Synopses & Reviews
Java's most striking claim is that it provides a secure programming environment. However, despite lots of discussion, few people understand precisely what Java's claims mean and how it backs up those claims. Java Security is an in-depth exploration aimed at developers, network administrators, and anyone who needs to work with or understand Java's security mechanisms. It discusses in detail what security does and doesn't mean, what Java's default security policies are, and how to create and implement your own policies.

In doing so, Java Security provides detailed coverage of security managers, class loaders, the access controller, and much of the java.security package. It discusses message digests, certificates, and digital signatures, showing you how to use Java's facilities for signing classes or to implement your own signature facility. It shows you how to write a class loader that recognizes signed classes, verifies the signature, and cooperates with a security manager to grant additional privileges. It also discusses the problem of managing cryptographic keys and shows you how to implement your own key management systems.

Java Security is an essential book for everyone using Java in real-world software. If you're deploying software written in Java, you need to know how to grant your classes the privileges they need, without granting privileges to untrusted classes. You need to know how to protect your systems against intrusion and corruption. Java provides the tools; this book shows you how to use them.
Synopsis
"Java Security" covers Java's security mechanisms and teaches you how to work with them. It discusses class loaders, security managers, access lists, digital signatures, and authentication and shows how to use these to create and enforce your own security policy.
Description
Includes bibliographical references (p. 374) and index.
About the Author
Henry Wong has been a senior consultant at Enigmatec Corporation since 2004, involved with many Java-related projects. In this role, he has worked with many hardware platforms, operating systems, application servers, and third-party packages and services.
Henry previously worked as a computer engineer at Sun Microsystems from 1989 to 2003. Originally hired as a consultant to help customers with special device drivers, kernel modifications, and DOS interoperability products, Henry has also worked on Solaris ports, performance tuning projects, and multithreaded design and implementations for benchmarks and demos. Since early 1995, Henry has been involved in developing Java prototypes and supporting customers who are using Java.
Prior to working at Sun, Henry earned a Bachelor of Science degree in chemical engineering from The Cooper Union in 1987. He joined a small software company in 1986 working on SCSI device drivers, image and audio data compression, and graphics tools used for a medical information system.
When not in front of a computer, Henry is an instrument-rated private pilot who also likes to dabble in archery, cooking, scuba diving, and traveling to different places with his wife, Nini.
Table of Contents
Preface
  Who Should Read This Book?
  Versions Used in This Book
  Conventions Used in This Book
  Organization of This Book
  How to Contact Us
  Acknowledgments
  Feedback for the Author
Chapter 1: Java Application Security
  1.1 What Is Security?
  1.2 The Java Sandbox
  1.3 Applications, Applets, and Programs
  1.4 Running a Java Application
  1.5 Summary
Chapter 2: Java Language Security
  2.1 Java Language Security Constructs
  2.2 Enforcement of the Java Language Rules
  2.3 Summary
Chapter 3: Java Class Loaders
  3.1 Security and the Class Loader
  3.2 Anatomy of a Class Loader
  3.3 Loading Classes
  3.4 Implementing a Class Loader
  3.5 Extensions to the Class Loader
  3.6 Miscellaneous Class Loading Topics
  3.7 Summary
Chapter 4: The Security Manager Class
  4.1 Overview of the Security Manager
  4.2 Trusted and Untrusted Classes
  4.3 Using the Security Manager
  4.4 Summary
Chapter 5: The Access Controller
  5.1 The CodeSource Class
  5.2 Permissions
  5.3 The Policy Class
  5.4 Protection Domains
  5.5 The AccessController Class
  5.6 Guarded Objects
  5.7 Summary
Chapter 6: Implementing Security Policies
  6.1 Protected Methods of the Security Manager
  6.2 Security Managers and the Class Loader
  6.3 Implementation Techniques
  6.4 Running Secure Applications
  6.5 Summary
Chapter 7: Introduction to Cryptography
  7.1 The Need for Authentication
  7.2 The Role of Authentication
  7.3 Cryptographic Engines
  7.4 Summary
Chapter 8: Security Providers
  8.1 The Architecture of Security Providers
  8.2 The Provider Class
  8.3 The Security Class
  8.4 The Architecture of Engine Classes
  8.5 Summary
Chapter 9: Message Digests
  9.1 Using the Message Digest Class
  9.2 Message Digest Streams
  9.3 Implementing a MessageDigest Class
  9.4 Summary
Chapter 10: Keys and Certificates
  10.1 Keys
  10.2 The KeyPairGenerator Class
  10.3 The KeyFactory Class
  10.4 Certificates
  10.5 Keys, Certificates, and Object Serialization
  10.6 Summary
Chapter 11: Key Management
  11.1 Overview of Key Management
  11.2 The KeyStore Class
  11.3 A Key Management Example
  11.4 Summary
Chapter 12: Digital Signatures
  12.1 The Signature Class
  12.2 Signed Classes
  12.3 Implementing a Signature Class
  12.4 Summary
Chapter 13: Encryption
  13.1 Export Restrictions
  13.2 The Sun Security Provider in the JCE
  13.3 Key Types in the JCE
  13.4 Secret Key Engines
  13.5 Encrypting Data
  13.6 Cipher Streams
  13.7 Symmetric Key Agreement
  13.8 Sealed Objects
  13.9 Summary
Security Tools
  The keytool
  The jarsigner Tool
  The policytool
  Files to Administer by Hand
Identity-Based Key Management
  Identities
  Identity Scopes
  Key Management in an Identity Scope
  Summary
Security Resources
  Security Bugs
  Third-Party Security Providers
  Security References
Quick Reference
  Package java.security
  Package java.security.cert
  Package java.security.interfaces
  Package java.security.spec
  Package javax.crypto
  Package javax.crypto.interfaces
  Package javax.crypto.spec
  Miscellaneous Packages
Colophon