"The book is of enormous consequence and potential value. The Java 2 Platform Security represents an advance of major proportions, and the information in this book is captured nowhere else." --Peter G. Neumann, Principal Scientist, SRI International Computer Science Lab, author of Computer-Related Risks, and Moderator of the Risks Forum "Profound! There are a large number of security pearls. I enjoyed and was very impressed by both the depth and breadth of the book." --Stephen Northcutt, Director of Research for Intrusion Detection and Response, SANS Institute Inside the Java 2 Platform Security is the definitive and comprehensive guide to the Java security platform. Written by the Chief Java Security Architect at Sun, it provides a detailed look into the central workings of the Java security architecture and describes security tools and techniques for successful implementation. This book features detailed descriptions of the many enhancements incorporated within the security architecture that underlies the Java 2 platform. It also provides a practical guide to the deployment of Java security, and shows how to customize, extend, and refine the core security architecture. For those new to the topic, the book includes an overview of computer and network security concepts and an explanation of the basic Java security model. You will find detailed discussions on such specific topics as: *The original Java sandbox security model *The new Java 2 Platform permission hierarchy *How Java security supports the secure loading of classes *Java 2 access control mechanisms *Policy configuration *Digital certificates *Security tools, including Key Store and Jar Signer *Secure Java programming techniques *Ways to customize the Java security architecture with new permission types *How to move legacy security code onto the Java 2 Platform In addition, the book discusses techniques for preserving object security--such as signing, sealing, and guarding objects--and outlines the Java cryptography architecture. Throughout, the book points out common mistakes and contains numerous code examples demonstrating the usage of classes and methods. With this complete and authoritative guide, you will gain a deeper understanding into how and why the Java security technology functions as it does, and will be better able to utilize its sophisticated security capabilities in the development of your applications. 0201310007B04062001

Table of Contents:
Preface. How This Book Is Organized. Acknowledgments. 1. Computer and Network Security Fundamentals. Cryptography versus Computer Security. Threats and Protection. Perimeter Defense. Firewalls. Inadequacies of Perimeter Defense Alone. Access Control and Security Models. MAC and DAC Models. Access to Data and Information. Static versus Dynamic Models. Considerations Concerning the Use of Security Models. Using Cryptography. One-Way Hash Functions. Symmetric Ciphers. Asymmetric Ciphers. Authentication. Mobile Code. Where Does Java Security Fit In. 2. Basic Security for the Java Language. The Java Language and Platform. Basic Security Architecture. Bytecode Verification and Type Safety. Signed Applets. A Brief History of Security Bugs and Fixes. 3. JDK 1.2 Security Architecture. From the Beginning. Why a New Security Architecture. Sandbox Restrictions on Applets Too Limiting. Insufficient Separation Between Policy and Enforcement. Security Checks Not Easily Extensible. Locally Installed Applets Too Easily Trusted. Internal Security Mechanisms Fragile. Summary. java.security.GeneralSecurityException. Security Policy. CodeSource. Testing for Equality and Using Implication. Permission Hierarchy. java.security.Permission. Permission Sets. java.security.UnresolvedPermission. java.io.FilePermission. java.net.SocketPermission. java.security.BasicPermission. java.util.PropertyPermission. java.lang.RuntimePermission. java.awt.AWTPermission. java.net.NetPermission. java.lang.reflect.ReflectPermission. java.io.SerializablePermission. java.security.SecurityPermission. java.security.AllPermission. Implications of Permission Implications. Assigning Permissions. Positive versus Negative Permissions. ProtectionDomain. Securely Loading Classes. Class Loader Hierarchy. java.lang.ClassLoader and Delegation. java.security.SecureClassLoader. java.net.URLClassLoader. Classpaths. java.lang.SecurityManager. Example Use of the Security Manager. Unchanged APIs in JDK 1.2. Deprecated Methods in JDK 1.2. java.security.AccessController. Interface Design of AccessController. The Basic Access Control Algorithm. Method Inheritance. Extending the Basic Algorithm with Privileged Operations. Three Types of Privileged Actions. The Context of Access Control. The Full Access Control Algorithm. SecurityManager versus AccessController. A Mini-History of Privileged Operations. Summary and Lessons Learned. 4. Deploying the Security Architecture. Installing JDK 1.2. Policy Configuration. Configuring System-Wide and User-Specific Policies. Configuring Application-Specific Policies. Configuring an Alternative Policy Class Implementation. Default Policy File Format. Policy File Examples. Property Expansion in Policy Files. Digital Certificates. Helpful Security Tools. Keystore Databases. Keytool. Policy Tool. Jarsigner. Code Signing Example. Managing Security Policies for Nonexperts. 5. Customizing the Security Architecture. Creating New Permission Types. Composite Permissions. Customizing Security Policy. Migrating JDK 1.1-Based Security Managers. JDK 1.1 Security Manager Classes. Accommodating JDK 1.1 Security Managers on JDK 1.2. Modifying JDK 1.1 Security Managers for JDK 1.2. 6. Object Security. Security Exceptions. Fields and Methods. Static Fields. Private Object State and Object Immutability. Privileged Code. Serialization. Inner Classes. Native Methods. Signing Objects. Sealing Objects. Guarding Objects. Examples of Using GuardedObject. 7. Programming Cryptography. Design Principles. Cryptographic Services and Service Providers. Installing and Adding a Provider. Cryptography Classes. java.security.Security. java.security.Provider. java.security.MessageDigest. java.security.Signature. Algorithm Parameters. java.security.Key and java.security.spec.KeySpec. java.security.KeyFactory and java.security.cert.CertificateFactory. KeyPair and KeyPairGenerator. java.security.KeyStore. Randomness and Seed Generators. java.security.SecureRandom. Code Examples. Example 1: Computing a Message Digest. Example 2: Generating a Public/Private Key Pair. Example 3: Generating and Verifying Signatures. Example 4: Reading a File That Contains Certificates. Standard Names. Message Digest Algorithms. Key and Parameter Algorithms. Digital Signature Algorithms. Random Number Generation Algorithms. Certificate Types. Keystore Types. Algorithm Specifications. SHA-1 Message Digest Algorithm. MD2 Message Digest Algorithm. MD5 Message Digest Algorithm. Digital Signature Algorithm. RSA-Based Signature Algorithms. DSA KeyPair Generation Algorithm. RSA KeyPair Generation Algorithm. DSA Parameter Generation Algorithm. 8. Future Directions. Security Management. JDK Feature Enhancement. Java Authentication and Authorization Service. Subjects and Principals. Credentials. Pluggable and Stacked Authentication. Callbacks. Access Control. JAAS Implementation. Conclusion. Bibliography. Index. 0201310007T04062001