Document Information

Preface

Part I Introduction

1.  Overview

2.  Using the Tutorial Examples

Part II The Web Tier

3.  Getting Started with Web Applications

4.  JavaServerTM Faces Technology

5.  Introduction to Facelets

6.  Unified Expression Language

7.  Using JavaServerTM Faces Technology in Web Pages

8.  Using Converters, Listeners and Validators

9.  Developing With JavaServerTM Faces Technology

10.  Java Servlet Technology

Part III Web Services

11.  Introduction to Web Services

12.  Building Web Services with JAX-WS

13.  Building RESTful Web Services with JAX-RS and Jersey

Part IV Enterprise Beans

14.  Enterprise Beans

15.  Getting Started with Enterprise Beans

16.  Running the Enterprise Bean Examples

Part V Contexts and Dependency Injection for the JavaTM EE Platform

17.  Introduction to Contexts and Dependency Injection for the JavaTM EE Platform

18.  Running the Basic Contexts and Dependency Injection Examples

Part VI Persistence

19.  Introduction to the Java Persistence API

20.  Running the Persistence Examples

21.  The Java Persistence Query Language

22.  Creating Queries Using the Criteria API

Part VII Security

23.  Introduction to Security in the Java EE Platform

Overview of Java EE Security

A Simple Security Example

Step 1: Initial Request

Step 2: Initial Authentication

Step 3: URL Authorization

Step 4: Fulfilling the Original Request

Step 5: Invoking Enterprise Bean Business Methods

Security Functions

Characteristics of Application Security

Securing Containers

Using Deployment Descriptors for Declarative Security

Using Annotations

Using Programmatic Security

Securing the Enterprise Server

Working with Realms, Users, Groups, and Roles

What Are Realms, Users, Groups, and Roles?

What Is a Realm?

What Is a User?

What Is a Group?

What Is a Role?

Some Other Terminology

Managing Users and Groups on the Enterprise Server

Adding Users to the Enterprise Server

Adding Users to the Certificate Realm

Setting Up Security Roles

Mapping Roles to Users and Groups

Establishing a Secure Connection Using SSL

Installing and Configuring SSL Support

Specifying a Secure Connection in Your Application Deployment Descriptor

Verifying SSL Support

Tips on Running SSL

Working with Digital Certificates

Creating a Server Certificate

Miscellaneous Commands for Certificates

Further Information about Security

24.  Getting Started Securing Enterprise Applications

25.  Getting Started Securing Web Applications

Part VIII JavaTM EE Supporting Technologies

26.  Introduction to JavaTM EE Supporting Technologies

27.  Transactions

28.  Resource Connections

Index

  
java.sun.com | docs.sun.com
The Java EE 6 Tutorial, Volume I
Home | Download | PDF | API | FAQ | Search | Feedback | History

Security Implementation Mechanisms

The characteristics of an application should be considered when deciding the layer and type of security to be provided for applications. The following sections discuss the characteristics of the common mechanisms that can be used to secure Java EE applications. Each of these mechanisms can be used individually or with others to provide protection layers based on the specific needs of your implementation.

Java SE Security Implementation Mechanisms

Java SE provides support for a variety of security features and mechanisms, including:

  • Java Authentication and Authorization Service (JAAS): JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS provides a pluggable and extensible framework for programmatic user authentication and authorization. JAAS is a core Java SE API and is an underlying technology for Java EE security mechanisms.

  • Java Generic Security Services (Java GSS-API): Java GSS-API is a token-based API used to securely exchange messages between communicating applications. The GSS-API offers application programmers uniform access to security services atop a variety of underlying security mechanisms, including Kerberos.

  • Java Cryptography Extension (JCE): JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. Block ciphers operate on groups of bytes while stream ciphers operate on one byte at a time. The software also supports secure streams and sealed objects.

  • Java Secure Sockets Extension (JSSE): JSSE provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications.

  • Simple Authentication and Security Layer (SASL): SASL is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. It is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit.

Java SE also provides a set of tools for managing keystores, certificates, and policy files; generating and verifying JAR signatures; and obtaining, listing, and managing Kerberos tickets.

For more information on Java SE security, visit its web page at http://java.sun.com/javase/6/docs/technotes/guides/security/.

Java EE Security Implementation Mechanisms

Java EE security services are provided by the component container and can be implemented using declarative or programmatic techniques (container security is discussed more in Securing Containers). Java EE security services provide a robust and easily configured security mechanism for authenticating users and authorizing access to application functions and associated data at many different layers. Java EE security services are separate from the security mechanisms of the operating system.

Application-Layer Security

In Java EE, component containers are responsible for providing application-layer security. Application-layer security provides security services for a specific application type tailored to the needs of the application. At the application layer, application firewalls can be employed to enhance application protection by protecting the communication stream and all associated application resources from attacks.

Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and only protect data while it is residing in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, where data often travels across several intermediaries, you would need to use the Java EE security mechanisms along with transport-layer security and message-layer security for a complete security solution.

The advantages of using application-layer security include the following:

  • Security is uniquely suited to the needs of the application.

  • Security is fine-grained, with application-specific settings.

The disadvantages of using application-layer security include the following:

  • The application is dependent on security attributes that are not transferable between application types.

  • Support for multiple protocols makes this type of security vulnerable.

  • Data is close to or contained within the point of vulnerability.

For more information on providing security at the application layer, read Securing Containers.

Transport-Layer Security

Transport-layer security is provided by the transport mechanisms used to transmit information over the wire between clients and providers, thus transport-layer security relies on secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). Transport security is a point-to-point security mechanism that can be used for authentication, message integrity, and confidentiality. When running over an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. Security is “live” from the time it leaves the consumer until it arrives at the provider, or vice versa, even across intermediaries. The problem is that it is not protected once it gets to its destination. One solution is to encrypt the message before sending.

Transport-layer security is performed in a series of phases, which are listed here:

  • The client and server agree on an appropriate algorithm.

  • A key is exchanged using public-key encryption and certificate-based authentication.

  • A symmetric cipher is used during the information exchange.

Digital certificates are necessary when running secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). The HTTPS service of most web servers will not run unless a digital certificate has been installed. Digital certificates have already been created for the Enterprise Server. If you are using a different server, check to see if it has digital certificates, and, if not, use the procedure outlined in Working with Digital Certificates to set up a digital certificate that can be used by your web or application server to enable SSL.

The advantages of using transport-layer security include the following:

  • Relatively simple, well understood, standard technology.

  • Applies to message body and attachments.

The disadvantages of using transport-layer security include the following:

  • Tightly-coupled with transport-layer protocol.

  • All or nothing approach to security. This implies that the security mechanism is unaware of message contents, and as such, you cannot selectively apply security to portions of the message as you can with message-layer security.

  • Protection is transient. The message is only protected while in transit. Protection is removed automatically by the endpoint when it receives the message.

  • Not an end-to-end solution, simply point-to-point.

For more information on transport-layer security, read Establishing a Secure Connection Using SSL.

Message-Layer Security

In message-layer security, security information is contained within the SOAP message and/or SOAP message attachment, which allows security information to travel along with the message or attachment. For example, a portion of the message may be signed by a sender and encrypted for a particular receiver. When the message is sent from the initial sender, it may pass through intermediate nodes before reaching its intended receiver. In this scenario, the encrypted portions continue to be opaque to any intermediate nodes and can only be decrypted by the intended receiver. For this reason, message-layer security is also sometimes referred to as end-to-end security.

The advantages of message-layer security include the following:

  • Security stays with the message over all hops and after the message arrives at its destination.

  • Security can be selectively applied to different portions of a message (and to attachments if using XWSS).

  • Message security can be used with intermediaries over multiple hops.

  • Message security is independent of the application environment or transport protocol.

The disadvantage of using message-layer security is that it is relatively complex and adds some overhead to processing.

The Enterprise Server supports message security using Metro, a web services stack that uses Web Services Security (WSS) to secure messages. Because this message security is specific to Metro and is not a part of the Java EE platform, this tutorial does not discuss using WSS to secure messages. See the Metro User's Guide at https://metro.dev.java.net/guide/. Other sources of information for message security include Sun GlassFish Enterprise Server v3 Administration Guide and Sun GlassFish Enterprise Server v3 Application Development Guide.

The material in The Java EE 6 Tutorial, Volume I is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.