JavaRanch Home    
This page:         last edited 29 September 2015         What's Changed?         Edit

Security FAQ   

This is work in progress. Feel free to add content as you see fit.

  General remarks

  • While any of the following may help solve security-related problems, keep in mind that security is a process, not a single product or technology. A technologically secure computer system does not help if someone can steal its hard drive, it's not backed up properly, or if its password is written on a Post-It note.

  • comp.risks is a newsgroup and mailing list where all matters related to computer security are discussed by highly knowledgeable practitioners of the field.

  Applet security

  Security managers and class loaders


  Web applications and HTTP



  JCE - Encryption - Message Digests

Q: Using JCE I am getting a BadPaddingException. What should I do?

A: Search the forums for "BadPaddingException" for several discussions on this. The gist is: don't use a String to store the encrypted text - use byte[].

Q: Where can I get Java source code for the XYZ algorithm?

A: Bouncycastle is an open source library comprised of many and varied encryption algorithms, amongst them a full JCE implementation. The codes for the AES competition are also available. Those include Rijndael (which became AES), RC6, Serpent, Twofish and Mars.

Q: I am getting an java.lang.SecurityException: Unsupported keysize or algorithm parameters. What gives?

A: One reason may be that you're using incorrect parameters for the algorithm, mode or cipher. Check the above-mentioned list of algorithms for what is available. Another reason may be that you don't have the unlimited jurisdiction policy files installed; these can be downloaded from the same place you download the J2SE JDK.

Q: How can I implement my own JCE provider?

A: This is described in detail in the article How To Implement a Provider for the Java Cryptography Architecture. Information on how to install the provider can be found in the sections on "How Provider Implementations Are Requested and Supplied" and "Installing Providers" in this article.

Q: Which message digest (or hash) algorithm should I use?

A: At this point, the various RC, MD and SHA-1 algorithms should no longer be used. SHA-2 is the way to go; it's available in Java in the SHA-256, SHA-384 and SHA-512 variants. (A NIST competition has selected a SHA-3 standard, but it's not yet part of the JRE, and anyway offers no fundamental advantage over SHA-2.)

  Web service security

  • This article is part of the Axis documentation, but it's generally applicable.


  • The Open Web Application Security Project (OWASP) is a free and open application security community. The OWASP page contains many useful links.
  • Books - Soft copies for many of the books can be downloaded for free.
  • Video Links - Videos of presentations made by OWASP members at various conferences.
  • OWASP Development Guide - Wiki link.


  • GSSP - Secure Software Programmer Certification
  • CISSP - Certified Information Systems Security Professional
  • CISM - Certified Information Security Manager
  • CEH - Certified Ethical Hacker
  • OWASP (on hold)
  • various certifications

  Other topics

  • Apache Shiro "is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography."

  • I'm getting a " PKIX path building failed: unable to find valid certification path to requested target " exception. What gives?


JavaRanchContact us — Copyright © 1998-2014 Paul Wheaton