Security Facilities in Java
Java was designed with security in mind from its first implementation. The reason behind this was the potential insecurities that were introduced by applets. However, the designers of the language, having targeted Java at the Internet, realised that much stronger facilities than those associated with applets were needed in the language. As a consequence some of the earliest APIs that were released were concerned with security.
The Java security model
Before looking at the facilities found in the main Java security API, it is worth outlining the security facilities of the language itself. Java is based on a sandbox model of security, where the sandbox is a restricted environment in which the program resides. A Java program running on a computer can access a number of resources associated with that computer: memory, files, the CPU and any other computer connected to it. The sandbox model of security builds into Java a set of facilities which monitor access to these resources. Which resources can be accessed is determined by a security policy, which can range from the least restrictive (access anything) to the most restrictive (access only to CPU, keyboard, mouse and memory).
In Java there are two types of programs: applets, which are programs downloaded from a Web server, and applications, which are normal programs. Applets are potentially hugely damaging to a computer system as they could, in theory, carry out dangerous acts such as deleting files. When Java was announced, its opponents often referred to it as the best way of creating viruses that had been developed.
Applets have a very restrictive security policy in that any action which could cause damage to the client computer or the user is disallowed; for example, they cannot delete a file or read the contents of a file on the client. Applications are more flexible in that, from Java 1.2, it is possible to run an application within a sandbox whose security policy has been specified by a system administrator or even the user.
The Java Cryptography Extension
Many of the current Java security facilities are embedded in a collection of classes known as the Java Cryptography Extension (JCE). This section looks at some of the facilities and provides you with enough knowledge of the facilities of the API for you to carry out a programming exercise.
The JCE contains a number of facilities for the implementation of the technologies detailed in the previous sections. They include:
- Coding messages using a number of popular encryption algorithms such as DES.
- Producing message digests from a series of bytes.
- Generating digital signatures using the facilities for message digests.
- Generating keys for a wide variety of cryptographic algorithms.
- Managing a database of keys.
- Processing security certificates.
Many of the methods within the JCE process streams of data or arrays of data and transform them into some encrypted entity by means of a number of engines.
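The engine pattern described above, as an added example that is not code from the original page: each facility is obtained with `getInstance`, fed bytes, and asked for a result. The algorithm choices (SHA-256, RSA, and AES-GCM in place of the DES named in the list, whose 56-bit key is too short for current use), the class name `JceEnginesDemo` and the sample message are assumptions made for the illustration; the classes come from the standard `java.security` and `javax.crypto` packages.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class JceEnginesDemo { // hypothetical class name
    public static void main(String[] args) throws GeneralSecurityException {
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Message digest engine: data can be supplied in pieces, as with a stream.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(message, 0, 11);
        md.update(message, 11, message.length - 11);
        System.out.println("digest length in bytes: " + md.digest().length);

        // Key generation engine feeding a signature engine.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        // Verification succeeds on the original bytes and fails after one bit flips.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update(message);
        System.out.println("signature valid: " + verifier.verify(sig));
        byte[] tampered = message.clone();
        tampered[0] ^= 1;
        verifier.update(tampered); // verify() reset the engine to its initVerify state
        System.out.println("tampered message valid: " + verifier.verify(sig));

        // Cipher engine: authenticated encryption with a fresh random 12-byte IV.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal(message);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        System.out.println("round trip ok: " + Arrays.equals(message, dec.doFinal(ct)));
    }
}
```

A GCM IV must never be reused with the same key, which is why the example draws a new one from `SecureRandom` for the encryption.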