JavaRanch » Java Forums » Java » Other JSE/JEE APIs
This Weeks Giveaway

Carl Trusiak
Sheriff

Joined: Jun 13, 2000
Posts: 3340
This Week we are giving away four copies of the book "Professional Java Security".
And the best part... The Authors, Jess Garms and Daniel Somerfield, will be online to answer your questions!
For details, check out JavaRanch Book Promotion Page.
Let's all give Jess and Dan a warm JavaRanch welcome!
Remember, your UserName must meet the requirements of the Naming Policy (http://www.javaranch.com/name.jsp) and the post you make has to deal with the Other Java APIs.
Thanks to Wrox for the books

I Hope This Helps
Carl Trusiak, SCJP2, SCWCD
Jamie Young
Ranch Hand

Joined: Jun 19, 2001
Posts: 31
Thank you for joining us today. It is always nice to have an opportunity to win a free book. I never do, but one day I will get lucky :> )
I may have some Java security questions soon in the future.
The program that I am working on now will eventually require the users to log in to determine their user privileges. We are using Win2000 as our operating system. We are even using the JDK 1.4 beta version because of certain required methods that are not in the 1.3 version.
Where would you think that I should start my research on how I should implement this security issue in my java program?
Would you recommend a certain package that I can import and use?
Does your book cover logging in and establishing users from a java program?
------------------
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15286
Hi, thanks for taking the time to talk to everyone today. I am coding an application with a client/server. I have a couple of questions.
First, how much JAVA cryptology does your book cover, if any, and what do you believe to be the best way to secure your class files? I realize that there is always a way to hack into anything, but I might as well make it as tough as possible.
Thanks for any help.
Gregg


GenRocket - A Test Data Generation Platform
David Weitzman
Ranch Hand

Joined: Jul 27, 2001
Posts: 1365
Is RMI safe?
Junilu Lacar
Bartender

Joined: Feb 26, 2001
Posts: 4419
Just wondering what kind of coverage this book gives on security in J2EE applications. I'm looking for some discussion on various strategies for securing a J2EE application and pros and cons of the strategies. Any feedback would be greatly appreciated.

Junilu - [How to Ask Questions] [How to Answer Questions]
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Thanks for the welcome. Of course the first place I'd recommend you look for Java security info is our book.
For what you're doing, it sounds like you'd be most interested in JAAS, the Java Authentication and Authorization Service. It's an optional package for JDK 1.3, but is included in 1.4. You can read the Sun documentation at http://java.sun.com/products/jaas/. Our book covers it, but somewhat briefly, as it had just been released when we were writing the book.
JAAS allows you to, as the name suggests, authenticate and authorize users to perform certain actions.
Originally posted by Jamie Young:
Thank you for joining us today. It is always nice to have an opportunity to win a free book. I never do, but one day I will get lucky :> )
I may have some Java security questions soon in the future.
The program that I am working on now will eventually require the users to log in to determine their user privileges. We are using Win2000 as our operating system. We are even using the JDK 1.4 beta version because of certain required methods that are not in the 1.3 version.
Where would you think that I should start my research on how I should implement this security issue in my java program?
Would you recommend a certain package that I can import and use?
Does your book cover logging in and establishing users from a java program?


------------------

Jess Garms, Author of "Professional Java Security" (http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop)
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by Gregg Bolinger:
First, how much JAVA cryptology does your book cover, if any, and what do you believe to be the best way to secure your class files? I realize that there is always a way to hack into anything, but I might as well make it as tough as possible.

The book's main focus is using cryptography in Java for encryption and authentication. There are also chapters on using secure protocols, like SSL.
The best way to secure class files depends on your goal. If you're writing server-side code, you may not need to do anything because your classes are never exposed. If you're shipping a product or an applet though, you may want to use a byte-code obfuscator.
Obfuscators aren't really protection though. They just make it more difficult to decompile your code. When you're implementing security in your programs, make sure that exposing the code wouldn't compromise the application. That is, try to keep the real security in a key or password that only an authorized user would have.
If you're looking for a free obfuscator, check out Retroguard: http://www.retrologic.com/

------------------
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by David Garland:
Is RMI safe?

By default, RMI isn't particularly safe, especially if used over the internet. All data is sent in clear text, and it is possible to spoof messages.
You can increase security when using RMI, however, by tunneling it over SSL, adding encryption and authentication to the communication. Sun includes an example of this with the JSSE download (http://java.sun.com/products/jsse/), which is their implementation of SSL for Java. Our book also contains some examples of tunneling RMI over SSL.

------------------
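An added example (editor's code, not from the book and not Sun's JSSE sample) of the RMI-over-SSL tunnelling Jess describes. It uses javax.rmi.ssl.SslRMIClientSocketFactory and SslRMIServerSocketFactory, which arrived in J2SE 5.0; in 2001 you had to write equivalent RMIClientSocketFactory/RMIServerSocketFactory implementations against JSSE yourself. The Echo interface is invented, and the key and trust material is assumed to be supplied through the standard javax.net.ssl.* system properties listed in the comments (server and client run in the same VM here, so the one keystore/truststore pair has to trust itself).

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SslRmiDemo {

    // Hypothetical remote interface used for the demo.
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static final class EchoImpl implements Echo {
        public String echo(String msg) { return "echo: " + msg; }
    }

    public static void main(String[] args) throws Exception {
        // Assumed: key material comes from the standard JSSE system properties, e.g.
        //   -Djavax.net.ssl.keyStore=server.jks   -Djavax.net.ssl.keyStorePassword=changeit
        //   -Djavax.net.ssl.trustStore=trust.jks  -Djavax.net.ssl.trustStorePassword=changeit
        // The client must trust the server certificate and, because needClientAuth is
        // true below, the server must trust the client's as well.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // null, null = JSSE default cipher suites and protocols; true = demand a client cert
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        // Both the remote object AND the registry go over TLS. A registry left on a plain
        // socket still leaks every lookup and lets anyone on the network rebind names.
        EchoImpl impl = new EchoImpl();
        Echo stub = (Echo) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);
        registry.rebind("echo", stub);

        // Client side (same VM for the demo): the registry reference itself is fetched over TLS.
        Registry remoteRegistry = LocateRegistry.getRegistry("localhost", 1099, csf);
        Echo echo = (Echo) remoteRegistry.lookup("echo");
        System.out.println(echo.echo("hello over TLS"));

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Run it with the four system properties pointing at a keystore and a truststore that contain each other's certificates; without them the handshake fails on the first lookup. Note also, in view of Max's question further down the thread, that Java 2 policy files control what loaded code may do inside the VM under a SecurityManager; they do nothing for the bytes on the wire, which is the exposure Jess is describing.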
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by JUNILU LACAR:
Just wondering what kind of coverage this book gives on security in J2EE applications. I'm looking for some discussion on various strategies for securing a J2EE application and pros and cons of the strategies. Any feedback would be greatly appreciated.

Our book covers some J2EE security, but it's not the main focus. J2EE is fairly new, and people are still struggling to find the best way to secure J2EE applications. The first thing to look into is JAAS, which is being bundled into J2EE as a way to provide pluggable authentication and authorization.
I would still consider our book to be useful for J2EE security development, because we look at application security in general, in addition to specific APIs and pre-existing architectures. There are a number of techniques that apply to any server-side application, whether it's servlet- or J2EE-based.
------------------
Gina Peers
Greenhorn

Joined: Sep 19, 2000
Posts: 3
Do you have any idea when a production-quality release of J2SE 1.4 with JAAS will be coming out? I couldn't find it on Sun's site...
Thanks in advance,
Gina
ruilin yang
Ranch Hand

Joined: Feb 25, 2001
Posts: 334
Jess and others,
If I use only JSP/Servlets as server-side programs, my system cannot be as secure as a system built with EJBs, since EJB technology gives you more chances/places to implement security protocols.
Is that correct? This means with EJB you can have a more secure system.
Thanks,
Ruilin
Max Tomlinson
Ranch Hand

Joined: Jul 17, 2001
Posts: 365
Re: IS RMI Safe.
I was surprised to read Jess's answer to this. I thought with Java 2 and the use of policy files that RMI would be relatively (the magic word) secure.
Max Tomlinson
Daniel Somerfield
Author
Greenhorn

Joined: Jul 15, 2001
Posts: 11
Actually, that isn't really the case. Rather than thinking that extra tiers give you more places to implement security, think of each tier as a potential weak point where you NEED to implement security. Every time you go over the network, for example, you are exposing your data to attack.
EJB servers do provide you with some APIs for implementing security, such as method-level access control and JAAS. However, there really isn't anything there that you can't either write yourself, or download separately.
If you are only using Servlets/JSP, then use SSL with client authentication and some sort of security model, either based on the Java Security APIs or a simpler home-brewed solution.
Assuming you use a separate database, you also have to worry about securing that connection. Our book has a couple of strategies for doing just that. Some databases have built-in encryption and authentication functionality which will save you some work. Finally, you can partition off the database with network infrastructure, preventing outside connections.
Overall, EJB isn't going to help you much with these problems. It just adds an extra tier that needs to be protected.
Originally posted by ruilin yang:
Jess and others,
If I use only JSP/Servlets as server-side programs, my system cannot be as secure as a system built with EJBs, since EJB technology gives you more chances/places to implement security protocols.
Is that correct? This means with EJB you can have a more secure system.
Thanks,
Ruilin


------------------
Daniel Somerfield
Author of Professional Java Security (http://www.amazon.com/exec/obidos/ASIN/1861004257/ref=ase_electricporkchop)
ruilin yang
Ranch Hand

Joined: Feb 25, 2001
Posts: 334
Thanks a lot, Daniel. I learnt a lot.
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by Gina Peers:
Do you have any idea when a production-quality release of J2SE 1.4 with JAAS will be coming out? I couldn't find it on Sun's site...

Last I heard, the plan was to release 1.4 by the end of the year. I would imagine that means December.

------------------
David Bejjam
Greenhorn

Joined: Aug 16, 2001
Posts: 17
Are JCE & JSSE bundled with the current version of J2EE?
mohit joshi
Ranch Hand

Joined: Sep 23, 2000
Posts: 243
I have been trying for more than a year to make the sample JSSE example work. If you look at sample\sockets\server\ClassFileServer.java
Theoretically you should be able to start this service and then access it over https, but I have not succeeded in doing this. Earlier it used to get stuck while doing the Handshake.
Now it throws
java.security.NoSuchAlgorithmException: Algorithm TLS not available
at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
at ClassFileServer.getServerSocketFactory(ClassFileServer.java:138)
at ClassFileServer.main(ClassFileServer.java:115)
Exception in thread "main" java.lang.NullPointerException
at ClassFileServer.main(ClassFileServer.java:116)

Can anybody help me with this..
Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040

<whispering>Welcome, Jess and Daniel.</whispering>
that's secure info...
ssshhhhhh!!!
- satya

Take a Minute, Donate an Hour, Change a Life
http://www.ashanet.org/workanhour/2006/?r=Javaranch_ML&a=81
Ricardo Polero
Ranch Hand

Joined: May 18, 2001
Posts: 128
Hi, It's nice to have a good book on security !
I plan to take the SCEA and it will be nice to win this book!!!
Thanks
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by David Bejjam:
Are JCE & JSSE bundled with the current version of J2EE?

I believe that JSSE is included in J2EE, but not the JCE. JDK 1.4 will contain both though, so once J2EE upgrades to that, it will automatically contain the JCE as well.
------------------
Jess Garms
Author of "Professional Java Security"
ruilin yang
Ranch Hand

Joined: Feb 25, 2001
Posts: 334
Jess/Daniel,
When we implement security in an application/system, what kind of granularity would you recommend? I mean, what is the guideline for designing a security system for an application? Are there any patterns to follow?
My question may appear to be silly since I do not know a lot about the topic.
Thanks,
Ruilin
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by mohit joshi:
I have been trying for more than a year to make the sample JSSE example work. If you look at sample\sockets\server\ClassFileServer.java
Theoretically you should be able to start this service and then access it over https, but I have not succeeded in doing this. Earlier it used to get stuck while doing the Handshake.
Now it throws
java.security.NoSuchAlgorithmException: Algorithm TLS not available
at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
at ClassFileServer.getServerSocketFactory(ClassFileServer.java:138)
at ClassFileServer.main(ClassFileServer.java:115)
Exception in thread "main" java.lang.NullPointerException
at ClassFileServer.main(ClassFileServer.java:116)

Can anybody help me with this..

It's possible that you don't have the JSSE provider registered. Try the following line of code before connecting:
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
Also make sure all three of the JSSE jars are on your classpath.

------------------
Jess Garms
Author of "Professional Java Security"
mohit joshi
Ranch Hand

Joined: Sep 23, 2000
Posts: 243
thanks for the prompt reply. However I have statically registered the provider as follows in the file:
<java-home>\lib\security\java.security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
which should have the same effect? Or do you think Dynamic registration might help in my case?
Also I do have the three jar files in my classpath..., since I am able to compile the sample files.
Regards
Mohit Joshi
[This message has been edited by mohit joshi (edited August 22, 2001).]
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by mohit joshi:
thanks for the prompt reply. However I have statically registered the provider as follows in the file:
<java-home>\lib\security\java.security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
which should have the same effect? Or do you think Dynamic registration might help in my case?
Also I do have the three jar files in my classpath..., since I am able to compile the sample files.
Regards
Mohit Joshi
[This message has been edited by mohit joshi (edited August 22, 2001).]

Go ahead and try dynamically adding the provider and let us know what happens. Sometimes there are several VMs installed on a machine, and java_home isn't where you might expect it to be.

------------------
Jess Garms
Author of "Professional Java Security"
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by ruilin yang:
Jess/Daniel,
When we implement security in an application/system, what kind of granularity would you recommend? I mean, what is the guideline for designing a security system for an application? Are there any patterns to follow?

Well, this is a pretty enormous topic, and it's difficult to provide a comprehensive response in a short space. To determine the granularity you need, you have to ask yourself what are you trying to protect? If it's a single network connection to a database, then it's easy: protect that one connection with SSL or network infrastructure.
Typically though, things aren't that simple. Perhaps you have multiple users of the system who each might have sensitive information. Then at the very least, you need to implement security that's granular enough to distinguish between users. Alternatively, maybe there are only two *types* of users: regular and administrative. Then your job is easier: you only need to deal with those two types in your application.
One of the things to remember when implementing security is to keep it simple. The more complex your security gets, the more likely you or some other programmer is to route around it in order to accomplish a task when time is tight. By keeping things as straight-forward as possible, people are much more likely to use the system as it was intended.


------------------
Jess Garms
Author of "Professional Java Security"
ravi bask
Ranch Hand

Joined: Jul 05, 2001
Posts: 58
Jess/Daniel
Is Java the best language for implementing security,
and is the book you guys wrote for beginners or for above beginners?

And does it tell how to implement security in an efficient way, because some books don't tell how we can improve our performance while coding for security.
I guess anyone can implement security in their applications by using the Java APIs, but how we implement the security is the real problem, I guess.

Thanks for joining us,

mohit joshi
Ranch Hand

Joined: Sep 23, 2000
Posts: 243
hello Jess,
I tried dynamically adding the provider and it is working now. Also there is no Handshake problem now. Thanks for the help.

Regards
Mohit Joshi
mohit joshi
Ranch Hand

Joined: Sep 23, 2000
Posts: 243
Now I am trying to run the sample client to connect to the SSLServer on the local machine. It is throwing the following exception while doing the handshake (it is not recognizing the certificate produced by the server. In the case of a browser, you can click on an option and accept a certificate, but how can we do it with the sample client? Any feedback..)

D:\jdk1.2\jsse\samples\sockets\client>java SSLSocketClient
before handshake
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at SSLSocketClient.main(SSLSocketClient.java:58)
I guess one way to solve this is to install the certificate with the client, but I suppose there would be an option to accept unknown certificates.
[This message has been edited by mohit joshi (edited August 22, 2001).]
mohit joshi
Ranch Hand

Joined: Sep 23, 2000
Posts: 243
Figured out a way of doing it..
One has to define a new TrustManager and use it while creating the SSLSocketFactory as follows..
import com.sun.net.ssl.SSLContext;       // JSSE 1.0.x API; these live in javax.net.ssl from JDK 1.4 on
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

SSLContext sc = SSLContext.getInstance("TLS");
TrustManager[] tma = { new MyX509TrustManager() };
sc.init(null, tma, null);   // no client key material, our trust manager, default SecureRandom
SSLSocketFactory factory = sc.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);

The MyX509TrustManager class can be defined as..

// Accepts every certificate chain, so the server is never actually authenticated.
class MyX509TrustManager implements X509TrustManager {
    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }
    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}
Of course these methods could be more elaborate depending on your requirements...
Regards
Mohit Joshi
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by ravi bask:
Jess/Daniel
Is Java the best language for implementing security,
and is the book you guys wrote for beginners or for above beginners?

And does it tell how to implement security in an efficient way, because some books don't tell how we can improve our performance while coding for security.
I guess anyone can implement security in their applications by using the Java APIs, but how we implement the security is the real problem, I guess.

I think Java is the best language for implementing secure applications, but I'm pretty biased. I like the fact that the most common server security problem, buffer overruns, is impossible in Java due to the language itself.
Our book is for intermediate to advanced Java programmers. You don't need any security knowledge to understand it, but you will need to know Java pretty well.
In answer to your question about efficiency, we discuss it at various times throughout the book. Security implementation is often limited by what is computationally feasible, and you need to be cognizant of that when writing your applications.

------------------
Jess Garms
Author of "Professional Java Security"
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
That will do the trick, but you're no longer checking the server's certificate for authenticity. This means it might be possible for someone to mount a man-in-the-middle attack on your communications. A more secure solution would be to install the server's certificate in the client's trust store, or to use a certificate signed by a certificate authority like Verisign.
Of course, if you're just looking to test out some JSSE stuff, and not planning on putting it into production, this is a fine solution.
Originally posted by mohit joshi:
Figured out a way of doing it..
One has to define a new TrustManager and use it while creating the SSLSocketFactory as follows..
import com.sun.net.ssl.SSLContext;       // JSSE 1.0.x API; these live in javax.net.ssl from JDK 1.4 on
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

SSLContext sc = SSLContext.getInstance("TLS");
TrustManager[] tma = { new MyX509TrustManager() };
sc.init(null, tma, null);   // no client key material, our trust manager, default SecureRandom
SSLSocketFactory factory = sc.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);

The MyX509TrustManager class can be defined as..

// Accepts every certificate chain, so the server is never actually authenticated.
class MyX509TrustManager implements X509TrustManager {
    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }
    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}
Of course these methods could be more elaborate depending on your requirements...
Regards
Mohit Joshi


------------------
Jess Garms
Author of "Professional Java Security"
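The trust-store alternative Jess recommends, as an added example (editor's code, not the book's and not Sun's sample). It uses the javax.net.ssl API that has been standard since JDK 1.4 rather than the com.sun.net.ssl classes in Mohit's snippet, and assumes the server's certificate (or its issuing CA) has already been imported with keytool into a JKS or PKCS12 file; the file name client-trust.jks, its password, and the host and port are assumptions. The hostname check through setEndpointIdentificationAlgorithm needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class TrustedClient {

    // Builds an SSLContext whose trust decisions come from an explicit trust store
    // (JKS or PKCS12), instead of a TrustManager that says yes to every chain.
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                         // PKIX path validation against the store's anchors
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, default SecureRandom
        return ctx;
    }

    // Chain validation alone still accepts a perfectly valid certificate issued for some
    // other host, which is the man-in-the-middle gap Jess mentions; the endpoint
    // identification setting makes the handshake also match the certificate to the host name.
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();                      // SSLHandshakeException if chain or name fails
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the server certificate (or its CA) was imported beforehand with
        //   keytool -importcert -alias server -file server.cer -keystore client-trust.jks
        String trustStorePath = args.length > 0 ? args[0] : "client-trust.jks";
        SSLContext ctx = contextFromTrustStore(trustStorePath, "changeit".toCharArray());
        try (SSLSocket socket = connect(ctx, "localhost", 443)) {
            System.out.println("handshake ok: " + socket.getSession().getCipherSuite()
                + ", peer " + socket.getSession().getPeerPrincipal().getName());
        }
    }
}
```

Against the ClassFileServer sample this is the client-side equivalent of what a browser does when you accept and install a site's certificate: the decision is made once, out of band, by putting the certificate in the trust store, and every later handshake is checked against it instead of being waved through.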
mohit joshi
Ranch Hand

Joined: Sep 23, 2000
Posts: 243
well I was just trying to simulate what happens when a browser points to a https site. Usually the user is presented with the certificate information and if he decides to trust the certificate, he can install it on his machine. To implement this would require further work on my part..
Thanks for your comments
Mohit Joshi
PAVAN KUMAR99
Greenhorn

Joined: Jun 20, 2001
Posts: 6
Does the book cover Java security in relation with some of the authentication systems like Kerberos.
Also, one more basic question: is there a way to decode an MD5 hashed string, using the MessageDigest class?
Jess Garms
Author
Greenhorn

Joined: Jul 16, 2001
Posts: 17
Originally posted by PAVAN KUMAR99:
Does the book cover Java security in relation with some of the authentication systems like Kerberos.
Also, one more basic question: is there a way to decode an MD5 hashed string, using the MessageDigest class?

The book covers authentication using SSL and custom solutions, but not Kerberos.
There is no way to decode a message digest. It's a one-way transformation.

------------------
Jess Garms
Author of "Professional Java Security"
Dirk Trompetter
Greenhorn

Joined: Aug 21, 2001
Posts: 13
Hi,
does the book cover java security on mobile phones?
thanks,
dirk
Thomas Paul
mister krabs
Ranch Hand

Joined: May 05, 2000
Posts: 13974
As regular visitors to the "Meaningless Drivel" forum know, book covers are a serious topic of discussion. Jess and Daniel may wish to drop in here:

http://www.javaranch.com/ubb/Forum32/HTML/000817-4.html
[This message has been edited by Thomas Paul (edited August 23, 2001).]


Associate Instructor - Hofstra University
Amazon Top 750 reviewer - Blog - Unresolved References - Book Review Blog
Kris Decker
Ranch Hand

Joined: Jul 25, 2001
Posts: 38
If I remember correctly, one uses MD5 or SHA to create a digest. Then, you can send the digest along with a file, so the receiver can create its own digest and compare. If the digests match, then the file is unadulterated.

Originally posted by PAVAN KUMAR99:
Does the book cover Java security in relation with some of the authentication systems like Kerberos.
Also, one more basic question: is there a way to decode an MD5 hashed string, using the MessageDigest class?

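An added example (editor's code, not from the book) of the digest-and-compare integrity check Kris describes, using java.security.MessageDigest, alongside the keyed HMAC variant from javax.crypto.Mac. The payload and the key are constructed for the demo. "MD5" can be passed in place of "SHA-256" and the API behaves identically, which also illustrates Jess's point: there is a digest() call and no inverse.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DigestCheck {

    // Sender side: the digest that travels alongside the file.
    public static byte[] digest(String algorithm, byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance(algorithm).digest(data);
    }

    // Receiver side: recompute and compare. isEqual runs in constant time, unlike Arrays.equals.
    public static boolean verifyDigest(String algorithm, byte[] data, byte[] expected)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(digest(algorithm, data), expected);
    }

    // Keyed variant: only a holder of the shared key can produce a matching tag.
    public static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    public static boolean verifyHmac(byte[] key, byte[] data, byte[] expectedTag)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(hmac(key, data), expectedTag);
    }

    public static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample "file" and a constructed shared key (demo values only)
        byte[] file = "constructed sample payload, version 1\n".getBytes(StandardCharsets.UTF_8);
        byte[] key  = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

        byte[] sha = digest("SHA-256", file);
        byte[] tag = hmac(key, file);
        System.out.println("SHA-256 of payload: " + toHex(sha));

        byte[] tampered = file.clone();
        tampered[0] ^= 0x01;                          // flip a single bit

        System.out.println("intact, digest matches:   " + verifyDigest("SHA-256", file, sha));
        System.out.println("tampered, digest matches: " + verifyDigest("SHA-256", tampered, sha));
        System.out.println("intact, HMAC matches:     " + verifyHmac(key, file, tag));
        System.out.println("tampered, HMAC matches:   " + verifyHmac(key, tampered, tag));

        // Whoever can rewrite the file can recompute a bare digest for it just as easily.
        byte[] forgedDigest = digest("SHA-256", tampered);
        System.out.println("tampered + attacker's own digest accepted: "
            + verifyDigest("SHA-256", tampered, forgedDigest));
    }
}
```

Both checks fail on the flipped bit; the last case is the one a bare digest cannot catch. A digest shipped beside the file only proves integrity if it reaches the receiver by a path the attacker cannot write to (a signed release page, a separate channel), otherwise the attacker simply replaces both. The HMAC closes that gap for two parties with a shared key; a digital signature does the same without one.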
Daniel Somerfield
Author
Greenhorn

Joined: Jul 15, 2001
Posts: 11
Originally posted by Dirk Trompetter:
Hi,
does the book cover java security on mobile phones?
thanks,
dirk

No, I am afraid not. Some of the server-side APIs we cover are perfectly valid whether you are using mobile phones or some other client, but we don't talk about phones specifically.
I should say that I don't think the processors on phones (or the Palm, for that matter) are really fast enough for PKI yet. They can do symmetric encryption relatively well, but are a little pokey for asymmetric.

------------------
Daniel Somerfield
Author of Professional Java Security
ruilin yang
Ranch Hand

Joined: Feb 25, 2001
Posts: 334
Jess/Daniel
Some architecture design can solve some security problems. In order to get a good security implementation on a system, it is better to start from architecture design in combination with security considerations.
How much does your book cover/discuss the architecture design in terms of better security? I mean some security problems can be solved purely by a proper architecture design. Sometimes we have to do a trade-off between architecture design, performance considerations, and security. I would like to get some comments from you - experts.
Thanks in advance.
Ruilin
Ivan Tamayo
Ranch Hand

Joined: Aug 13, 2001
Posts: 49
Hi,
Are there design patterns for security?
 