing Subject CredentialsAuthentication with JAASLogin Module Configuration and InitializationLogin Context ConstructionLogin Module ConfigurationLogin Module Configuration File LocationLogin Module InitializationThe Authentication ProcessCallback HandlingAuthorization with JAASJAAS Security Policy File FormatUsing JAAS Security Policy FilesPerforming Security-Critical ActionsJAAS Security Authorization AbstractionsJAAS Policy ManipulationAuthentication PermissionsPrivate Credential PermissionsStandard Java Security Policies with JAAS PermissionsSummary
CORBA Security OverviewCORBA Security PackagesCORBA Security ArchitectureCore CORBA Security InterfacingAuthenticationDelegationAuthorizationAuditingNonrepudiationEncryptionSecurity PoliciesSecurity AdministrationSummary
EJB Security OverviewStandard Programmatic EJB Access ControlsStandard Declarative EJB Access ControlsVendor-Specific EJB Access ControlsVendor-Specific EJB Identity and AuthenticationEJB Secure Communications, Delegation, and AuditingEJB Connection SecurityEJB Principal DelegationEJB Security AuditingSummary
The Common Gateway InterfaceWeb Server-to-CGI Program CommunicationCGI Program-to-Web Server CommunicationSession State MaintenanceCookiesURL RewritingHidden Form FieldsServer-Side Programming Security IssuesInterception of Session State InformationForgery of Session State InformationBuffer OverflowData ValidationPage SequencingSession TimeoutInformation ReportingBrowser ResidueUser AuthenticationLogging of Sensitive InformationLeast PrivilegeJava ServletsWhy Servlets?The Servlet APIThe javax.servlet PackageInterfacesClassesExceptionsThe javax.servlet.http PackageInterfacesClassesThe javax.servlet.jsp PackageInterfacesClassesExceptionsThe javax.servlet.jsp.tagext PackageInterfacesClassesHow Servlets WorkServlet ExamplesServlet SecurityUser AuthenticationRole-based Access ControlsTransmission SecurityAdding Security to the Sample ServletsContainer Security RequirementsProgrammatic SecurityJavaServer PagesSummary
JavaScript (February, 1996)DNS Attack (February, 1996)Class Loader Implementation Bug (March, 1996)Verifier Implementation Bug (March, 1996)URL Name Resolution Attack (April, 1996)Hostile Applets (April, 1996)Classloader Attack Variant (May 18, 1996)Illegal Type Cast Attack (June 2, 1996)Inconsistency in javakey (December 13, 1996)Web Spoofing (December, 1996)Java Versus ActiveX (February 25, 1997)Virtual Machine Bug (March 5, 1997)Disclosure of IP Addresses (March 17, 1997)Signing Flaw (April 29, 1997)Verifier Bugs (May 16, 1997)Another Verifier Bug (June 23, 1997)RSA PKCS1 Risk in SSL (June 26, 1998)Princeton Classloader Attack (July 22, 1998)Execution of Unverified Code (March 26, 1999)Construction of Unverified Classes (April 14, 1999)Locally Installed Applet Classes (February 2, 2000)
The Math Behind RSAThe Prime Numbers Are InfinitePrimality TestingPrime Number GenerationFinding an Encryption KeyReduced Set of ResiduesCalculating d from e, p, and qCalculating d, Knowing Only e and nCryptix and RSAEncryption and DecryptionComputing and Verifying Signatures
Downloading the JCEInstalling the JCETesting Your Installation
The java.security PackageInterfacesCertificateGuardKeyPrincipalPrivateKeyPrivilegedActionPrivilegedExceptionActionPublicKeyClassesAccessControlContextAccessControllerAlgorithmParameterGeneratorAlgorithmParameterGeneratorSpiAlgorithmParametersAlgorithmParametersSpiAllPermissionBasicPermissionCodeSourceDigestInputStreamDigestOutputStreamGuardedObjectIdentityIdentityScopeKeyFactoryKeyFactorySpiKeyPairKeyPairGeneratorKeyPairGeneratorSpiKeyStoreKeyStoreSpiMessageDigestMessageDigestSpiPermissionPermissionCollectionPermissionsPolicyProtectionDomainProviderSecureClassLoaderSecureRandomSecureRandomSpiSecuritySecurityPermissionSignatureSignatureSpiSignedObjectSignerUnresolvedPermissionExceptionsAccessControlExceptionDigestExceptionGeneralSecurityExceptionInvalidAlgorithmParameterExceptionInvalidKeyExceptionInvalidParameterExceptionKeyExceptionKeyManagementExceptionKeyStoreExceptionNoSuchAlgorithmExceptionNoSuchProviderExceptionPrivilegedActionExceptionProviderExceptionSignatureExceptionUnrecoverableKeyExceptionThe java.security.acl PackageInterfacesAclAclEntryGroupOwnerPermissionClassesExceptionsAclNotFoundExceptionLastOwnerExceptionNotOwnerExceptionThe java.security.cert PackageInterfacesX509ExtensionClassesCertificateCertificateFactoryCertificateFactorySpiCRLX509CertificateX509CRLX509CRLEntryExceptionsCRLExceptionCertificateEncodingExceptionCertificateExceptionCertificateExpiredExceptionCertificateNotYetValidExceptionCertificateParsingExceptionCRLExceptionThe java.security.interfaces PackageInterfacesDSAKeyDSAKeyPairGeneratorDSAParamsDSAPrivateKeyDSAPublicKeyRSAPrivateCrtKeyRSAPrivateKeyRSAPublicKeyClassesExceptionsThe java.security.spec PackageInterfacesAlgorithmParameterSpecKeySpecClassesDSAParameterSpecDSAPrivateKeySpecDSAPublicKeySpecEncodedKeySpecPKCS8EncodedKeySpecRSAPrivateCrtKeySpecRSAPrivateKeySpecRSAPublicKeySpecX509EncodedKeySpecExceptionsInvalidKeySpecExceptionInvalidParameterSpecExceptionThe javax.crypto PackageInterfacesSecretKeyClassesCipherCipherInputStreamCipherOutputStreamCipherSpiKeyAgreementKeyAgreementSpiKeyGeneratorKeyGeneratorSpiMacMacSpiNullCipherSealedObjectSecretKeyFactorySecretKeyFactorySpiExceptionsBadPaddingExceptionIllegalBlockSizeExceptionNoSuchPaddingExceptionShortBufferExceptionThe javax.crypto.interfaces PackageInterfacesDHKeyDHPrivateKeyDHPublicKeyClassesExceptionsThe javax.crypto.spec PackageInterfacesClassesDESedeKeySpecDESKeySpecDHGenParameterSpecDHParameterSpecDHPrivateKeySpecDHPublicKeySpecIvParameterSpecPBEKeySpecPBEParameterSpecRC2ParameterSpecRC5ParameterSpecSecretKeySpecExceptions
Downloading the Cryptix 3.1Installing Cryptix 3.1Testing Your Installation
OverviewKeystore LocationsKeytool CommandsThe -certreq CommandThe -delete CommandThe -export CommandThe -genkey CommandThe -help CommandThe -identitydb CommandThe -import CommandThe -keyclone CommandThe -keypasswd CommandThe -list CommandThe -printcert CommandThe -selfcert CommandThe -storepasswd CommandThe Cacerts Keystore
JAR FilesUsing the jar ToolCreating a JAR FileViewing a JAR FileExtracting the Contents of a JAR FileSigning JAR FilesUsing jarsigner to Sign a JAR FileVerifying the Signature of a JAR FileChanging the Applet Security Policy

Content preview from Java Security Handbook

Chapter 15. Java Servlet and JSP Security

This chapter covers security issues associated with Web applications developed using Java servlets and JavaServer Pages (JSP). It summarizes the operation of the Common Gateway Interface and discusses CGI and other Web-related security issues. It explains how servlets are developed and deployed and how a Web application's web.xml file can be configured to specify user authentication and access controls. JSP is introduced, and the relationship between JSP and servlet security is discussed.

The Common Gateway Interface

The Common Gateway Interface was adopted early on in the Web's formation as a standard for interfacing external programs to Web servers. The CGI enables these external programs, referred to ...