"The book is of enormous consequence and potential value. The Java(TM) 2 Platform Security represents an advance of major proportions, and the information in this book is captured nowhere else." --Peter G. Neumann, Principal Scientist, SRI International Computer Science Lab, author of Computer-Related Risks, and Moderator of the Risks Forum
"Profound! There are a large number of security pearls. I enjoyed and was very impressed by both the depth and breadth of the book." --Stephen Northcutt, Director of Research for Intrusion Detection and Response, SANS Institute
Inside the Java(TM) 2 Platform Security is the definitive and comprehensive guide to the Java security platform. Written by the Chief Java Security Architect at Sun, it provides a detailed look into the central workings of the Java(TM) security architecture and describes security tools and techniques for successful implementation.
This book features detailed descriptions of the many enhancements incorporated within the security architecture that underlies the Java 2 platform. It also provides a practical guide to the deployment of Java security, and shows how to customize, extend, and refine the core security architecture. For those new to the topic, the book includes an overview of computer and network security concepts and an explanation of the basic Java security model.
You will find detailed discussions on such specific topics as:
* The original Java sandbox security model
* The new Java 2 Platform permission hierarchy
* How Java security supports the secure loading of classes
* Java 2 access control mechanisms
* Policy configuration
* Digital certificates
* Security tools, including Key Store and Jar Signer
* Secure Java programming techniques
* Ways to customize the Java security architecture with new permission types
* How to move legacy security code onto the Java(TM) 2 Platform
In addition, the book discusses techniques for preserving object security--such as signing, sealing, and guarding objects--and outlines the Java cryptography architecture. Throughout, the book points out common mistakes and contains numerous code examples demonstrating the usage of classes and methods.
With this complete and authoritative guide, you will gain a deeper understanding into how and why the Java security technology functions as it does, and will be better able to utilize its sophisticated security capabilities in the development of your applications.
Li Gong is a Distinguished Engineer and Director of Engineering, Peer-to-Peer Networking, at Sun Microsystems. He was Director, Server Products, at the Consumer and Embedded Division, and was the founding chair of OSGi's Java Expert Group, where he led the completion of OSGi's Service Gateway Specification 1.0. He received B.S. and M.S. degrees from Tsinghua University, Beijing, China, and a Ph.D. from the University of Cambridge, England. He is the author of Inside Java™ 2 Platform Security (Addison-Wesley, 1999).
Give me a lever and a fulcrum, and I can move the globe. --Archimedes
Since Java technology's inception, and especially its public debut in the spring of 1995, strong and growing interest has developed regarding the security of the Java platform, as well as new security issues raised by the deployment of Java technology. This level of attention to security is a fairly new phenomenon in computing history. Most new computing technologies tend to ignore security considerations when they emerge initially, and most are never made more secure thereafter. Attempts made to do so typically are not very successful, as it is now well known that retrofitting security is usually very difficult, if not impossible, and often causes backward compatibility problems. Thus it is extremely fortunate that when Java technology burst on the Internet scene, security was one of its primary design goals. Its initial security model, although very simplistic, served as a great starting place, an Archimedean fulcrum. The engineering talents and strong management team at JavaSoft are the lever; together they made Java's extensive security architecture a reality.
From a technology provider's point of view, security on the Java platform focuses on two aspects. The first is to provide the Java platform, primarily through the Java Development Kit, as a secure platform on which to run Java-enabled applications in a secure fashion. The second is to provide security tools and services implemented in the Java programming language that enable a wider range of security-sensitive applications, for example, in the enterprise world.
I wrote this book with many purposes in mind. First, I wanted to equip the reader with a brief but clear understanding of the overall picture of systems and network security, especially in the context of the Internet environment within which Java technology plays a central role, and how various security technologies relate to each other.
Second, I wanted to provide a comprehensive description of the current security architecture on the Java platform. This includes language features, platform APIs, security policies, and their enforcement mechanisms. Whenever appropriate, I discuss not only how a feature functions, but also why it is designed in such a way and the alternative approaches that we--the Java security development team at Sun Microsystems--examined and rejected. When demonstrating the use of a class or its methods, I use real-world code examples whenever appropriate. Some of these examples are synthesized from the JDK 1.2 code source tree.
Third, I sought to tell the reader about security deployment issues, both how an individual or an enterprise manages security and how to customize, extend, and enrich the existing security architecture. Finally, I wanted to help developers avoid programming errors by discussing a number of common mistakes and by providing tips for safe programming that can be immediately applied to ongoing projects.
How This Book Is Organized
This book is organized as follows:
* Chapter 1. A general background on computer, network, and information security
* Chapter 2. A review of the original Java security model, the sandbox
* Chapter 3. An in-depth look at the new security architecture in JDK 1.2, which is policy-driven and capable of enforcing fine-grained access controls
* Chapter 4. An explanation of how to deploy and utilize the new security features in JDK 1.2, including security policy management, digital certificates, and various security tools
* Chapter 5. A demonstration of how to customize various aspects of the security architecture, including how to move legacy security code onto the JDK 1.2 platform
* Chapter 6. A review of techniques to make objects secure and tips for safe programming
* Chapter 7. An outline of the Java cryptography architecture along with usage examples
* Chapter 8. A look ahead to future directions for Java security
This book is primarily for serious Java programmers and for security professionals who want to understand Java security issues both from a macro (architectural) point of view as well as from a micro (design and implementation) perspective. It is also suitable for nonexperts who are concerned about Internet security as a whole, as this book clears up a number of misconceptions around Java security.
Throughout this book, I assume that the reader is familiar with the fundamentals of the Java language. For those who want to learn more about that language, the book by Arnold and Gosling is a good source. This book is not a complete API specification. For such details, please refer to JDK 1.2 documentation.
Acknowledgments
It is a cliche to say that writing a book is not possible without the help of many others, but it is true. I am very grateful to Dick Neiss, my manager at JavaSoft, who encouraged me to write the book and regularly checked on my progress. Lisa Friendly, the Addison-Wesley Java series editor, helped by guiding me through the writing process while maintaining a constant but "friendly" pressure. The team at Addison-Wesley was tremendously helpful. I'd like particularly to thank Mike Hendrickson, Katherine Kwack, Marina Lang, Laura Michaels, Marty Rabinowitz, and Tracy Russ. They are always encouraging, kept faith in me, and rescued me whenever I encountered obstacles.
This book is centered around JDK 1.2 security development, a project that lasted fully two years, during which many people inside and outside of Sun Microsystems contributed in one way or another to the design, implementation, testing, and documentation of the final product. I would like to acknowledge Dirk Balfanz, Bob Blakley, Josh Bloch, David Bowen, Gilad Bracha, David Brownell, Eric Chu, David Connelly, Mary Dageforde, Drew Dean, Satya Dodda, Michal Geva, Gadi Guy, Graham Hamilton, Mimi Hills, Larry Koved, Charlie Lai, Sheng Liang, Tim Lindholm, Jan Luehe, Gary McGraw, Marianne Mueller, Tony Nadalin, Don Neal, Jeff Nisewanger, Yu-Ching Peng, Hemma Prafullchandra, Benjamin Renaud, Roger Riggs, Jim Roskind, Nakul Saraiya, Roland Schemers, Bill Shannon, Tom van Vleck, Dan Wallach, and Frank Yellin. I also appreciate the technical guidance from James Gosling and Jim Mitchell, as well as management support from Dick Neiss, Jon Kannegaard, and Alan Baratz. I have had the pleasure of chairing the Java Security Advisory Council, and I thank the external members, Ed Felten, Peter Neumann, Jerome Saltzer, Fred Schneider, and Michael Schroeder for their participation and superb insights into all matters that relate to computer security.
Isabel Cho, Lisa Friendly, Charlie Lai, Jan Luehe, Teresa Lunt, Laura Michaels, Stephen Northcutt, Peter Neumann, and a number of anonymous reviewers provided valuable comments on draft versions of this book.
G. H. Hardy once said that young men should prove theorems, while old men should write books. It is now time to prove some more theorems.
Li Gong
Los Altos, California
June 1999