Programmer's Heaven - For C C++ Pascal Delphi Visual Basic Assembler C# .Net java JSP ASP ASP.NET Javascript developers!

  Security
Construct secure networked applications with certificates, Part 1
Public-key cryptography's importance to network security must not be overlooked. However, trust issues challenge public-key cryptography's usage in enterprise-scale settings. In Part 1 of this series on certificates, Todd Sundsted explains how they help public-key cryptography scale to meet the needs of enterprise usage.
Visits: 492 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Construct secure networked applications with certificates, Part 4
You can build applications using the tools and the information provided in the first three parts of this series on certificates. However, to build the most secure applications possible, you must understand the details of authentication and certificate verification. This month, Todd Sundsted takes you on a tour of authentication from the X.509 perspective and describes the steps necessary for verifying a chain of X.509 certificates.
Visits: 836 Updated: 2001-4-16  Rating: (Not Rated)  More info & Ratings
Creating Systrace Policies
In the last article, we examined basic systrace policies. This time we're going to learn how to create and use systrace policies. In a true paranoid's ideal world, sysadmins would read the source code for every application on their system and be able to build system call access policies by hand, relying only on their intimate understanding of every feature of the application. Most system administrators don't have that sort of time and would have better things to do with that sort of time if they did.
Visits: 406 Updated: 2003-12-3  Rating: (Not Rated)  More info & Ratings
Generate Certificate Chains for Testing Java Applications
Learn how to create digital-certificate chains to test your software. IBM Software Engineer, Paul H. Abbott, clarifies this seldom-documented process by showing you how to use the freely available OpenSSL toolkit to create a certificate chain of any length. He also describes common certificate attributes and shows you some sample Java code for reading the certificates you create into a Java keystore.
Visits: 389 Updated: 2004-8-25  Rating: (Not Rated)  More info & Ratings
IBM Security Providers: An Overview
The 1.4.2 release of the IBM developer kit for the Java platform provides the most comprehensive security offering for the Java 2 platform to date. It includes several IBM-specific security providers with new features and great enhancements. IBM security experts Yanni Zhang, Audrey Timkovich, and John Peck introduce the IBM security providers, review their functionality, and explain how they differ from Sun's providers.
Visits: 242 Updated: 2004-10-23  Rating: (Not Rated)  More info & Ratings
In Java we trust
The Java Security API makes it a simple matter to add security and authentication to your application. The result is an application that knows what and whom it can trust. This month, Todd delves into the Java Security API and demonstrates how to generate message digests, keys, and digital signatures.
Visits: 283 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Java 2 Platform and JAAS Authorization Architectures
Follow along as Java architect Abhijit Belapurkar leads this detailed, behind-the-scenes introduction to two distinctly different (yet related) models of authorization: the code-centric model of the Java 2 platform security architecture and the user-centric model of the Java Authentication and Authorization Service.
Visits: 299 Updated: 2004-5-6  Rating: (Not Rated)  More info & Ratings
Java security evolution and concepts, Part 1
This series of articles will provide a general understanding of network security as well as the unique aspects of the Java programming language essential for developers. This first article of a four-part series deals with network security concepts in general.
Visits: 632 Updated: 2001-5-28  Rating: (Not Rated)  More info & Ratings
Java security evolution and concepts, Part 1: Security nuts and bolts
This series of articles will provide a general understanding of network security as well as the unique aspects of the Java programming language essential for developers. The design and evolution of the Java platform security and the different Java security APIs will be discussed in future installments. Future articles will also cover the security features in Java 2 Platform, Enterprise Edition (J2EE), fast becoming the dot-com platform of choice. While an in-depth understanding of cryptography might be mathematically challenging, the first article presents an overview of the essential concepts of network security and cryptography, which are surprisingly simple to grasp. Plus: See the sidebars covering AES and the importance of key length to security.
Visits: 294 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Java security evolution and concepts, Part 4
Learn how optional packages extend and enhance Java security. In Parts 1 through 3 of this series, Raghavan Srinivas discussed network and Java security concepts, including a detailed look at applet security. In this article, the fourth and last in the series, he details the optional, yet important, packages that enhance Java security. Bonus: A working applet to demonstrate this article's concepts.
Visits: 467 Updated: 2001-5-28  Rating: (Not Rated)  More info & Ratings
Java security, Part 1: Crypto basics
The Java platform, both its base language features and library extensions, provides an excellent base for writing secure applications. In this tutorial, the first of two parts on Java security, Brad Rubin guides you through the basics of cryptography and how it is implemented in the Java programming language, using plenty of code examples to illustrate the concepts.
Visits: 483 Updated: 2003-11-13  Rating: (Not Rated)  More info & Ratings
Java security, Part 2: Authentication and authorization
The Java platform, both its base language features and library extensions, provides an excellent base for writing secure applications. In this tutorial, Part 2 of 2, Brad Rubin introduces the basic concepts of authentication and authorization and provides an architectural overview of JAAS. Through the use of a sample application, he'll guide your understanding of JAAS from theory to practice. By the end of the tutorial you will have a good foundation for working with JAAS on your own.
Visits: 405 Updated: 2003-11-19  Rating: (Not Rated)  More info & Ratings
Java's security architecture
One of the primary reasons Java technology is a "good fit" for networks is that it has a comprehensive security model designed into its architecture. The first half of this article gives an overview of Java's security model. The second half focuses on one aspect of that security model: the safety features built into the Java virtual machine.
Visits: 387 Updated: 2003-12-10  Rating: (Not Rated)  More info & Ratings
Mix protocols transparently in Struts
In this follow-up article, Steve Ditlinger shows how to extend Struts to incorporate that solution. Specifically, he demonstrates how to add custom properties to actions by extending the ActionMapping class. He also shows how to specify such property additions in the struts-config.xml file's action tag element without changing the document type definition (DTD) file. Next, he explains how to add both the behavior you desire and the necessary supporting properties to an ActionServlet class extension. Finally, he extends two Struts custom tags to take advantage of the ActionMapping and ActionServlet class extensions and minimizes the redirections to improve the mixed protocol solution.
Visits: 561 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Mix protocols transparently in Web applications
To maintain the security of sensitive data as it travels over the Internet to or from the browser, Web applications often rely on Secure Sockets Layer (SSL). The secure Webpages and processes that transmit sensitive data utilize HTTP over SSL (HTTPS) rather than the usual HTTP. Integrating SSL into a Web application should prove seamless and simple to implement as well as maintain. In this article, Steve Ditlinger explores typical SSL implementations. He develops an SSL solution using the J2EE (Java 2 Platform, Enterprise Edition) servlet redirect mechanism to protect sensitive data transmission. He also develops an overall solution combining JavaServer Pages (JSP) custom tags and an application-specific servlet base class. In addition, he demonstrates this solution's implementation within an application using the Struts framework and proposes an enhancement to Struts for better integration.
Visits: 505 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Part 2: Discover the ins and outs of Java security
This is the second article in a four-part series that examines the challenges associated with running Java code securely over the network.
Visits: 471 Updated: 2001-5-28  Rating: (Not Rated)  More info & Ratings
Part 3: Applet security
In this third installment, the author will take a look at the challenges of security for, and the deployment of, applets.
Visits: 606 Updated: 2001-5-28  Rating: (Not Rated)  More info & Ratings
Safeguard your XML-based messages
Apache XML Security is an open source implementation of the XML Digital Signature specification that allows you to digitally sign your Web service messages. Digital signatures assure your messages' receivers that the messages are really from you. After reading this article, which serves as an introductory tutorial to Apache XML Security, you will be well prepared to start signing your Web services messages.
Visits: 428 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Secure your Java apps from end to end, Part 1
In this series of articles, Todd Sundsted examines virtual machine security, application security, and network security, explaining what it takes to make your application secure in each context.
Visits: 539 Updated: 2001-6-15  Rating: (Not Rated)  More info & Ratings
Secure your Java apps from end to end, Part 2
This article introduces you to the most common types of design and implementation flaws that turn into security vulnerabilities and describes how to avoid them.
Visits: 429 Updated: 2001-7-15  Rating: (Not Rated)  More info & Ratings
Secure your Java apps from end to end, Part 3
In Part 3, the final installment of security examination, the author explores these issues and gives you the insight necessary to manage them.
Visits: 447 Updated: 2001-8-16  Rating: (Not Rated)  More info & Ratings
Secure Your Sockets with JSSE
This article installs and uses the JSSE to implement HTTPS, and provides an example of a mini-HTTPS server and Java clients that support SSL.
Visits: 755 Updated: 2001-7-15  Rating: (Not Rated)  More info & Ratings
Securing Java Code: Part 1
This article introduced policy and covered product requirements, error handling, and object states.
Visits: 522 Updated: 2001-5-11  Rating: (Not Rated)  More info & Ratings
Securing Java Code: Part 2
In this installment in our series, we further examine the elements that should be part of a secure Java code policy, including such safeguards as compartmentalization and cryptography.
Visits: 558 Updated: 2001-5-11  Rating: (Not Rated)  More info & Ratings
Securing Linux for Java services
Enterprise Java expert Dennis Sosnoski starts with his view of how Java server technologies fit with Linux, then gives pointers on setting up the Tomcat Java servlet engine on Linux -- securely.
Visits: 351 Updated: 2003-12-2  Rating: (Not Rated)  More info & Ratings
Security and the class loader architecture
One of the primary reasons Java technology is a "good fit" for networks is that it has a comprehensive security model designed into its architecture. Beginning with a refresher on the Java sandbox, this article turns to one aspect of that security model: the class loader architecture of the Java virtual machine. The class loader architecture causes code downloaded from different sources to be kept separate, and prevents the loading of untrusted classes that declare themselves to be part of a trusted library.
Visits: 384 Updated: 2003-12-10  Rating: (Not Rated)  More info & Ratings
Security and the class verifier
One of the primary reasons Java technology is a "good fit" for networks is that it has a comprehensive security model designed into its architecture. This article turns to one aspect of that security model: the class verifier of the Java virtual machine (JVM). The class verifier enables untrusted code to be verified up front, rather than on the fly as the code is executed. This ability provides uninterrupted execution (the program can't "crash" uncontrollably) at a minimal cost in speed degradation.
Visits: 366 Updated: 2003-12-10  Rating: (Not Rated)  More info & Ratings
Security is in the eye of the beholder
One of the difficulties of working with traditional client/server applications has been their ability to scale easily to large numbers of users. This has been much less of a problem when using Internet technologies. However, when applications are easy to scale, they create greater demands on security. The line between secure and vulnerable is fuzzy at best, but Java makes life easier.
Visits: 293 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Signed and delivered: An introduction to security and authentication
Whether information arrives as applet or agent, e-mail or e-check, you can ultimately believe its claims, assess its value, or trust its promises only to the extent that you can trust every hand that it passed through. This is the basis of one of the biggest dichotomies of the information age: The technology that makes it easy to copy and distribute digital information also makes it easy to modify or create cunning digital forgeries of that same information. This month, Todd introduces the topics of security and authentication, and explains how the Java Security API can help us create secure and trustworthy code.
Visits: 315 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Signed and sealed objects deliver secure serialized content
Protect information with the SignedObject and SealedObject classes. This article introduces you to two classes designed to protect the contents of serialized objects from manipulation and examination.
Visits: 1009 Updated: 2000-11-28  Rating: (Not Rated)  More info & Ratings
Twelve rules for developing more secure Java code
Java is growing up and is starting to be used in many security-critical situations. But even with its advanced security architecture and built-in security features, Java isn't immune to security risks. As Java security practitioners, authors Gary McGraw and Edward Felten have learned many valuable lessons about how to create more secure code. Writing security-critical code isn't easy, and developers need all the help they can get. In this article, McGraw and Felten offer 12 rules for writing safer Java code.
Visits: 354 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Understanding the keys to Java security -- the sandbox and authentication
Security concerns are important for Java (and other systems for executable content, like ActiveX). When new flaws like the recently announced code-signing hole are discovered, the press often covers the story without much depth. We think it is important to explain Java security holes and antidotes in their proper context. This article explains the code-signing bug in technical detail. But instead of jumping into the explanation right off the bat, we begin with a bit of stage-setting. We'll start by covering the Java sandbox, and go on to discuss authentication through digital signing. Only then do we introduce the star of the show, the code-signing security hole, and discuss its impact and implications.
Visits: 410 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Use constant types for safer and cleaner code
Using constant types makes your code safer and cleaner; it reduces the chance of typos that the compiler can't catch while preventing other programmers from passing you invalid values. Constant types also provide a nice object-oriented way to encapsulate arbitrary data in legacy systems.
Visits: 296 Updated: 2003-12-11  Rating: (Not Rated)  More info & Ratings
Web FORM-Based Authentication
This article walks you through the various security settings that can be set up in the Web Application framework, going into detail on how you can set up FORM-based authentication.
Visits: 1865 Updated: 2001-8-8  Rating: (Not Rated)  More info & Ratings


© 1996-2008 Community Networks Ltd All rights reserved. Reproduction in whole or in part, in any form or medium without express written permission is prohibited. Violators of this policy may be subject to legal action. Please read Terms Of Use and Privacy Statement for more information. Development by ASP.NET Konsult - Synchron Data.