When I first mentioned to a colleague of mine that I was writing a book on JavaTM security, he immediately starting asking me questions about firewalls and Internet DMZs. Another colleague overheard us and started asking about electronic commerce, which piqued the interest of a third colleague who wanted to hear all about virtual private networks. All this was interesting, but what I really wanted to talk about was how a Java applet could be allowed to read a file.

Such is the danger of anything with the word “security” in its title: security is a broad topic, and everyone has his or her own notion of what security means. Complicating this issue is the fact that Java security and network security (including Internet security) are complementary and sometimes overlapping topics: you can send encrypted data over the network with Java, or you can set up a virtual private network that encrypts all your network traffic and remove the need for encryption within your Java programs.

This is a book about security from the perspective of a Java program. In this book, we discuss the basic platform features of Java that provide security -- the class loader, the bytecode verifier, the security manager -- and we discuss recent additions to Java that enhance this security model -- digital signatures, security providers, and the access controller. The ideas in this book are meant to provide an understanding of the architecture of Java’s security model and how that model can be used (both programmatically and administratively).