Introduction to Java Security
The Java security architecture includes a large set of application programming interfaces (APIs), tools, and implementations of commonly used security algorithms, mechanisms, and protocols.
The Java security APIs span a wide range of areas. Cryptographic and public key infrastructure (PKI) interfaces provide the underlying basis for developing secure applications. Interfaces for performing authentication and access control enable applications to guard against unauthorized access to protected resources.
The JDK includes a number of providers that implement a core set of security services. It also allows for additional custom providers to be installed. This enables developers to extend the platform with new security mechanisms.
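The provider mechanism described above, as an added example that is not part of the original documentation: it installs a custom provider, lists the installed providers in lookup order, and shows which provider supplied each algorithm. `DemoProvider`, `DemoDigest` and the algorithm name `DEMO-SHA-256` are hypothetical names chosen for illustration, the digest simply delegates to the JDK's SHA-256, and Java 17 or later is assumed (for `HexFormat`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.Provider;
import java.security.Security;
import java.util.HexFormat;

public class ProviderDemo {
    // Hypothetical digest for the demo: delegates to the JDK's SHA-256 so the output is checkable.
    public static final class DemoDigest extends MessageDigestSpi {
        private final MessageDigest inner;
        public DemoDigest() throws Exception { inner = MessageDigest.getInstance("SHA-256"); }
        @Override protected void engineUpdate(byte b) { inner.update(b); }
        @Override protected void engineUpdate(byte[] in, int off, int len) { inner.update(in, off, len); }
        @Override protected byte[] engineDigest() { return inner.digest(); }
        @Override protected void engineReset() { inner.reset(); }
    }

    // Hypothetical custom provider that registers one service under a new algorithm name.
    public static final class DemoProvider extends Provider {
        public DemoProvider() {
            super("DemoProvider", "1.0", "Added example provider");
            putService(new Service(this, "MessageDigest", "DEMO-SHA-256",
                    DemoDigest.class.getName(), null, null));
        }
    }

    public static void main(String[] args) throws Exception {
        // Appends after the built-in providers; returns -1 if a provider of that name is already installed.
        int position = Security.addProvider(new DemoProvider());
        System.out.println("DemoProvider installed at position " + position);

        // Providers are consulted in this order when the caller does not name one.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersionStr());
        }

        byte[] msg = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        for (String alg : new String[] {"SHA-256", "DEMO-SHA-256"}) {
            MessageDigest md = MessageDigest.getInstance(alg);
            // getProvider() reports which installed provider actually supplied the implementation.
            System.out.println(alg + " <- " + md.getProvider().getName() + " "
                    + HexFormat.of().formatHex(md.digest(msg)));
        }
    }
}
```

Both digests print the same hex value because the demo implementation delegates to SHA-256; only the reporting provider differs.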
The JDK is divided into modules. Modules that contain security APIs include the following:
| Module | Description |
|--------|-------------|
| | Defines the foundational APIs of Java SE; contained packages include java.security, javax.crypto, javax.net.ssl, |
| | Defines the Java binding of the IETF Generic Security Services API (GSS-API). This module also contains GSS-API mechanisms including Kerberos v5 and SPNEGO |
| | Defines Java support for the IETF Simple Authentication and Security Layer (SASL). |
| | Defines the Java Smart Card I/O API |
| | Defines the API for XML cryptography |
Java Language Security and Bytecode Verification
The Java language is designed to be type-safe and easy to use. It provides automatic memory management, garbage collection, and range-checking on arrays. This reduces the overall programming burden placed on developers, leading to fewer subtle programming errors and to safer, more robust code.
A compiler translates Java programs into a machine-independent bytecode representation. A bytecode verifier is invoked to ensure that only legitimate bytecodes are executed in the Java runtime. It checks that the bytecodes conform to the Java Language Specification and do not violate Java language rules or namespace restrictions. The verifier also checks for memory management violations, stack underflows or overflows, and illegal data typecasts. Once bytecodes have been verified, the Java runtime prepares them for execution.
In addition, the Java language defines different access modifiers that can be assigned to Java classes, methods, and fields, enabling developers to restrict access to their class implementations as appropriate. The language defines four distinct access levels:
- private: Most restrictive modifier; access is not allowed outside the particular class in which the private member (a method, for example) is defined.
- protected: Allows access to any subclass or to other classes within the same package.
- Package-private: If not specified, then this is the default access level; allows access to classes within the same package.
- public: No longer guarantees that the element is accessible everywhere; accessibility depends upon whether the package containing that element is exported by its defining module and whether that module is readable by the module containing the code that is attempting to access it.
Secure Communication
The data that travels across a network can be accessed by someone who is not the intended recipient. When the data includes private information, such as passwords and credit card numbers, steps must be taken to make the data unintelligible to unauthorized parties.
- TLS and DTLS Protocols
- Generic Security Service API and Kerberos
- Simple Authentication and Security Layer (SASL)
Simple Authentication and Security Layer (SASL)
Simple Authentication and Security Layer (SASL) is an Internet standard that specifies a protocol for authentication and optional establishment of a security layer between client and server applications.