Wednesday, October 19, 2011

Java SE Security APIs and Frameworks


Java SE has a deep foundation for security – there are a variety of APIs and frameworks that plug on top of various security impls.

  1. JAAS: Java Authentication and Authorization Services
  2. GSS: Generic Security Services. Think Tokens.
  3. JCE: Java Cryptography Extension. Keys and Ciphers.
  4. JSSE: Java Secure Sockets Extensions. SSL and TLS.
  5. SASL: Simple Authentication and Security Layer. Layer between Client and Server – describes the how. RFC 2222


TLS (SSL) is a point-to-point, transient only solution which provides no context, discrimination to content. Authentication, confidentiality and integrity is provided.
MLS (Message Layer Security) is an end-to-end security because it stays encrypted at rest and in motion. It is encrypted by the sender and can only be decrypted by the intended recipient. It does not depend on the transport layer.

Realm is the complete database of users and group, a user is an individual, a group is a collection of individuals, each group or individual can be assigned a key to the locks (aka role). In Java EE you can specify whether to propagate a client identity to the bean container or specify a run as. There is no choice either way but to trust the identify – as there is not authentication data propagated just the identity.

The EJB interoperability protocol is based on IIOP/GIOP 1.2 and CSIv2 (Common Secure Interoperability protocol).