Our Essential Java Security class will teach you how to ensure your Java applications are developed with the most advanced security measures available in Java today. The class begins by discussing threats and mitigation techniques, including conventional and public key cryptography, and the most popular authentication protocols, including SSL. Fundamental Java security concepts are covered, including principals, authorities, access control, and more.
You will learn the basis of Java security, class loaders, the Security Manager and the Access Controller. Security features of HTTP and Servlets are covered, as well as techniques for securing Web services. Full coverage of JAAS is provided, including using JAAS to provide authentication, illustrate authentication modules, and interacting with JAAS to provide single sign-on of users. The course also covers JAAS authorization and examines how it extends the original policy file based authorization mechanism. Secure coding techniques to avoid common security bugs such as buffer overflows.
Audience:
This course is designed for Java programmers who need to build secure applications. It has also proved helpful for system administrators and security officers who need a clear understanding of how security works within Java.
Objectives
- Learn the role of Java Authentication Authorization
Services (JAAS)
- Depict the usage of JAAS Authentication
- Depict the role of JAAS Authorization
- Illustrate the use of Policy Files
- Discuss the functions of the J2EE Security
Manager
- Demonstrate the capabilities of the Access
Controller
- JCA: Public Key Cryptography, Hashing and
Signatures
- JCE: Symmetric Encryption
- Discuss Threats and Mitigation Techniques
- Illustrate Digital Certificates and their
use with security
- Demonstrate the techniques for securing Web
Services
- SSL integration between Web and application
servers
- Illustrate the role of LDAP directories
- Discuss the role of SSL and its configuration
- HTTP Authentication and Authorization
- Servlets and Role Based Security
Prerequisites
Each student should have a basic understanding of the Java programming language.
Course duration
4 days
Course outline
IT
Security Status
- Security myths
- Application and Network flaws
- Impact of Web 2.0
- Security wheel
- Security patterns
- Template
- Categorizations
- Relationships
- Known risks
- Interceptor Gateway
- Message Interceptor
- Assertion Builder
- Audit Interceptor
- Best practices
Java Security Basics
- Core Java technology
- JVM Security
- Java language security
- Platform security
- Security models
- Permissions
- Java Policy files
- Security Manager
- Codebase
- Bytecode Verifier
- Class Loaders
- Java Web Start
- J2ME Security
- Key and Certificate Management
- Keystores
- Policy Tool
- JarSigner
- Keytool
- Public and Private Keys
- Exporting and Importing Certificates
- Signing Requests
- Securing Java source code
Java
Security Manager
- Security Goals
- Solution concepts
- Using UIDs
- Access Control Lists
- Language security
- Java Security mechanism
- Sandbox
- Trusted code
- Fine grained control
- Create Security policy
- Installation
- Stack inspection
- Beyond JVM Security
Using
Secure Socket Layers
- SSL Overview
- SSL Architecture
- Components
- Sessions and Connections
- State changes
- SSL Records
- Protocol processing
- Header
- MAC address
- Encryption
- Alert protocol
- Handshakes
- Key exchange methods
- Server certificate and key exchange
- Client authentication
- Cryptographic computations
- Analyzing SSL records
- Traffic analysis
- Confidentiality
- Authentication
- Cipher attacks
- Key exchange algorithm
Digital
Certificates
- Introduction
- Certificate Authorities
- X.509 Certificates
- Architecture
- Types
- Retrieval
- Distribution
- X.509 Certificate format
- Revocation
- Revocation lists
- Distribution
- Pre-existing Certificates
- Use with SSLs
Java
EE Security
- Relevant standards
- Role and use of annotations
- Defining JAAS
- Authentication vs. Authorization
- Role of Subject
- Defining Principal
- Pluggable Authentication modules
- Creating LoginContext
- LoginModule chaining
- Principal-based authorization
- Codesource vs. ProtectionDomain
- Using AccessController
- Security Policies and Infrastructure
- EJB Security
- Security context
- Use of role names
- Annotations
- Deployment descriptor elements
- Method permissions
- Propogation
- Programmatic vs. Declarative
- Web tier security
Encryption
using javax.crypto
- Cryptography Concepts
- Encryption Keys
- Cipher Algorithms
- Modes and Padding Schemes
- The Cipher Class
- Encrypting and Decrypting Data
- Cipher Output Stream
- Cipher Input Stream
- Encryption using Password Ciphers
- Exchanging Encrypted Keys
- Sealed Objects
Encryption
Methods
- Cryptography techniques
- Symmetric
- Asymmetric
- Combinations
- Standards
- DES
- AES
- Diffie-Hellman
- RSA
- Public vs. Private Keys
- Signing and Padding
- Hashing
- Digital signatures
- Usage
- Role of key
- Methodology
- Use of JCE
- Encryption Keys
- Performance considerations
Java
Authentication and Authorization services
- Authentication and Authorization
- JAAS Overview
- LoginContext
- Subjects, Principals, and PrivilegedActions
- Authentication with the NTLoginModule
- Defining Permissions in Policy Files
- KeyStoreLoginModule
- Callbacks
- NameCallback and PasswordCallback
- The Policy Class
Using
Java EE Security
- Authentication
- Authorization
- Security Layers
- Features
- Topology
- Protocols
- SSL
- Application Server Management
- LTPA
- SSO
- Identity Assertion
- Declarative Security
- Security Roles
- Run-As Delegation
- Securing resources
- Creating Constraints
- Authentication types
- Form
- Digital
- Basic
- Certificate
- Trust Association
- Custom Trust Assocation Interceptors
