Organization of This Book

This book is organized in a bottom-up fashion: we begin with the very low-level aspects of Java security and then proceed to the more advanced features.

Chapter 1

This chapter gives an overview of the security model (the Java sandbox) used in Java applications and sets the stage for the rest of the book.

Chapter 2

This chapter discusses the parameters of the default sandbox and how the sandbox may be changed administratively. It provides instructions for end users and administrators on how to set up Java security policies (including the use of policytool) and introduces the concepts by which these policies are implemented.

Chapter 3

This chapter discusses the memory protections built into the Java language, how those protections provide a measure of security, and how they are enforced by the bytecode verifier.

Chapter 4

This chapter discusses the security manager, which is the primary interface to application-level security in Java. The security manager is responsible for arbitrating access to all local resources: files, the network, printers, etc.

Chapter 5

The access controller is the basis for security manager implementations in Java 2. This chapter discusses how to use the access controller to achieve fine-grained levels of security in your application.

Chapter 6

This chapter discusses the class loader, which is the class that reads in Java class files and turns them into classes. From a security perspective, the class loader is important in determining where classes originated and whether or not they were digitally signed (and if so, by whom), so the topic of class loaders appears throughout this book.

Chapter 7

This chapter provides an overview of the cryptographic algorithms of the Java security package. It provides a background for the remaining chapters in the book.

Chapter 8

This chapter discusses the architecture of the Java security package and how that architecture may be used to extend or supplant the default cryptographic algorithms that come with the SDK.

Chapter 9

This chapter discusses the APIs available to model cryptographic keys and certificates.

Chapter 10

This chapter discusses how keys can be managed within a Java program: how and where they may be stored and how they can be retrieved and validated. It also discusses programmatic transfer of digital keys.

Chapter 11

This chapter discusses message digests: how to create them, how to use them, and how to implement them.

Chapter 12

This chapter discusses how to create, use, and implement digital signatures. It also contains a discussion of signed classes.

Chapter 13

This chapter discusses the encryption available within Java Cryptography Extension (JCE), which allows developers to encrypt and decrypt arbitrary data.

Chapter 14

This chapter discusses how the Java Secure Sockets Extension (JSSE) provides SSL encryption, which can be used to encrypt data over TCP sockets. It also provides an implementation of the HTTPS Internet protocol.

Chapter 15

This chapter discusses how the Java Authentication and Authorization Service (JAAS) enables applications to authenticate users and grant them particular permissions based on their login ID or other credentials.

Appendix A

This appendix provides an annotated listing of the java.security file, which is the standard configuration file for the Java security architecture.

Appendix B

This appendix discusses how to keep up-to-date with information about Java’s security implementation, including a discussion of Java security bugs and general resources for further information.

Appendix C

Key management in Java 1.1 was radically different from the systems we explored in the main text. This appendix discusses how key management was handled in Java 1.1; it uses classes that are still present (but deprecated) in Java 2.

Appendix D

This appendix details how the security manager operated in Java 1.1 (in the absence of an access controller) and shows how you can write an application that uses the 1.1 security model. Although most of the techniques in this appendix have been superseded in Java 2, there are exceptional cases in Java 2 when you might want to follow the tips given in this appendix.

Appendix E

In the text, we discuss how to implement standard security providers. JCE security providers require some additional steps that are outlined in this appendix.

Appendix F

This appendix is a simple reference guide to the classes discussed in this book.
