Topic: Java Security
Java Security includes such topics as Java Cryptography (JCE), Java Authentication and Authorization Service (JAAS), as well as these tools: jarsigner, keytool and policytool. The security model supports fine-grain access control, governed by system-wide policy files and per-user policy files. Java security is a topic of increasing interest, especially as Java becomes the standard in enterprise application development.
O'Reilly Network articles about this topic:
Discovering a Java Application's Security Requirements
Java security manager policy files are powerful and flexible, but rather grueling and error-prone to write by hand. In this article Mark Petrovic employs a novel approach: a development-time SecurityManager that logs your applications' calls and builds a suitable policy file.
Separation of Concerns in Web Service Implementations
The principle of "separation of concerns" is much repeated in SOA circles... so why are transactional integrity, security, and business logic so often intermingled in SOA implementations? In this article, Tieu Luu shows how to use Spring to separate out security concerns in an Axis-based web service.
WS-Security in the Enterprise, Part 2: The Framework
Denis Pilupchuk continues his series on developing a WS-Security toolkit by developing a general framework to match the needs identified in part one and by starting to map WSSE features to Java objects.
Using SSL with Non-Blocking IO
Java 1.4 introduced non-blocking IO in the NIO package, but not a means of running SSL over it. That forced developers to choose between security and scalability. In J2SE 5.0, there is now a transport-agnostic SSL API, but it takes some work to understand. Nuno Santos shows how to put the two together.
Java and Security, Part 2
This second and final excerpt from Chapter 17 of WebLogic: The Definitive Guide covers WebLogic's various security providers and their default implementations, along with a look at how to authenticate using JAAS, and examples of Authentication and Identity Assertion Providers.
Java and Security, Part 1
In part one in a two-part series of excerpts from Chapter 17 of WebLogic: The Definitive Guide, authors Avinash Chugh and Jon Mountjoy examine WebLogic's various security mechanisms, beginning with a look at the Java Security Manager and how WebLogic filters connection requests. They also cover WebLogic's authentication and authorization framework and how it supports the standard J2EE security services.
Java vs. .NET Security, Part 4
Java and .NET address similar code security issues, but which one offers the best security implementation? Denis Piliptchouk's series concludes with a look at user authentication and permissions, and a final wrap-up.
Security in Struts: User Delegation Made Possible
Struts may not have an all-encompassing security scheme, but what it does offer is extensibility. Werner Raemakers looks at how to extend Struts' security by allowing one group of users to delegate permissions to others.
Java vs. .NET Security, Part 3
Java and .NET address similar code security issues, but which one offers the best security implementation? Denis Piliptchouk's series continues with a look at how each platform handles code protection and code access.
Java vs. .NET Security, Part 2
Java and .NET address similar code security issues, but which offers the best security implementation? Denis Piliptchouk's series continues with a look at cryptography support.
Java vs. .NET Security, Part 1
Java and .NET address similar code security issues, but which one offers the best security implementation? Denis Piliptchouk's series starts with a side-by-side look at how each performs configuration, code verification, and memory isolation.
J2EE Form-based Authentication
J2EE Web containers support form-based authentication mechanisms, but how do you integrate application-based security with that in other realms? This article explains.
Java API Map
Is the world of Java getting a little unwieldy for you? Use our Java API map and directory to track all significant Java platforms and their respective Java APIs. Includes the JAX Pack and MIDlets.
The Java Platform
In this excerpt from O'Reilly & Associates' Java in a Nutshell, 4th Edition, David Flanagan shows you a number of the Java 2SE platform packages, using examples of the most useful classes in these packages.
Web FORM-Based Authentication
Dion walks you through the various security settings that can be set up in the Web Application framework, going into detail on how you can set up FORM-based authentication.
Using Tomcat 4 Security Realms
In part 4 of his Using Tomcat series, James Goodwill covers Tomcat 4, focusing on security realms using both memory and JDBC realms (with a MySQL database example).
JSP Security for Limiting Access to Application-Internal URLs
Jamie Jaworski covers a technique for designing and building simple JSP applications, which provides some security benefits such as limiting access to application-internal URLs.
Java Application Security
In this excerpt from Chapter 1 of Java Security, 2nd Edition, Scott Oaks covers Java application security by defining security; bounding the Java security model; and finally debugging Java security in an applet or application.
Secure Your Sockets with JSSE
Jamie Jaworski installs and uses the JSSE to implement HTTPS, provides an example of a mini-HTTPS server, and Java clients that support SSL.
Programmatically Signing JAR Files
While in most cases programmatically signing JAR files is frowned upon, there are a few cases when it is necessary.
Java Plug-in 1.3 and RSA Signed Applets
Jamie Jaworski focuses on the latest release of the Java plug-in (v.1.3) and its support for RSA signed applets as well as dynamic trust management.
Java JDE Allows Unauthorized Commands
Noel Davis shows us a problem in Java that allows Java code to execute unauthorized commands; buffer overflows in CUPS and sudo; temporary file problems with StarOffice, MicroFocus COBOL, and CUPS; and vulnerabilities in pgp4pine, the Solaris LDAP PAM module, adcycle, and Zope.
Other documents about this topic:
Below are other references available on the web for this topic. Since other sites may change their links, please let us know if you find any that need to be updated.
Java JDE Allows Unauthorized Commands
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a problem in Java that allows Java code to execute unauthorized commands. Some versions of Sun's JRE (Java Runtime Environment), SDK (System Development Kit), and the JDK (Java Development Kit) have a bug that can allow Java code to execute unauthorized commands. This bug is mitigated by the requirement that the malicious code have permission to execute at least one command. Sun has reported that they have no knowledge of the bug affecting Netscape Navigator or Microsoft Explorer. [Source: O'Reilly Network]
JAAS (Java Authentication and Authorization Service) is a Java security API. JAAS was covered in this tutorial session at the 2001 O'Reilly Enterprise Java Conference. [Source: O'Reilly]