Inside Java 2 Platform Security: Architecture, API Design, and Implementation (2nd Edition)

Editorial Reviews
Amazon.com
An expert tour of security on the new Java 2 platform, Inside Java 2 Security will find an enthusiastic audience among advanced Java developers and system administrators. As the author notes during the general discussion on network security, safeguarding your system goes far beyond mere cryptography.

This book reviews multiple security threats and the strategies used to combat them, such as denial of service attacks, Trojan horses, and covert channels. In addition, it touches on the evolution of Java security from the restrictive days of the JDK 1.0 sandbox to the sophisticated security features available in Java 2, including a section that presents a list of 11 security bugs found in early versions of Java.

Because Java 2 security is now policy-based, it must be managed by system administrators as part of enterprise security. A chapter on Java 2 security presents the "big picture" as well as the classes used to implement policy-based security where developers can control access to an entire system like files, network resources, or runtime permissions on code. The book also discusses the rather primitive tools used for Java 2 security management such as the policytool utility. For advanced developers, further sections demonstrate how to create new permission classes and how to make JDK 1.1 security code migrate to Java 2.

A section on the Java Cryptography Architecture (JCA) shows that Java 2 supports the latest in encryption standards like SHA, DSA, RSA, and X.509 certificates. The text concludes with some well-considered predictions for the future of security on the Java platform. In the meantime, this book shows you what you will need to know about security when committing to Java 2 on the enterprise. Security is now part of the picture and will require both extra development time and administrative effort. --Richard Dragan --This text refers to an out of print or unavailable edition of this title.

Book Description
Inventing is a combination of brains and materials. The more brains you use, the less material you need. --Charles Kettering

The phrases "computer security," "network security," and "information security" conjure up various notions and precepts to a given audience. Some people tend to envision technical measures, such as cryptography, as the sole means by which security is attained. Other people recognize the limitations of various technical measures and treat them as tools that, when used in combination with other technical measures, can accomplish the task at hand. The distinction is subtle but important.

The phrase "platform security" reflects a holistic view of security, suggesting that the foundation is secure and can be relied on as is or used as a secure subsystem to leverage when building larger systems. Building a secure platform is a very difficult and exacting task that historically has been accomplished only when security is a design requirement that is taken into consideration at the onset. The idea that security can be "bolted on" has proved frail and wrought with failure modes, which has led to a multitude of security breaches.

Java technology is possibly the only general-purpose secure computing platform to become commercially successful. This would never have happened had the designers not taken security seriously from the start. The security properties of Java technology are many, and the Java platform builds on itself to create a reliable and secure platform. The Java 2 security model would be impossible to make trustworthy if it were not for the safety net provided by the Java language itself. The Java language specifies the semantics to ensure type safety and referential integrity and yet would fail miserably if it were not for the enforcement and assurances the Java virtual machine provides. Thus, from these various secure subsystems, we have created a greater whole.

The target audience of this book is varied. We believe this book will be a useful resource to those seeking a general understanding of the security foundation the Java 2 security architecture provides and relies on. The book should also prove particularly useful to software practitioners building enterprise-class applications that must meet varied security requirements, ranging from authentication to authorization to information protection. This book provides insight into some of the design trade-offs we made as we developed the platform and the lessons we have learned as we continue to evolve and enhance the platform. We provide guidance to those needing to customize the security model for their specific purposes. We describe the inflection points we designed into the platform to accommodate those rare but critical customizations.

Most of the aforementioned topics are targeted to system developers, yet we recognize that security is not limited to the implementation of an application. Equally important is the deployment of the application. For deployers, we supply descriptions ranging from expressing security policy to hardening the installation of the runtime environment.

This book does not explain to any level of detail the Java programming language. We recommend the book by Arnold and Gosling [3] as a good starting point. Also, we do not cover the various security APIs in their entirety, and thus we refer the reader to the Java 2 SDK documentation.

How This Book Is Organized

The text of this book is organized to cater to its various audiences. The first two chapters supply background information providing the basis for more specific topics covered in subsequent chapters. The reader need not be proficient in the Java language to understand these introductory chapters. Chapters 3 through 6 describe the Java 2 security architecture, starting with general concepts and ending with comprehensive coverage of security policy enforcement. Chapters 7 through 11 are targeted toward the enterprise application developer, covering topics ranging from trust establishment to cryptography and network security. For these chapters, Java language proficiency is assumed. Chapter 12 is directly targeted toward deployers, who should also read Chapter 8 for additional details about trust establishment. It is our belief that deployers need not be proficient in the Java language and that they can ignore the sections of Chapter 8 describing APIs.

The content of each chapter of this book is as follows:

Chapter 1: A general background on computer, network, and information security
Chapter 2: A review of the Java security models, starting with the original sandbox and progressing to the fine-grained access control model
Chapter 3: An in-depth look at the Java 2 security architecture, which is policy driven and capable of enforcing fine-grained access controls
Chapter 4: Detailed coverage of class loading, including a description of the class loader inheritance hierarchy and the runtime delegation hierarchy
Chapter 5: An explanation of the security classes that supply the foundation for the enforcement of security policy at runtime
Chapter 6: Thorough coverage of the policy enforcement classes and the design of the Java 2 security architecture access control algorithm
Chapter 7: An explanation of the customization points provided for systems programmers who need to enhance the core security architecture
Chapter 8: An outline of the trust establishment capabilities and mechanisms supplied by the security architecture
Chapter 9: A presentation of common pitfalls and defensive programming strategies
Chapter 10: Comprehensive coverage of the cryptography-related APIs
Chapter 11: An operational overview of the APIs used to secure network protocols, including those for authentication, confidentiality, and integrity protection
Chapter 12: A presentation of the deployment options that may be used to securely deploy the Java runtime and Java technology-based applications
Chapter 13: A look at the various Java technology platforms and a glance toward the future of Java security

Authors: Li Gong, Gary Ellison, Mary Dageforde
Publisher: Addison-Wesley Professional
ISBN: 0201787911
Subjects: Computer Architecture - General; Computer Books: General; Computer Networks; Computer Programming Languages; Computer security; Computers - Languages / Programming; Java (Computer program language); Programming Languages - Java; Security - General
