Monday, October 3, 2011

Java EE 5 Security

Enterprise Java provides abstracted security APIs and concepts that sit on a robust security foundation defined in the Java Language Specification and implemented by Java Virtual Machines:

Automatic Memory Management

Secure Class Loading

Strong Typing

Bytecode Verification

At the time the security design was unprecedented; nothing came close to the security model of an interoperable platform. However, with the advent of Java Applets and sandboxing, clunky jar signing processes and key stores, users and system designers shied away.

Java EE 5 continues to build and extend a robust security platform for its EJB and Web containers – the simplified API offers isCallerInRole and isUserInRole respectively. Unfortunately, not all real security threats can be handled from within the container.
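As an added illustration (not code from the original post), the sketch below shows the two calls side by side: isCallerInRole inside an EJB 3.0 session bean and isUserInRole inside a servlet. The class names, the role names "teller" and "manager" and the limit are assumptions, and authentication and role mapping are assumed to be configured in the deployment descriptors.

```java
// Added illustration, not from the original post. Role names, class names and the
// limit are assumptions. In a project each type is public and in its own file.
import java.io.IOException;
import java.math.BigDecimal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.*;
import javax.servlet.http.*;

// Application exceptions reach the caller unchanged, so the web tier can map them.
@ApplicationException(rollback = true) class LimitExceededException extends RuntimeException {}
@Local interface Transfers { void transfer(String from, String to, BigDecimal amount); }

@Stateless
class TransfersBean implements Transfers {
    private static final BigDecimal TELLER_LIMIT = new BigDecimal("10000"); // constructed value
    @Resource private SessionContext ctx;

    // Declarative check: the container rejects callers holding neither role.
    @RolesAllowed({"teller", "manager"})
    public void transfer(String from, String to, BigDecimal amount) {
        // Programmatic check: the rule depends on an argument, which an annotation cannot express.
        if (amount.compareTo(TELLER_LIMIT) > 0 && !ctx.isCallerInRole("manager")) {
            throw new LimitExceededException();
        }
        // ... move the funds on behalf of ctx.getCallerPrincipal() ...
    }
}

class TransferServlet extends HttpServlet {
    @EJB private Transfers transfers;

    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Web-tier check; the EJB tier still enforces its own rules for every caller.
        if (!req.isUserInRole("teller") && !req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        BigDecimal amount;
        try {
            amount = new BigDecimal(req.getParameter("amount"));
        } catch (RuntimeException e) { // missing (NullPointerException) or malformed number
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            transfers.transfer(req.getParameter("from"), req.getParameter("to"), amount);
        } catch (LimitExceededException e) { // teller attempted an amount above the limit
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```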

Denial of Service attacks require man-in-the-middle and session hijacking to be addressed, typically outside the container – at the network layer. Additionally, nothing can be done to prevent social engineering. That’s a human-only vector.