Java Security
CS-328
JDK 1.0 Security Model
[Diagram; labels: Local Code, Remote Code, Java Virtual Machine, Sandbox, Local Host System Resources (File System, Sockets, Printers…)]
JDK 1.1 Security Model
[Diagram; labels: Local Code, Remote Trusted Code, Remote Untrusted Code, Java Virtual Machine, Sandbox, Full Access, Limited Access, Local Host System Resources (File System, Sockets, Printers…)]
JDK 1.2 Security Model
[Diagram; labels: All Code, Security Policy, Class Loader, Java Virtual Machine, Sandbox, Full Access, Limited Access, Local Host System Resources (File System, Sockets, Printers…)]
Java Security Attributes
• Easy to use Fine Grained Access Control
• Easy to Configure Security Policy
• Easy to Extend Access Control Structure
• Easy to Extend Security Checks to Applications
The Security Model
• The Java Security Model is made up of three primary pieces:
– The Bytecode Verifier
– The Class Loader
– The Security Manager
The Bytecode Verifier
• Once bytecodes have been loaded into the machine but before they are run:
– Opcodes are checked
– Addresses are verified to access only memory in the virtual machine
– Strict type enforcement
• Only verified code is run on the JVM
The Class Loader
• Imported classes are each run in their own namespace
• Built-in classes are all run in a single namespace
• The class loader always searches the built-in namespace for a requested class first, so as to avoid running a downloaded class with the same name.
• Built-in classes are considered to be “trusted” and are always run in preference to a downloaded class of the same name.
The Security Manager
• Each application can have an individual security policy
• Security policies are defined in external files that are accessible by the security manager
• The security manager enforces the specified security policy
• The application security is made up of two pieces:
– A system piece, found in java.home\lib\security
– An application specific piece in user.home\lib\security (or anywhere you want to put it)
Policy Files
grant [signedBy "signer_names",] [codebase "URL"] {
    permission permission_class_name "target_name"[, "action"]
        [, signedBy "signer_names"];
    ...
};
Ex.
grant signedBy "ACME Software", codebase "http://www.acme.com/" {
    permission java.io.FilePermission "c:\\autoexec.bat", "read";
    permission java.lang.RuntimePermission "queuePrintJob";
};
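As an added example, not from the slides: a minimal policy file granting a single FilePermission, and a program run under the Security Manager that shows the granted read succeed and an ungranted write be refused, alongside direct permission checks for FilePermission and PropertyPermission. The class name PolicyDemo, the file names demo.policy, allowed.txt and denied.txt, and the policy text are assumptions; it needs a JDK on which the Security Manager can still be enabled (it was deprecated in Java 17 and permanently disabled in Java 24).

```java
// PolicyDemo.java -- added example, not from the slides; the class name, file names
// and policy text are assumed. Save the policy as demo.policy, then run:
//   javac PolicyDemo.java && echo hello > allowed.txt
//   java -Djava.security.manager -Djava.security.policy=demo.policy PolicyDemo
//   grant {  // applies to all code; the slides' signedBy/codebase clauses narrow it
//       permission java.io.FilePermission "allowed.txt", "read";  // relative to the working dir
//   };
import java.io.FilePermission;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.PropertyPermission;
public class PolicyDemo {
    /** The same check the class libraries perform before a guarded operation. */
    static boolean isGranted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        if (System.getSecurityManager() == null) {
            System.out.println("no security manager installed; run with -Djava.security.manager");
            return;
        }
        // Granted by demo.policy.
        System.out.println("read allowed.txt:  " + isGranted(new FilePermission("allowed.txt", "read")));
        // Granted by neither demo.policy nor the system java.policy.
        System.out.println("write denied.txt:  " + isGranted(new FilePermission("denied.txt", "write")));
        // The system java.policy grants reads of java.version but not of user.home.
        System.out.println("read java.version: " + isGranted(new PropertyPermission("java.version", "read"))
                + ", read user.home: " + isGranted(new PropertyPermission("user.home", "read")));
        // FileReader/FileWriter make the checks above internally: the read succeeds
        // under the policy, the write is refused by the Security Manager.
        try (FileReader r = new FileReader("allowed.txt")) {
            System.out.println("first char of allowed.txt: " + (char) r.read());
        }
        try (FileWriter w = new FileWriter("denied.txt")) {
            w.write("never written");
        } catch (AccessControlException e) {
            System.out.println("write refused, missing " + e.getPermission());
        }
    }
}
```

Because -Djava.security.policy uses a single "=", demo.policy is added to the system java.policy rather than replacing it, which is why the java.version read is granted while user.home is not.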
Permissions
• java.security.AllPermission – allows the application to run with all permissions; i.e. without any security restrictions
• java.awt.AWTPermission – allows access to GUI things, like the Windows clipboard
• java.io.FilePermission – allows code access to read and write files
• java.net.NetPermission – allows code to perform certain network related operations, such as requestPasswordAuthentication
• java.util.PropertyPermission – allows code access to property values (read/write)
• java.lang.ReflectPermission – allows code to query information about classes (ex. suppressAccessChecks allows the ability to find out about public, private and protected fields and methods)
Permissions (more)
• java.lang.RuntimePermission – allows the ability for code to perform operations related to the operation of the JVM (ex. loadLibrary allows the dynamic linking to a specific library; queuePrintJob allows the queuing of a print job)
• java.security.SecurityPermission – allows code the ability to perform operations related to policy enforcement
• java.io.SerializablePermission – allows code to perform operations related to the serialization/deserialization of objects (ex. enableSubstitution allows one object to be substituted for another during serialization/deserialization).
• java.net.SocketPermission – allows code to perform operations related to establishing connections to host systems. Targets are ports or ranges of port numbers; actions are accept, connect, listen and resolve.
New in Java 1.4
• Separate packages that are now included as part of JDK
– JCE - Java Cryptography classes
– JSSE - Java Secure Sockets Extension
– JAAS - Java Authentication and Authorization Services
– Java GSS API - Java Generic Security Services API
– Java Certification Path API
JCE – Java Encryption Extensions
• JCE covers
– encryption and decryption
• symmetric bulk encryption, such as DES, RC2, and IDEA
• symmetric stream encryption, such as RC4
• asymmetric encryption, such as RSA
• password-based encryption (PBE)
– key agreement
– Message Authentication Code (MAC)
• Strong cryptography is the default
– unlimited is available (depending on export restrictions)
JSSE – Java Secure Sockets Extensions
• Provides support for communications using SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
– commonly thought of as HTTPS
• part of javax.net
• SSL (and thus HTTPS) permits encrypted traffic to be exchanged between the client and server.
– After an SSL client initiates a conversation with an SSL server, the server sends an X.509 certificate back to the client for authentication. The client then checks the validity of the certificate. Assuming the server is verified, the client generates a premaster secret key, encrypts it with the server's public key from the certificate, and sends the encrypted key back to the server. From this premaster key, the client and server generate a master key for the session. After some basic handshaking, the encrypted exchange can commence.
• The JSSE library hides these inner workings of the SSL protocol from you.
JAAS - Java Authentication and Authorization Services
• JAAS provides for the authentication of users and the authorization of tasks based upon that authentication
• Previously, anyone authenticated was subject to the same security restrictions. Now, you can control what tasks are available for a specific authenticated user
• requires modification of security policies
Java GSS-API - Java Generic Security Services API
• adds Kerberos V5 support to the Java platform.
• Kerberos originated at the Massachusetts Institute of Technology (MIT) as project Athena back in 1987.
• Essentially, a network authentication protocol.
– Defined in RFC 1510 from 1993
– biggest draw is not having to send passwords over the net.
– offers single sign-on within one domain -- if everything within the domain has been Kerberos-enabled.
– support is also provided for single sign-on across different security realms over a network.
– Used in conjunction with JAAS, once a user's identity is established, future authentication requests are no longer necessary.
Java Certification Path API
• Certification Path API provides classes for building and validating certificate chains, an important requirement of a Public Key Infrastructure (PKI).
• These certificates provide for the storage of security keys for users. By trusting the issuer of a certificate that holds the keys, and trusting the issuer of the certificate that trusts the original certificate, you establish chains of trust.
• Building and validating certification paths is an important part of many standard security protocols, such as SSL/TLS, Secure/MIME (S/MIME), and IP Security (IPsec).