Java Security Solutions Rich Helton and Johennie Helton Published by Wiley Publishing, Inc 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2002 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada Library of Congress Control Number: 2002107908 ISBN: 0-7645-4928-6 Manufactured in the United States of America 10 1B/RV/QY/QS/IN No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744 Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-Mail: permcoordinator@wiley.com Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose No warranty may be created or extended by sales representatives or written sales materials The advice and strategies contained herein may not be suitable for your situation You should consult with a professional where appropriate Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S at (800) 762-2974, outside the U.S at (317) 572-3993 or fax (317) 572-4002 Wiley also publishes its books in a variety of electronic formats Some content that appears in print may not be available in electronic books Trademarks: Wiley, the Wiley Publishing logo and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission Java is a trademark or registered trademark of Sun Microsystems, Inc All other trademarks are the property of their respective owners Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book About the Authors Rich and Johennie Helton are a husband and wife team whose collective experience in the computer industry spans over 30 years Together their work history covers most of the facets of the software development life cycle Their focus has been security as it applies to networks, applications, and enterprise solutions The Heltons operate a consulting firm known as RichWare, LLC (www.richware.com) Rich Helton's career in computers and security spans over 20 years His early interest was in amateur radio During the 80s he joined the Air Force, and he spent most of the decade in Frankfurt, Germany, working with computers and secured communications After serving in the Air Force, Rich was offered a consulting position at OmniPoint Data Corp, where he helped the inventors of wireless PCS communications He finished his MSCS in computer communications at the University of Colorado He has enjoyed many consulting positions over the past 12 years, specializing in network security, protocols, and architecture for many companies His experience includes building Secure NFS, secure Internet and Intranets, building monitoring software for enterprise communications and many distributed products He has served as lead Java architect specializing in security in such industries as brokerage, financial, telecommunications, and logistics He is a Sun Certified Java Programmer and Developer He is also BEA WebLogic 6.0 Developer Certified Rich is a co-author of BEA WebLogic Server Bible [Wiley Technology Publishing, 2002] Johennie Helton is a systems architect specializing in J2EE technologies Her professional life has included design, development, and software consulting in numerous n-tier distributed solutions for the automobile, financial, healthcare, retail, and coupon industries During her career she has focused on leading-edge technologies She has a strong background in object-oriented analysis, design and implementation, databases, application modeling, and hypermedia systems She has helped companies move to Java and has experienced firsthand the needs and realities of providing a secure solution to the enterprise She has a MSCS from the University of Colorado, and she is a contributing author to Java Data Access: JDBC, JNDI, and JAXP [Wiley Technology Publishing, 2002] Credits Executive Editor Chris Webb Senior Acquisitions Editor Grace Buechlein Project Editor Sharon Nash Technical Editors Ashutosh Bhonsle David Wall Greg Wilcox Copy Editor Kim Cofer Editorial Manager Mary Beth Wakefield Vice President & Executive Group Publisher Richard Swadley Vice President and Executive Publisher Bob Ipsen Vice President and Publisher Joseph B Wikert Executive Editorial Director Mary Bednarek Project Coordinator Maridee Ennis Proofreading Kim Cofer Indexing Johnna VanHoose Dinse For Ashley and Courtney Table of Contents Java Security Solutions Preface Part I - Introduction to Security Chapter - Security Basics Chapter - Hackers and Their Tools Chapter - Java Security Components Part II - Identity and Authentication Chapter - Key Management Algorithms Chapter - Elliptic Curve Cryptography Chapter - Key Management Through the Internet Protocol Chapter - Implementing Keys with Java Chapter - Java Implementation of Key Management Part III - Data Integrity Chapter - Ensuring Data Integrity Chapter 10 - Ensuring Message Authentication Chapter 11 - Signature Integrity Part IV - Data Hiding Chapter 12 - Understanding Ciphers Chapter 13 - Extending New Ciphers with the JDK Chapter 14 - Applying Ciphers Part V - Resource Access Using Java Chapter 15 - Securing Enterprise Resources Chapter 16 - Java Authentication and Authorization Through Kerberos Chapter 17 - Securing Messages with the Java GSS-API Chapter 18 - Java Access: The Security Manager Chapter 19 - Java Authentication and Authorization Service Part VI - Enterprise Data Security Chapter 20 - Working with Database Security Part VII - Network Access Chapter 21 - Network Security Architecture Chapter 22 - SSL and TLS Chapter 23 - Java Secure Socket Extension Part VIII - Public Key Management Chapter 24 - Java Digital Certificates Chapter 25 - PKI Management Part IX - Enterprise Access Chapter 26 - Java Enterprise Security and Web Services Security Chapter 27 - Securing Client-Side Components Chapter 28 - Securing Server-Side Components Chapter 29 - Application Security with Java Index List of Figures List of Tables List of Listings Preface Welcome to Java Security Solutions, a book that explains security in general and Java security in particular This book includes cryptography, algorithms, and architecture It provides practical solutions to security problems and not only describes the different security technologies, but explains why the different technologies exist and why you should use them The source code is done in Java and illustrates how security in Java works This book also shows how to extend Java to provide a more secure organization In this book, we wanted to show more than just how to use Java components We also wanted to show how to extend them, explain the reasons why algorithms like RSA are important, and inform readers about the basic protocols In short, we wanted to answer the what, when, how, and why of the Java components used in security solutions Why This Book? Some of the specifications that we address in this book include J2EE, WebServices, CORBA, JAAS, RMI, JSSE, SKIP, SASL, GSS-API, IPSec, X.509 certificates, cryptography, RSA, Elliptical Curve Cryptography, DSS, DSA, Kerberos, LDAP, TLS, WTLS, message digests, key agreements, key management, java access, ciphers, firewalls, network security, PKI, and much more This book helps you: Think as a hacker so that you can avoid the security pitfalls that hackers exploit Understand the building blocks of security so that you can take full advantage of security features Learn how to apply Java security features effectively and efficiently Get hands-on experience with security algorithms and their implementation Understand procedures for ensuring secure communications within the enterprise Learn how to add security to enterprise applications Understand ciphers Ensure message authentication and data integrity Understand network security architecture View your solution from beginning to end and look for vulnerable points along the way Why Java? These days, Java is the language of choice for the development of Web applications and enterprise solutions Typically, these are distributed systems requiring distributed communication among the components This distributed communication is supported by CORBA, RMI, or RMI over IIOP, and the combination of these technologies along with Java provide a tool set that allows the development of secure solutions Security has been a major design goal for Java ever since the creation of the language Java provides a language, runtime environment, APIs, and tools that are ideal for the development of secure systems The Java Development Kit (JDK) 1.4 comes standard with many cryptography components in its distribution and technologies that allow the support and development of secure solutions Some of these technologies include X.509 certificates, key agreement, a way to specify security policies, authentication, authorization, code signing, and cryptographic support The JDK 1.4 now integrates into its distribution the Java Cryptography Extension (JCE) as cryptography components and Java Authentication and Authorization Services (JAAS) Java also provides the Java Secure Socket Extension (JSSE) Although you can create solutions without these technologies, these solutions will probably be less portable and more expensive than if you use the JDK 1.4 It is definitely worth it to take your time and learn what Java has to offer In order for you to understand how these technologies can be used successfully, however, you need to understand the why, when, how, and what behind the different Java components That is where this book comes in What You Need to Know This book is for anyone who wants to understand security issues and how to prevent security violations If you want to understand how to address security concerns and how to implement many of the standards and protocols in Java, this book is for you The typical reader of this book is the intermediate to advanced Java developer, Java architect, and systems architect Basic Java programming knowledge is assumed, and therefore, concepts such as EJB deployment, Java language constructs, HTML, Web server and application server technologies are not covered in detail We address these concepts from the security perspective and not at an introductory level How This Book Is Organized This book provides a discussion on all aspects of security We begin by introducing security and its requirements Then we introduce the Java components that address these requirements, including the reasons why and how these components are to be used Then we move on to resource, enterprise, and network security This book is divided into nine parts Part I: Introduction to Security This part covers the basics of security, explains the need for security, and introduces you to the way hackers think, the tools that are available to hackers, and the most common attacks In addition, this part categorizes security elements and the different Java components available for security If you cannot wait to start with Java security, its components, and implementation, we suggest you skip to Chapter 3, "Java Security Components." Part II: Identity and Authentication This part provides an overview of key management algorithms, Elliptic Curve Cryptography (ECC), and Java implementation to keys and key management It includes key pair examples, a discussion of the mathematics, Diffie-Hellman, key generation, man-in-the-middle attack, RSA key exchange, ECC, secure random, and DES examples Part III: Data Integrity This part covers data integrity, hash functions, message digest algorithms, message authentication, and digital signatures This discussion includes RSA, ECC, MAC, SHA-1, and others It includes an MD5 implementation, a SHA-1 algorithm, a MAC algorithm, and DSA signature examples Part IV: Data Hiding This part presents ciphers, and how to implement ciphers including how to use CipherSpi Also, it presents a discussion on PBE, Blowfish, and Java Smart Cards This part includes examples on RSA and an example implementation, Stream Ciphers, PBE, and Blowfish Part V: Resource Access Using Java This part provides an overview of the common criteria for security It also helps you understand the need for security in your applications and how to satisfy those requirements using Java It presents JAAS, Kerberos, GSS-API, and the Security Manager It includes examples on security context, policies, configurations, guarded objects, signed objects, and JAAS Part VI: Enterprise Data Security This part covers the needs to secure your enterprise data This is mainly a discussion of why and how you can secure your database, and the communication between your application and the data repository It contains container-managed and application sign-on, and a discussion on the connector API Part VII: Network Access This part focuses on network security and architecture It discusses the OSI model, DMZs, firewalls, HTTP tunneling, Java Sockets, SSL, TLS, and JSSE It includes socket examples (including the server, client, and channel), routing tables, and X509 examples Part VIII: Public Key Management This part discusses Java digital certificates such as X500, and X.509 Also, this part describes PKI management with certificate chaining, X.500, LDAP, and the need for non-repudiation, including how to import certificates, CRL, CertPath, and LDAP examples Part IX: Enterprise Access This part covers the need for security of enterprise solutions It describes, including programming examples, the Java security model, Java permissions, Web-tier security, Web Services, JNDI, RMI, IIOP, and EJB security Finally, it presents a discussion of how BEA's WebLogic, IBM's WebSphere, and Borland's Enterprise Server handle security Chapter 9: Ensuring Data Integrity Figure 9-1: Different classifications of hash algorithms Figure 9-2: The message digest process Chapter 11: Signature Integrity Figure 11-1: The FIPS approved digital signatures Figure 11-2: Digital signature steps Figure 11-3: Signature generation variables Figure 11-4: Verification generation variables Chapter 12: Understanding Ciphers Figure 12-1: The key stream Figure 12-2: The S-box substitution Figure 12-3: The ECB mode Figure 12-4: A CBC overview Figure 12-5: Overview of the CBC8 Figure 12-6: The OFB mode Figure 12-7: Padding in ciphers Chapter 13: Extending New Ciphers with the JDK Figure 13-1: The Provider and CipherSpi mapping Figure 13-2: An XORed byte stream Chapter 14: Applying Ciphers Figure 14-1: The PBE key for DES and Triple-DES Figure 14-2: Blowfish encryption Figure 14-3: Blowfish decryption Figure 14-4: A native network cipher example Figure 14-5: A secure network file system example Figure 14-6: The smart card Figure 14-7: The Java smart card development environment Figure 14-8: The Java smart card interface Chapter 15: Securing Enterprise Resources Figure 15-1: Understanding your security needs Chapter 16: Java Authentication and Authorization Through Kerberos Figure 16-1: Kerberos messaging Figure 16-2: The v5 flags Chapter 17: Securing Messages with the Java GSS-API Figure 17-1: GSS-API overview Figure 17-2: The JAAS implementation Chapter 18: Java Access: The Security Manager Figure 18-1: The basic class flow Figure 18-2: Some ClassLoader extension classes Figure 18-3: The Protection Domain Figure 18-4: Immediate java.security.Permission derived classes Chapter 19: Java Authentication and Authorization Service Figure 19-1: The Pluggable Authentication Module Figure 19-2: Java Authentication Class interaction Figure 19-3: Java Authorization Class interaction Figure 19-4: The Java subject Figure 19-5: The Java subject extended Figure 19-6: The Java group Figure 19-7: ACL and AclEntry objects Figure 19-8: The Java ACL table Chapter 20: Working with Database Security Figure 20-1: Different JDBC driver types Figure 20-2: The Common Client Interface Chapter 21: Network Security Architecture Figure 21-1: Two LANs by address Figure 21-2: Two LANs by domain name Figure 21-3: IP packet Figure 21-4: UDP packet Figure 21-5: TCP packet Figure 21-6: The OSI model Figure 21-7: The routing OSI model Figure 21-8: ICMP packet Figure 21-9: The ICMP packet with type and code Figure 21-10: The RR IP address header Figure 21-11: A organization's LAN example Figure 21-12: Firewall Figure 21-13: Firewall configurations Figure 21-14: DMZ Figure 21-15: Distributed objects Figure 21-16: The GIOP proxy Figure 21-17: The SOAP proxy Figure 21-18: HTTP tunneling Figure 21-19: The Sockets in the OSI model Figure 21-20: Streaming implementation Chapter 22: SSL and TLS Figure 22-1: SSL layering Figure 22-2: Key derivation process Figure 22-3: Basic SSL Handshake Protocol Figure 22-4: SSL record Figure 22-5: SSL Handshake with client authentication Figure 22-6: WAP protocol stack Chapter 23: Java Secure Socket Extension Figure 23-1: JSSE encapsulates sockets and TCP/IP layers Figure 23-2: Client/server communication using the JSSE API Figure 23-3: The SSLContext interface Figure 23-4: SSLServer, SSLContext, KeyManager,and KeyStore UML sequence Chapter 24: Java Digital Certificates Figure 24-1: The organization of X.500 Figure 24-2: Certificate basic structure Figure 24-3: Version extensions Figure 24-4: The X509CRL and X509CRLEntry classes Chapter 25: PKI Management Figure 25-1: Basic certificate path Figure 25-2: Certificate chaining Figure 25-3: An X.500 DIB Figure 25-4: OU removal Figure 25-5: DUA Figure 25-6: Netscape Directory Server 5.1 Users and Groups console Figure 25-7: User console for the Netscape Directory Server 5.1 Figure 25-8: Basic path validation algorithm Chapter 26: Java Enterprise Security and Web Services Security Figure 26-1: The original sandbox model Figure 26-2: Web Service overview Chapter 27: Securing Client-Side Components Figure 27-1: The J2EE containers Figure 27-2: The JNDI architecture Figure 27-3: Project Info App components and their corresponding containers Figure 27-4: The login page for the Project Info App Figure 27-5: The welcome page for the Project Info App Figure 27-6: The Project List page for the Project Info App Figure 27-7: The Project Detail page for the Project Info App Chapter 28: Securing Server-Side Components Figure 28-1: Generic ORB architecture Figure 28-2: Parts of a distributed object using RMI List of Tables Chapter 26: Java Enterprise Security and Web Services Security Table 26-1: Basic Java Built-in Permission Classes Chapter 28: Securing Server-Side Components Table 28-1: CORBA Services Table 28-2: CORBA/ORB Security List of Listings Chapter 2: Hackers and Their Tools Listing 2-1: FTP entries Listing 2-2: Sniffer output example Chapter 3: Java Security Components Listing 3-1: Understanding an XOR Listing 3-2: Understanding a hash Chapter 4: Key Management Algorithms Listing 4-1: SecretKey cipher pseudocode Listing 4-2: The key pair cipher pseudocode Listing 4-3: Modular exponential Listing 4-4: The TestRandomMod class: A sample code for performing the modular exponential Listing 4-5: Output of Listing 4-4 Listing 4-6: Diffie-Hellman example Listing 4-7: The DHSimpleApp class: A sample application generating keys Listing 4-8: Listing 4-7 output Listing 4-9: Generating the DH key: An excerpt from Listing 4-7 Listing 4-10: An example output of a man-in-the-middle attack Listing 4-11: The DHAgreement class: Java code for the man-in-the-middle attack Listing 4-12: Encrypting/decrypting the RSA message Listing 4-13: Verifying the RSA algorithm Listing 4-14: Service providers installed Listing 4-15: The GetProviderInfo class: Code for generating Listing 4-14 Listing 4-16: The RSASimpleApp class: An RSA sample application Listing 4-17: Output for Listing 4-16 Listing 4-18: Triple-DES two-key implementation Listing 4-19: Triple-DES three-key implementation Chapter 5: Elliptic Curve Cryptography Listing 5-1: Modulo examples Listing 5-2: The ECCProvider class: The Provider class Listing 5-3: Adding the ECCProvider class Listing 5-4: The ECCSimpleApp class: The sample application Listing 5-5: The ECCKeyFactory class: The factory class Listing 5-6: The ECCKeyPairGenerator class Chapter 6: Key Management Through the Internet Protocol Listing 6-1: The IPSec operation modes Chapter 7: Implementing Keys with Java Listing 7-1: KeyPairGenerator creation Listing 7-2: Key pair generation Listing 7-3: An entry for Sun Listing 7-4: Associating the DSA algorithm to a class Listing 7-5: The RichSeed class: Setting the seed twice Listing 7-6: Output from Listing 7-5 Listing 7-7: Selecting the entropy source for the SecureRandom seed Listing 7-8: The RichDSAKey class: Writing and reading a DSAPublicKeySpec Listing 7-9: Output for Listing 7-8 Listing 7-10: The SunJCE entry Listing 7-11: The SunJCE put entry for DES Listing 7-12: The RichDESKey class: A demonstration of the DES secret key Listing 7-13: Demonstration of the DES secret key: An output of Listing 7-12 Chapter 8: Java Implementation of Key Management Listing 8-1: Interaction with keytool Listing 8-2: Output of keytool -list Listing 8-3: RFC 1421-generated certificate Listing 8-4: Output of keytool –printcert Listing 8-5: Signing the Java2.jar Listing 8-6: Signature File example Listing 8-7: DSA file example Listing 8-8: Grant entry example Listing 8-9: jdk1.4 policy file entries Chapter 9: Ensuring Data Integrity Listing 9-1: The MD5 implementation Listing 9-2: An example SHA-1 algorithm Listing 9-3: Output from Listing 9-2 Chapter 10: Ensuring Message Authentication Listing 10-1: The RichMAC class a: MAC algorithm Listing 10-2: The output of Listing 10-1 Chapter 11: Signature Integrity Listing 11-1: The RichDSA class: The DSA Signature sample application Chapter 12: Understanding Ciphers Listing 12-1: The RichRSACipher class: An RSA cipher implementation Chapter 13: Extending New Ciphers with the JDK Listing 13-1: The TestRSACiphers class: RSA test for the cipher Listing 13-2: The RichProvider class: The Provider implementation Listing 13-3: The RC4 algorithm Chapter 14: Applying Ciphers Listing 14-1: The TestPBECiphers class: PBE cipher testing Listing 14-2: The TestBFCipher class: A Blowfish example Chapter 16: Java Authentication and Authorization Through Kerberos Listing 16-1: The kinit command Listing 16-2: The kpasswd command Listing 16-3: Kerberos commands and tools Listing 16-4: The /etc/srvtab file Chapter 17: Securing Messages with the Java GSS-API Listing 17-1: The RichGSSService class: An example in creating the security context Listing 17-2: The context loop, wrap, and unwrap methods Listing 17-3: Basic configuration file Listing 17-4: Client/server configuration file Listing 17-5: RichGSSInitiator's policy file Listing 17-6: RichGSSService's policy file Chapter 18: Java Access: The Security Manager Listing 18-1: The FileInputStream Listing 18-2: Grant entry Listing 18-3: A doPrivileged action Listing 18-4: Code fragment to get the context Listing 18-5: The RichGuard class: An example of a guarded object Listing 18-6: The RichSign class: A signed object example Listing 18-7: The grant entry structure Listing 18-8: signedBy example Listing 18-9: CodeBase example Listing 18-10: Principal example Listing 18-11: The RichPolicy class: A policy example code Listing 18-12: Policy example code output Listing 18-13: FilePermission example Chapter 19: Java Authentication and Authorization Service Listing 19-1: Grant entry Listing 19-2: Grant entry with principal Listing 19-3: The doAs method Listing 19-4: The LoginContext class Listing 19-5: The login configuration file Listing 19-6: Defining the ConfigFile for reading login configurations Listing 19-7: Runtime definitions Listing 19-8: The JAASApp class: A JAAS application Listing 19-9: The JAAS login configuration Listing 19-10: The RichCallbackHandler class: An example of runtime definitions Listing 19-11: Callback handler interaction Listing 19-12: The permissions Listing 19-13: Populating the callback list Listing 19-14: A configuration file example Listing 19-15: The JAASAction class: A privileged action example Listing 19-16: A permission entry Chapter 20: Working with Database Security Listing 20-1: Container-managed sign-on Listing 20-2: Deployment descriptor for container-managed sign-on Listing 20-3: Application-managed sign-on Chapter 21: Network Security Architecture Listing 21-1: The SocketServer class: A socket listener example Listing 21-2: The SocketClient class: A socket client example Listing 21-3: Ping output Listing 21-4: Ping showing an IP record route Listing 21-5: netstat –rn run on a Windows 2000 machine Listing 21-6: Adding to the routing table Listing 21-7: The Client_Socket class: An example of a client for Listing 21-8 Listing 21-8: The Server_Socket class: An example of a server for Listing 21-7 Listing 21-9: SocketChannel connection completion Chapter 23: Java Secure Socket Extension Listing 23-1: Server socket creation Listing 23-2: X509-based key manager Listing 23-3: Getting the SSLSession Listing 23-4: The SSLServer class: An example for creating SSL server sockets Listing 23-5: The SSLClient class: An example usage of SSLSocketFactory Chapter 24: Java Digital Certificates Listing 24-1: The RichCertificate class: Importing X509Certificate version in Java Listing 24-2: Output for Listing 24-1 Listing 24-3: The generated certificate Listing 24-4: The ASN.1 notation of a CRL Listing 24-5: The RichCRL class: Importing the CRL and CRL entries and adding extensions Listing 24-6: The output for Listing 24-5 Listing 24-7: The CRL entry Chapter 25: PKI Management Listing 25-1: The RichPath: A CertPath initialization example Listing 25-2: Building parameters with the PKIXParameters class Listing 25-3: Retrieving CRLs from the LDAP server Listing 25-4: Final validation Chapter 26: Java Enterprise Security and Web Services Security Listing 26-1: Digital signature Listing 26-2: A WSDL document skeleton Listing 26-3: A SOAP request message example Listing 26-4: A SOAP message response example Chapter 27: Securing Client-Side Components Listing 27-1: Configuring the admin directory structure using the web.xml file Listing 27-2: Simple JSP example Listing 27-3: The login.jsp file for the Project Info App Listing 27-4: The web.xml file for the Project Info App Listing 27-5: A isUserInRole method example Listing 27-6: The ProjSelectionServlet class: The main page for the Project Info App Listing 27-7: The projectDetail.jsp for the Project Info App Listing 27-8: The admin/projectedit.jsp for the Project Info App Chapter 28: Securing Server-Side Components Listing 28-1: ProjectHome.java Listing 28-2: Project.java Listing 28-3: ProjectBean.java Listing 28-4: Project-cmp-rdbms-jar.xml Listing 28-5: RMIClient.java Listing 28-6: CORBAClient.java Table of Contents Back Cover Back Cover In this unique guide, two Java security experts show you how to take full advantage of Java security technologies cryptogography, algorithms, and architecture They explain today's Java security tools, concepts, protocols, and specifications, including ECC, RSA, MAC, ciphers, Kerberos, JAAS, JSSE, PISec X.509 certificates, PKI, and RMI The book not only describes what each of the technologies is but also explains why it exists, when you should use it, and how to implement it Packed with practical security solutions and lots of source code examples, it delivers all the know-how you need to work with Java security components and extend them in the real world This book enables you to: Apply Java security features effectively and efficiently Implement the cryptography components of JDK 1.4 Work with security algorithms and ciphers Maintain secure communications within the enterprise Add security features to enterprise applications Ensure message authentication and data integrity Understand network security architecture Work with authentication, authorization, confidentiality, non-repudiation, and integrity About the Authors Rich Helton has more than two decades of experience in computer and security systems For the last twelve years, he has built secure NFS, Internet, and intranet systems as well as monitoring software for a wide variety of companies He has served as lead Java architect specializing in security in such industries as brokerage, financial, telecommunications, and logistics He is a certified Sun Java Developer, Sun Java Programmer, and BEA WebLogic 6.0 Developer, and he holds a masters degree in computer science from the University of Colorado He contributed toBEA WebLogic Server Bible (Wiley, 2002) Johennie Helton has nearly a decade of experience in object-oriented design and implementation for the automotive, financial, helathcare, and retail industries She has a masters degree in computer science from the University of Colorado She contributed chapters to Java Data Access: JCBC, JNDI, and JAXP (Wiley, 2002) wiley.com Java™ Security Solutions by Rich Helton and Johennie Helton Bonus Content Java™ Security Solutions is your complete guide to the what, why, where, and how of Java Security You'll learn how to the following: Apply Java security features effectively and efficiently Implement the cryptography components of JDK 1.4 Work with security algorithms and ciphers Maintain secure communications within the enterprise Add security features to enterprise applications Ensure message authentication and data integrity Understand network security architecture Work with authentication, authorization, confidentiality, non-repudiation, and integrity Source Code for Java™ Security Solutions Click a link below to download code corresponding to the chapters in the book, or you can download all the code from the book in one file To unzip the code archives, you need an unzipping tool, such as WinZip 549286 ch04 source.zip 549286 ch05 source.zip 549286 ch07 source.zip 549286 ch09 source.zip 549286 ch10 source.zip 549286 ch11 source.zip 549286 ch12 source.zip 549286 ch13 source.zip 549286 ch14 source.zip 549286 ch17 source.zip 549286 ch18 source.zip 549286 ch19 source.zip 549286 ch21 source.zip 549286 ch23 source.zip 549286 ch24 source.zip 549286 ch25 source.zip 549286 ch27 and ch28 source.zip 549286 entire book source.zip Back to Extras Copyright © 2000-2003 by John Wiley & Sons, Inc or related companies All rights reserved Please read our Privacy Policy ... Welcome to Java Security Solutions, a book that explains security in general and Java security in particular This book includes cryptography, algorithms, and architecture It provides practical solutions. .. need for security of enterprise solutions It describes, including programming examples, the Java security model, Java permissions, Web-tier security, Web Services, JNDI, RMI, IIOP, and EJB security. .. Proofreading Kim Cofer Indexing Johnna VanHoose Dinse For Ashley and Courtney Table of Contents Java Security Solutions Preface Part I - Introduction to Security Chapter - Security Basics Chapter -