Preparing for J2EE Architect Certification – Understanding Security
In this post we share some notes on security and cryptography for the J2EE Architect certification.
Security
Select from a list security restrictions that Java 2 environments normally impose on applets running in a browser. The Java 2 security model is policy-based and has superseded the sandbox/trusted approach of Java 1.1. In Java 1.1, remote code (applets, for example) that was not trusted was constrained to the sandbox. If the remote code was signed and trusted, then it could access local resources.
Cryptography, Digital signatures and Certificates can be used to increase the security of a system. Java offers a number of interfaces for related services. Firewalls are also important for protecting the gateway between trusted and untrusted networks.
Code Source: A combination of a set of signers (certificates) and a code base URL. By default, Java 2 uses a policy file to associate permissions with code sources.
Security Policy File: A permission is the right to access a protected resource or guarded object. For Java 2, permissions are specified in the security policy file. Only one policy is in effect at a time. A policy file consists of a number of grant entries. Each grant entry describes the permissions (one or multiple) granted to a code source.
Policy class: You can use java.security.Policy to create your own security policy.
java.security package : The following are some of the classes in the java.security package:
CodeSource – This class extends the concept of a codebase to encapsulate not only the location (URL) but also the certificate(s) that were used to verify signed code originating from that location.
KeyStore – This class represents an in-memory collection of keys and certificates. It manages keys and trusted certificates.
MessageDigest – The MessageDigest class provides applications the functionality of a message digest algorithm, such as MD5 or SHA.
Permission – Abstract class for representing access to a system resource.
Policy – This is an abstract class for representing the system security policy for a Java application environment (specifying which permissions are available for code from various sources).
ProtectionDomain – The ProtectionDomain class encapsulates the characteristics of a domain, which encloses a set of classes whose instances are granted the same set of permissions.
Security – Centralizes all security properties and common security methods.
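The grant entry described above, and the CodeSource, Permission and ProtectionDomain classes from this list, can be seen working together in the following added example (not part of the original notes). The class name GrantEntryDemo, the code base URLs and the Unix-style file paths are constructed for illustration; the code checks permissions directly with ProtectionDomain.implies and installs no SecurityManager.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

// Added illustration. A policy-file grant entry with roughly the same effect:
//   grant codeBase "https://example.com/applets/-" {
//       permission java.io.FilePermission "/tmp/applet-data/-", "read";
//       permission java.util.PropertyPermission "java.version", "read";
//   };
public class GrantEntryDemo {

    // Builds the protection domain for one code source with a fixed permission set.
    static ProtectionDomain domainFor(String codeBase, Permission... granted) throws Exception {
        // Unsigned code: no certificates, so the code source is only the code base URL.
        CodeSource source = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        Permissions permissions = new Permissions();
        for (Permission p : granted) {
            permissions.add(p);
        }
        // Two-argument constructor: the permissions are static, no Policy lookup is involved.
        return new ProtectionDomain(source, permissions);
    }

    public static void main(String[] args) throws Exception {
        // Domain holding the two permissions from the grant entry above.
        ProtectionDomain granted = domainFor("https://example.com/applets/",
                new FilePermission("/tmp/applet-data/-", "read"),
                new PropertyPermission("java.version", "read"));
        // Domain for a code source that no grant entry mentions: empty permission set.
        ProtectionDomain sandboxed = domainFor("https://untrusted.example/applets/");

        // Constructed access requests that each domain is asked to authorize.
        Permission[] requests = {
            new FilePermission("/tmp/applet-data/report.txt", "read"),
            new FilePermission("/tmp/applet-data/report.txt", "write"),
            new FilePermission("/etc/passwd", "read"),
            new PropertyPermission("java.version", "read"),
            new PropertyPermission("user.home", "read"),
        };
        for (Permission request : requests) {
            System.out.printf("%-62s granted-domain=%b empty-domain=%b%n",
                    request, granted.implies(request), sandboxed.implies(request));
        }
    }
}
```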
Given an architectural system specification, identify appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.
Exposure to threats can be mitigated by using:
Authentication, Authorization (ACLs), Protecting Messages, Auditing
Web tier authentication (This is the usual location for this)
- Basic HTTP – the web server authenticates a principal with user name & password from Web client
- Form-based – lets developers customize the authentication user
- HTTPS mutual authentication – the client and server use X.509 certificates to establish identity over an SSL channel.