
The Java EE 5 Tutorial


Security Implementation Mechanisms

The characteristics of an application should be considered when deciding the layer and type of security to be provided for applications. The following sections discuss the characteristics of the common mechanisms that can be used to secure Java EE applications. Each of these mechanisms can be used individually or with others to provide protection layers based on the specific needs of your implementation.

Java SE Security Implementation Mechanisms

Java SE provides support for a variety of security features and mechanisms, including:

  • Java Authentication and Authorization Service (JAAS): JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS provides a pluggable and extensible framework for programmatic user authentication and authorization. JAAS is a core Java SE API and is an underlying technology for Java EE security mechanisms.

  • Java Generic Security Services (Java GSS-API): Java GSS-API is a token-based API used to securely exchange messages between communicating applications. The GSS-API offers application programmers uniform access to security services atop a variety of underlying security mechanisms, including Kerberos.

  • Java Cryptography Extension (JCE): JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. Block ciphers operate on groups of bytes while stream ciphers operate on one byte at a time. The software also supports secure streams and sealed objects.

  • Java Secure Sockets Extension (JSSE): JSSE provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications.

  • Simple Authentication and Security Layer (SASL): SASL is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. It is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit.

Java SE also provides a set of tools for managing keystores, certificates, and policy files; generating and verifying JAR signatures; and obtaining, listing, and managing Kerberos tickets.

For more information on Java SE security, visit its web page at http://download.oracle.com/javase/6/docs/technotes/guides/security/.

Java EE Security Implementation Mechanisms

Java EE security services are provided by the component container and can be implemented using declarative or programmatic techniques (container security is discussed more in Securing Containers). Java EE security services provide a robust and easily configured security mechanism for authenticating users and authorizing access to application functions and associated data at many different layers. Java EE security services are separate from the security mechanisms of the operating system.

Application-Layer Security

In Java EE, component containers are responsible for providing application-layer security. Application-layer security provides security services for a specific application type tailored to the needs of the application. At the application layer, application firewalls can be employed to enhance application protection by protecting the communication stream and all associated application resources from attacks.

Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and only protect data while it is residing in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, where data often travels across several intermediaries, you would need to use the Java EE security mechanisms along with transport-layer security and message-layer security for a complete security solution.

The advantages of using application-layer security include the following:

  • Security is uniquely suited to the needs of the application.

  • Security is fine-grained, with application-specific settings.

The disadvantages of using application-layer security include the following:

  • The application is dependent on security attributes that are not transferable between application types.

  • Support for multiple protocols makes this type of security vulnerable.

  • Data is close to or contained within the point of vulnerability.

For more information on providing security at the application layer, read Securing Containers.

Transport-Layer Security

Transport-layer security is provided by the transport mechanisms used to transmit information over the wire between clients and providers, thus transport-layer security relies on secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). Transport security is a point-to-point security mechanism that can be used for authentication, message integrity, and confidentiality. When running over an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. Security is “live” from the time it leaves the consumer until it arrives at the provider, or vice versa, even across intermediaries. The problem is that it is not protected once it gets to its destination. One solution is to encrypt the message before sending.

Transport-layer security is performed in a series of phases, which are listed here:

  • The client and server agree on an appropriate algorithm.

  • A key is exchanged using public-key encryption and certificate-based authentication.

  • A symmetric cipher is used during the information exchange.

Digital certificates are necessary when running secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). The HTTPS service of most web servers will not run unless a digital certificate has been installed. Digital certificates have already been created for the Application Server. If you are using a different server, use the procedure outlined in Working with Digital Certificates to set up a digital certificate that can be used by your web or application server to enable SSL.

The advantages of using transport-layer security include the following:

  • Relatively simple, well understood, standard technology.

  • Applies to message body and attachments.

The disadvantages of using transport-layer security include the following:

  • Tightly-coupled with transport-layer protocol.

  • All or nothing approach to security. This implies that the security mechanism is unaware of message contents, and as such, you cannot selectively apply security to portions of the message as you can with message-layer security.

  • Protection is transient. The message is only protected while in transit. Protection is removed automatically by the endpoint when it receives the message.

  • Not an end-to-end solution, simply point-to-point.

For more information on transport-layer security, read Establishing a Secure Connection Using SSL.

Message-Layer Security

In message-layer security, security information is contained within the SOAP message and/or SOAP message attachment, which allows security information to travel along with the message or attachment. For example, a portion of the message may be signed by a sender and encrypted for a particular receiver. When the message is sent from the initial sender, it may pass through intermediate nodes before reaching its intended receiver. In this scenario, the encrypted portions continue to be opaque to any intermediate nodes and can only be decrypted by the intended receiver. For this reason, message-layer security is also sometimes referred to as end-to-end security.
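The signed-and-encrypted message described above, sketched with the Java SE JCE APIs as an added example; it is not code from the tutorial and does not use WSS or XWSS. The `Envelope` record, the header value, the sample body, and the choice of AES-GCM, RSA-OAEP key wrapping and SHA256withRSA are assumptions made for illustration, and Java 16 or later is assumed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class MessageLayerDemo {
    // Hypothetical envelope (not a SOAP/WSS type): cleartext routing header, sealed body.
    record Envelope(String header, byte[] wrappedKey, byte[] iv, byte[] sealedBody) {}
    static final int SIG_LEN = 256; // an RSA-2048 signature is always 256 bytes

    static Envelope protect(String header, String body, PrivateKey from, PublicKey to) throws Exception {
        byte[] plain = body.getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(from);                       // sender signs the body
        signer.update(plain);
        byte[] payload = ByteBuffer.allocate(SIG_LEN + plain.length).put(signer.sign()).put(plain).array();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aes = kg.generateKey();            // fresh content key per message
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes);          // provider generates a random IV
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, to);              // only the receiver can unwrap the content key
        return new Envelope(header, rsa.wrap(aes), gcm.getIV(), gcm.doFinal(payload));
    }

    static String open(Envelope e, PrivateKey own, PublicKey sender) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, own);
        Key aes = rsa.unwrap(e.wrappedKey(), "AES", Cipher.SECRET_KEY);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, e.iv()));
        byte[] payload = gcm.doFinal(e.sealedBody()); // throws if the ciphertext was altered
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(sender);
        verifier.update(payload, SIG_LEN, payload.length - SIG_LEN);
        if (!verifier.verify(payload, 0, SIG_LEN)) throw new SignatureException("body not signed by sender");
        return new String(payload, SIG_LEN, payload.length - SIG_LEN, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair s = kpg.generateKeyPair(), r = kpg.generateKeyPair(); // constructed demo keys
        Envelope env = protect("route=billing", "<card>constructed sample</card>", s.getPrivate(), r.getPublic());
        System.out.println("intermediary sees: " + env.header() + " + " + env.sealedBody().length + " opaque bytes");
        System.out.println("receiver recovers: " + open(env, r.getPrivate(), s.getPublic()));
    }
}
```

The signature travels inside the encrypted payload, so an intermediate node holding the sender's public key cannot use it to test guesses about the body.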

The advantages of message-layer security include the following:

  • Security stays with the message over all hops and after the message arrives at its destination.

  • Security can be selectively applied to different portions of a message (and to attachments if using XWSS).

  • Message security can be used with intermediaries over multiple hops.

  • Message security is independent of the application environment or transport protocol.

The disadvantage of using message-layer security is that it is relatively complex and adds some overhead to processing.

The Application Server supports message security. It uses Web Services Security (WSS) to secure messages. Because this message security is specific to the Application Server and not a part of the Java EE platform, this tutorial does not discuss using WSS to secure messages.


Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

