J2EE™ Security for Servlets, EJBs and Web Services: Applying Theory and Standards to Practice

Book Description

J2EE developers have an extraordinary array of powerful options for securing their Web services, Web applications, EJB components and RMI objects. Now, expert Java architect Pankaj Kumar helps developers make sense of Java's increasingly rich security APIs, tools, patterns, and best practices, showing how to use each of them in the right place, at the right time, and in the right way.

Kumar covers every significant J2SE and J2EE security mechanism, presenting practical implementation techniques for the entire J2EE project lifecycle: analysis, design, development, deployment and operations. The book's example-rich coverage includes:

  • Implementing cryptography with the JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension) security APIs

  • Building PKI systems with Java: implementing X.509 certificates, Certification Authorities, Certificate Revocation Lists, and repositories

  • Java security managers, policy files, and JAAS: implementing access control based on code origin, code signer and user credentials

  • Securing the wire: Using SSL and the JSSE API to secure data exchange over unprotected networks

  • Ensuring XML message integrity, authentication, and confidentiality with the standards: XML Signature and XML Encryption using the VeriSign TSIK and Infomosaic SecureXML libraries

  • Addressing security issues in RMI-based distributed applications

  • Developing and deploying servlets and EJBs for authenticated and secure access

  • Securing Web services with transport- and message-based security: SSL for transport-based and WS Security for message-based security

  • Covering security aspects of best-of-breed products: Apache Tomcat, Apache Axis, and BEA WebLogic Server

Table of Contents

    1. Copyright
    2. Praise for J2EE Security for Servlets, EJBs and Web Services
    3. Hewlett-Packard® Professional Books
    4. Preface
    5. The Background
      1. A Security Primer
        1. The Security Problem
        2. Computers, Networks and the Internet
        3. Security Concepts
        4. Security Attacks
        5. System Vulnerabilities
        6. Toward the Solution
        7. Summary
        8. Further Reading
      2. A Quick Tour of the Java Platform
        1. Packaging of Java Platform
        2. Evolution of Java
        3. Java Security Model
        4. J2SE Platform
        5. J2EE Platform
        6. Summary
        7. Further Reading
    6. The Technology
      1. Cryptography with Java
        1. Example Programs and crypttool
        2. Cryptographic Services and Providers
        3. Cryptographic Keys
        4. Encryption and Decryption
        5. Message Digest
        6. Message Authentication Code
        7. Digital Signature
        8. Key Agreement
        9. Summary of Cryptographic Operations
        10. Cryptography with crypttool
        11. Limited versus Unlimited Cryptography
        12. Performance of Cryptographic Operations
        13. Practical Applications
        14. Legal Issues with Cryptography
        15. Summary
        16. Further Reading
      2. PKI with Java
        1. Digital Certificates
        2. Managing Certificates
        3. Certification Authority
        4. PKI Architectures
        5. Java API for PKI
        6. Applications of PKI
        7. PKI Use-Cases
        8. Summary
        9. Further Reading
      3. Access Control
        1. A Quick Tour of Java Access Control Features
        2. Access Control Requirements for the Java Platform
        3. User Identification and Authentication
        4. Policy-Based Authorization
        5. Developing a Login Module
        6. Applying JAAS to a Sample Application
        7. Performance Issues
        8. Summary
        9. Further Reading
      4. Securing the Wire
        1. Brief Overview of SSL
        2. Java API for SSL
        3. KeyManager and TrustManager APIs
        4. Understanding SSL Protocol
        5. HTTP over SSL
        6. RMI Over SSL
        7. Performance Issues
        8. Trouble Shooting
        9. Summary
        10. Further Reading
      5. Securing the Message
        1. Message Security Standards
        2. A Brief Note on Handling XML
        3. XML Signature
        4. Java API for XML Signature
        5. XML Encryption
        6. Java API for XML Encryption
        7. XML Signature and Encryption Combinations
        8. Summary
        9. Further Reading
    7. The Application
      1. RMI Security
        1. Sample Application Using RMI
        2. Security from Downloaded Code
        3. SSL for Transport Security
        4. RMI and Access Control
        5. Summary
        6. Further Reading
      2. Web Application Security
        1. Java Web Applications
        2. Apache Tomcat
        3. A Simple Web Application: RMB
        4. Security Requirements
        5. User Authentication Schemes
        6. Web Container Security Features
        7. HTTPS with Apache Tomcat
        8. Common Vulnerabilities
        9. Summary
        10. Further Reading
      3. EJB Security
        1. A Brief Overview of EJBs
        2. Working with WebLogic Server 7.0
        3. EJB Security Mechanisms
        4. Declarative Security for EJBs
        5. Declarative Security Example
        6. EJB Security and J2SE Access Control
        7. Summary
        8. Further Reading
      4. Web Service Security
        1. Web Services Standards
        2. Web Services in Java
        3. Apache Axis
        4. Servlet Security for Web Services
        5. SSL Security for Web Services
        6. WS Security
        7. WS Security with Apache Axis
        8. Summary
        9. Further Reading
      5. Conclusions
        1. Technology Stack
        2. Authentication and Authorization
        3. Distributed Application Security
        4. Comprehensive Security
      6. Public Key Cryptography Standards
      7. Standard Names—Java Cryptographic Services
      8. JSTK Tools
        1. crypttool
        2. certtool
        3. sslsetup
        4. ssltool
        5. asn1parse – Parser for DER or PEM encoded content
      9. Example Programs
      10. Products Used For Examples
        1. Java 2 Platform, Standard Edition
        2. Apache Tomcat
        3. Apache Axis
        4. BEA WebLogic Server
        5. VeriSign's Trust Services Integration Kit (TSIK)
        6. Infomosaic's Secure XML
      11. Standardization Bodies
        1. Internet Engineering Task Force (IETF)
        2. The World Wide Web Consortium (W3C)
        3. OASIS
        4. JCP (Java Community Process)
    8. References
    9. Index