Enterprise Java Security: Building Secure J2EE Applications
By Marco Pistoia, Nataraj Nagaratnam, Larry Koved, Anthony Nadalin
Table of Contents
Publisher: Addison Wesley
Pub Date: February 20, 2004
ISBN: 0-321-11889-8
Pages: 608
Copyright
Foreword
Preface
About the Authors
Part I: Enterprise Security and Java
  Chapter 1. An Overview of Java Technology and Security
    Section 1.1. Why Java Technology for Enterprise Applications?
    Section 1.2. Enterprise Java Technology
    Section 1.3. Java Technology as Part of Security
    Section 1.4. An Overview of Enterprise Security Integration
    Section 1.5. Time to Market
  Chapter 2. Enterprise Network Security and Java Technology
    Section 2.1. Networked Architectures
    Section 2.2. Network Security
    Section 2.3. Server-Side Java Technology
    Section 2.4. Java and Firewalls
    Section 2.5. Summary
Part II: Enterprise Java Components Security
  Chapter 3. Enterprise Java Security Fundamentals
    Section 3.1. Enterprise Systems
    Section 3.2. J2EE Applications
    Section 3.3. Secure Interoperability between ORBs
    Section 3.4. Connectors
    Section 3.5. JMS
    Section 3.6. Simple E-Business Request Flow
    Section 3.7. J2EE Platform Roles
    Section 3.8. J2EE Security Roles
    Section 3.9. Declarative Security Policies
    Section 3.10. Programmatic Security
    Section 3.11. Secure Communication within a WAS Environment
    Section 3.12. Secure E-Business Request Flow
  Chapter 4. Servlet and JSP Security
    Section 4.1. Introduction
    Section 4.2. Advantages of Servlets
    Section 4.3. Servlet Life Cycle
    Section 4.4. The Deployment Descriptor of a Web Module
    Section 4.5. Authentication
    Section 4.6. Authorization
    Section 4.7. Principal Delegation
    Section 4.8. Programmatic Security
    Section 4.9. Runtime Restrictions for Web Components
    Section 4.10. Usage Patterns
    Section 4.11. Partitioning Web Applications
  Chapter 5. EJB Security
    Section 5.1. Introduction
    Section 5.2. EJB Roles and Security
    Section 5.3. Authentication
    Section 5.4. Authorization
    Section 5.5. Delegation
    Section 5.6. Security Considerations
  Chapter 6. Enterprise Java Security Deployment Scenarios
    Section 6.1. Planning a Secure-Component System
    Section 6.2. Deployment Topologies
    Section 6.3. Secure Communication Channel
    Section 6.4. Security Considerations
Part III: The Foundations of Java 2 Security
  Chapter 7. J2SE Security Fundamentals
    Section 7.1. Access to Classes, Interfaces, Fields, and Methods
    Section 7.2. Class Loaders
    Section 7.3. The Class File Verifier
    Section 7.4. The Security Manager
    Section 7.5. Interdependence of the Three Java Security Legs
    Section 7.6. Summary
  Chapter 8. The Java 2 Permission Model
    Section 8.1. Overview of the Java 2 Access-Control Model
    Section 8.2. Java Permissions
    Section 8.3. Java Security Policy
    Section 8.4. The Concept of CodeSource
    Section 8.5. ProtectionDomains
    Section 8.6. The Basic Java 2 Access-Control Model
    Section 8.7. Privileged Java 2 Code
    Section 8.8. ProtectionDomain Inheritance
    Section 8.9. Performance Issues in the Java 2 Access-Control Model
    Section 8.10. Summary
  Chapter 9. Authentication and Authorization with JAAS
    Section 9.1. Overview of JAAS and JAAS Terminology
    Section 9.2. Authentication
    Section 9.3. Authorization Overview
    Section 9.4. JAAS and J2EE
    Section 9.5. Additional Support for Pluggable Authentication
Part IV: Enterprise Java and Cryptography
  Chapter 10. The Theory of Cryptography
    Section 10.1. The Purpose of Cryptography
    Section 10.2. Secret-Key Cryptography
    Section 10.3. Public-Key Cryptography
  Chapter 11. The Java 2 Platform and Cryptography
    Section 11.1. The JCA and JCE Frameworks
    Section 11.2. The JCA API
    Section 11.3. The JCE API
    Section 11.4. JCE in Practice
    Section 11.5. Security Considerations
  Chapter 12. PKCS and S/MIME in J2EE
    Section 12.1. PKCS Overview
    Section 12.2. S/MIME Overview
    Section 12.3. Signing and Verifying Transactions with PKCS and S/MIME
    Section 12.4. Encrypting Transactions with PKCS and S/MIME
    Section 12.5. Security Considerations
    Section 12.6. Future Directions
  Chapter 13. The SSL and TLS Protocols in a J2EE Environment
    Section 13.1. The SSL and TLS Protocols
    Section 13.2. HTTPS
    Section 13.3. Using the SSL Support Built into J2EE Products
    Section 13.4. Using SSL from within J2EE Programs
    Section 13.5. Examples
    Section 13.6. Summary
Part V: Advanced Topics
  Chapter 14. Enterprise Security for Web Services
    Section 14.1. XML
    Section 14.2. SOAP
    Section 14.3. WSDL
    Section 14.4. Security for Web Services: Motivations
    Section 14.5. Security Technologies
    Section 14.6. Web Services Security Model Principles
    Section 14.7. Application Patterns
    Section 14.8. Use Scenario
    Section 14.9. Web Services Provider Security
    Section 14.10. Security Considerations
    Section 14.11. Futures
  Chapter 15. Security Considerations for Container Providers
    Section 15.1. Understanding the Environment
    Section 15.2. Authentication
    Section 15.3. Authorization
    Section 15.4. Secure Communication
    Section 15.5. Secure Association
    Section 15.6. Access to System Resources
    Section 15.7. Mapping Identities at Connector Boundaries
  Chapter 16. Epilogue
Part VI: Appendixes
  Appendix A. Security of Distributed Object Architectures
    Section A.1. RMI
    Section A.2. Stubs and Skeletons
    Section A.3. RMI Registry
    Section A.4. The Security of RMI
  Appendix B. X.509 Digital Certificates
    Section B.1. X.509 Certificate Versions
  Appendix C. Technical Acronyms Used in This Book