Java's most striking claim is that it provides a secure programming environment. However, despite lots of discussion, few people understand precisely what Java's claims mean and how it backs up those claims. Java Security is an in-depth exploration aimed at developers, network administrators, and anyone who needs to work with or understand Java's security mechanisms. It discusses in detail what security does and doesn't mean, what Java's default security policies are, and how to create and implement your own policies.In doing so, Java Security provides detailed coverage of security managers, class loaders, the access controller, and much of the java.security package. It discusses message digests, certificates, and digital signatures, showing you how to use Java's facilities for signing classes or to implement your own signature facility. It shows you how to write a class loader that recognizes signed classes, verifies the signature, and cooperates with a security manager to grant additional privileges. It also discusses the problem of managing cryptographic keys and shows you how to implement your own key management systems.Java Security is an essential book for everyone using Java in real-world software. If you're deploying software written in Java, you need to know how to grant your classes the privileges they need, without granting privileges to untrusted classes. You need to know how to protect your systems against intrusion and corruption. Java provides the tools; this book shows you how to use them.
The second edition of
Java Security is intended to help you build and deploy secure Java programs on private and public networks. It covers Java 1.1, Java 2, JCE 1.2.1, JSSE and JAAS (the last two absent from the first edition) and combines coverage of the core Java security features with the three optional security APIs. They will be combined in the next Java release--so you're ahead of the curve.
Security has different meanings depending on context. Java's core sandbox security model was originally intended to defeat viruses and trojans. Authentication, encryption and other security models were added to provide different kinds of security. The authors explain how Java components work so they can show how they might be subverted. Without knowing what the risks are you can't apply effective security measures.
The Java security features examined include class loaders, cryptography, certificates, key management, signatures, SSL, authentication and permissions. The authors explain where and how particular security features are best implemented and explain their limitations in the real world. For example, many people routinely grant signed Java applets permission to read and write files on their system believing a signed certificate somehow makes the application safe. In practice, as anyone can create and sign a Java applet or application it proves nothing of the kind and can still be setting you up for a fall.
Java security is non-trivial. Security is an arms race in which the two sides constantly leapfrog each other. Java Security is well written with many examples but it's a fairly technical read. If you're serious about Java application development, however, you need to read it. Because you can be sure the bad guys will. --Steve Patient
