Structure of Book - Enterprise Java 2 Security

Xie Ruchang
Ranch Hand

Joined: Dec 25, 2003
Posts: 160
Hi,
I have learnt that the basic concepts of security are covered by these four areas.
1. Authentication
2. Authorisation
3. Confidentiality
4. Non-repudiation
(Pls comment if I missed out other basic security concepts)
I would like to find out whether the book relates the security APIs or features with regard to these basic security concepts or it is oriented using another framework.
Another question related to non-repudiation, I found it confusing after reading a few books on security. Does digital certificates address this issue adequately. Is it covered in the book?
Best Regards
Warren Dew
blacksmith
Ranch Hand

Joined: Mar 04, 2004
Posts: 1332
    
    2
I'm thinking a general table of contents for the book could be really useful....
Marco Pistoia
Author
Greenhorn

Joined: Apr 19, 2004
Posts: 27
Hi Frankie. My answers below.
I have learnt that the basic concepts of security are covered by these four areas.
1. Authentication
2. Authorisation
3. Confidentiality
4. Non-repudiation
(Pls comment if I missed out other basic security concepts)
ANSWER: I would add access control to your list.
I would like to find out whether the book relates the security APIs or features with regard to these basic security concepts or it is oriented using another framework.
ANSWER: Absolutely: we show all the security APIs that can be used to achieve the security requirements above. We go over all the topics you listed in very deep detail, with lots of sample code.
Another question related to non-repudiation, I found it confusing after reading a few books on security. Does digital certificates address this issue adequately. Is it covered in the book?
ANSWER: Yes, non-repudiation is covered in the book. We talk about two types of non-repudiation: the sender of a message cannot deny having sent the message, and the receiver of a message cannot deny having received the message. For this to work, cryptographic functions need to be applied.
I hope this helps,
Marco
P.S. The Table of Contents of the book is available online at http://www.aw-bc.com/catalog/academic/product/0,4096,0321118898-TOC,00.html


Marco Pistoia, Ph.D.
http://www.research.ibm.com/people/p/pistoia/
Xie Ruchang
Ranch Hand

Joined: Dec 25, 2003
Posts: 160
Thanks, Marco, for the quick reply.
In response to the fifth item added to the list, access control: I thought that is the same as authorisation. Could you please explain the difference between access control and authorisation?
Best Regards
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
In addition to the 5th element you added, there is one more: Data Integrity, which means data has not been changed during transmission.
Nick


SCJP 1.2, OCP 9i DBA, SCWCD 1.3, SCJP 1.4 (SAI), SCJD 1.4, SCWCD 1.4 (Beta), ICED (IBM 287, IBM 484, IBM 486), SCMAD 1.0 (Beta), SCBCD 1.3, ICSD (IBM 288), ICDBA (IBM 700, IBM 701), SCDJWS, ICSD (IBM 348), OCP 10g DBA (Beta), SCJP 5.0 (Beta), SCJA 1.0 (Beta), MCP(70-270), SCBCD 5.0 (Beta), SCJP 6.0, SCEA for JEE5 (in progress)
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982

Could you please explain the difference between access control and authorisation.

I would say they are similar things.
An Access Control List (ACL) usually is a complete list of resources in the system among all users. When a user accesses resource X, the system checks with the ACL to see whether the user can access that resource. Thus, I feel access control may even be a subset of authorization in a certain sense.
Nick
Xie Ruchang
Ranch Hand

Joined: Dec 25, 2003
Posts: 160
Nick,
Aren't Data Integrity and Confidentiality the same thing?
Best Regards,
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
No.
Data Integrity and Confidentiality refer to different things.
For Data Integrity, A just wants to make sure that the message sent to B is not changed by a hacker X. The message can be public; everyone can read it. For example, a public notice is put on the board, but A needs to make sure that the content of the notice is not changed.
For Confidentiality, A sends B a message, but A doesn't want persons other than B to be able to read the message. Thus, the message is private to B ONLY. An example can be some legal documents, or contracts.
Nick
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
In addition, confidentiality does not necessarily mean the content cannot be changed.
A wants to send a message to B, so A can encrypt the message using B's public key. However, a bad guy, X, can capture this message from the network. X can then create a fake message, encrypt this message using B's public key and send it to B, pretending that this message is sent by A.
As a result, A's message is kept confidential, because X cannot decrypt it and get its content; however, the message received by B is NOT the one actually sent by A.
To avoid such a case, in addition to encrypting the message with B's public key, A needs to sign the encrypted message with his private key, so that B knows the message is actually from A, and the content has not changed.
Nick
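The two posts above (integrity versus confidentiality, and why encryption alone lets X substitute a message) map directly onto the Java 2 security APIs the book covers. The following is an added example, not code from the book or from any poster; it uses only the JDK's built-in JCA/JCE providers (RSA-OAEP for confidentiality, SHA256withRSA for origin and integrity), and the message strings and the party names A, B and X are constructed for the demo. It follows Nick's ordering (encrypt, then sign the ciphertext) and shows that B's signature check rejects both X's freshly encrypted fake and A's genuine signature spliced onto a different ciphertext.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;

public class SignThenEncryptDemo {

    // Transformations available in the JDK's SunJCE / SunRsaSign providers
    static final String CIPHER = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String SIG = "SHA256withRSA";

    static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Confidentiality only: anyone holding B's public key can produce a ciphertext B will decrypt
    static byte[] encryptFor(PublicKey recipient, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, recipient);
        return c.doFinal(plaintext);
    }

    static byte[] decrypt(PrivateKey recipient, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, recipient);
        return c.doFinal(ciphertext);
    }

    // Origin and integrity: only the holder of A's private key can produce a valid signature
    static byte[] sign(PrivateKey sender, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG);
        s.initSign(sender);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey sender, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG);
        s.initVerify(sender);
        s.update(data);
        return s.verify(signature);
    }

    // B's receive path: refuse to decrypt anything that does not verify under A's public key
    static String receive(KeyPair b, PublicKey aPublic, byte[] ciphertext, byte[] signature)
            throws GeneralSecurityException {
        if (!verify(aPublic, ciphertext, signature)) {
            return null; // treat as forged or tampered; never hand the plaintext on
        }
        return new String(decrypt(b.getPrivate(), ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair a = newRsaKeyPair(); // sender
        KeyPair b = newRsaKeyPair(); // receiver
        KeyPair x = newRsaKeyPair(); // third party with no access to A's private key

        // Constructed sample message
        byte[] ct = encryptFor(b.getPublic(), "Pay 100 to A".getBytes(StandardCharsets.UTF_8));
        byte[] sig = sign(a.getPrivate(), ct);
        System.out.println("genuine:  " + receive(b, a.getPublic(), ct, sig)); // prints the message

        // The substitution from the post: a different message encrypted under B's public key.
        byte[] fakeCt = encryptFor(b.getPublic(), "Pay 100 to X".getBytes(StandardCharsets.UTF_8));
        // Without a signature check B decrypts it just as happily (confidential, but not authentic):
        System.out.println("unsigned: " + new String(decrypt(b.getPrivate(), fakeCt), StandardCharsets.UTF_8));
        // With the check, a signature made under X's own key does not verify as A:
        System.out.println("forged:   " + receive(b, a.getPublic(), fakeCt, sign(x.getPrivate(), fakeCt))); // null
        // and A's genuine signature over a different ciphertext does not verify either:
        System.out.println("spliced:  " + receive(b, a.getPublic(), fakeCt, sig)); // null
    }
}
```

Two practical notes: RSA-OAEP can only encrypt a few hundred bytes, so real systems encrypt the body with a symmetric key and wrap only that key with the recipient's public key; and B must obtain A's public key through a trusted channel (a certificate chain, for instance), otherwise the verification step is only as good as the key it trusts.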
bas duijzings
Ranch Hand

Joined: Apr 07, 2004
Posts: 83
this is all nice, but a real question. How many of us/you have gone beyond authentication / authorisation / access control lists and maybe ssl for security ?
I assume we are still talking web application, so what sort of applications are actually using these technologies.
Please note, I do not mean that these technologies should not be used. I am only asking it out of curiosity
bas


have a nice one
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982

How many of us/you have gone beyond authentication / authorisation / access control lists and maybe ssl for security ?

I think those are already the most common security measures. Most systems will use these measures or their variants.

I assume we are still talking web application, so what sort of applications are actually using these technologies.

Any applications that need a user login requires Authentication.
Applications that provide different information or services to different users will use Authorization. For example, Amazon's customers can only view book info and purchase books, but they cannot add a new book to the book list. Actions that can be performed by a certain user are governed by an ACL.
Applications that need to exchange sensitive data point to point may require SSL. Data within the channel are encrypted, and so the transmission is secured, such as sending a login name and password over the Internet to log on to the system.
Secure Electronic Transaction (SET) is used when you check out books from Amazon using a credit card.
There are many places that need security measures, especially E-commerce systems.
Nick
bas duijzings
Ranch Hand

Joined: Apr 07, 2004
Posts: 83
thanks for getting it out of context. I know what the different security measures entail. I wanted to know how many of us/you have gone beyond authentication / authorisation / access control lists and maybe ssl for security ?
Your remark :
Secure Electronic Transaction (SET) is used when you checkout books from Amazon using Credit Card.

still stands, but only if you worked on it yourself which I doubt.
baz
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982

still stands, but only if you worked on it yourself which I doubt.

There are 2 ways of implementing SET. One has been suggested by you: that we need to implement it ourselves.
We have 4 parties: customer, Amazon, customer's bank and Amazon's bank. Of course, we can always implement the protocol by working with the authentication of digital certificates, and perform the transaction.
Another way is that we have a payment gateway; this gateway obtains the necessary info and does the rest (according to the SET protocol) for us.
We send credit card info to Amazon; in fact, Amazon may not carry out the $ transfer. It may simply pass the card info, as well as the customer's bank and Amazon's bank, to a payment gateway. This gateway can be either a trusted third party, like Visa or MasterCard, or the customer's bank. Then SET is performed by that gateway, while Amazon is not involved. It will only be notified whether the transaction succeeded.
In such sense, we may not really need to implement SET protocol in our own programs or systems, if we make use of a third party.
Nick
 
 
subject: Structure of Book - Enterprise Java 2 Security