Java application security is facilitated by Java's extensive built-in security features. In Part 1, I examined security within the Java Runtime Environment, Java security management tools and Java

applet security. In Part 2, I'll review Java Web Start security and the Java Extensible Security Architecture and APIs.

Java Web Start Security
Java Web Start (JWS) is a full-fledged Java application that provides mechanisms for application distribution through a Web server and facilitates Java rich-client access to applications over a network. The underlying technology of JWS is the Java Network Launch protocol (JNLP), which provides a standard way for packaging and provisioning the Java programs (as JAR files) and then launching Java programs over a network. The JNLP-packaged applications are typically started from a Web browser that launches the client-side JWS software, which downloads, caches and then executes the application locally.

Typical to a stand-alone Java application, JWS applications run outside a Web browser using the sandbox features of the underlying Java platform. JWS also allows definition of security attributes for client-side Java applications and their access to local resources, such as file system access, making network connections, and so on. These security attributes are specified using XML tags in the JNLP descriptor file. The JNLP descriptor defines the application access privileges to the local and network resources.

In addition, JWS allows the use of digital signatures for signing JAR files in order to verify the application origin and its integrity so that it can be trusted before it is downloaded to a client machine. The certificate used to sign the JAR files is verified using the trusted certificates in the client Java keystore. This helps users avoid starting malicious applications and inadvertent downloads without knowing the originating source of the application.

Java Extensible Security Architecture and APIs
In addition to the runtime security architecture, the Java platform provides an extensible security API architectural model to support a variety of security infrastructures and services, including cryptographic services; certificate interfaces and classes for managing digital certificates; Public Key Infrastructure (PKI) interfaces and classes to access, modify and manage the key repository; certificates and secure socket communication to protect the privacy and integrity of data transited over the network; services for authentication and access control; and mechanisms for single sign-on (SSO) access to underlying applications.

The Java platform facilitates an extensible security architectural model via standards-based security API technologies that provide platform independence and allow interoperability among vendor implementations. It adds on a variety of security features to the core Java platform by integrating technologies to support cryptography, certificate management, authentication and authorization, secure communication, and other custom security mechanisms. The following illustrates the Java extensible security architecture and its core API mechanisms.

Java Platform Extensible Security Architecture and Elements

As part of the J2SE bundle, the Java extensible security architecture provides the following set of API frameworks, which contributes to the end-to-end of Java application security:

• Java Cryptography Architecture (JCA): The JCA provides basic cryptographic services and algorithms, which include support for digital signatures and message digests. The JCA facilitates support for various cryptographic algorithms by defining the types and functionalities of cryptographic services. The cryptographic services include support for message digests and digital signatures. The JCA also ensures interoperability among the provider implementations using a standardized set of APIs, which implements those required cryptographic algorithms and services. For example, using the same algorithms, a key generated by one provider can be used by another provider; likewise, a digital signature generated by one provider can be verified using another provider.
• Java Cryptographic Extension (JCE): The Java Cryptography Extension augments the JCA functionalities with added cryptographic services that were subjected to U.S. export control regulations and includes support for encryption and decryption algorithms. JCE facilitates the Java platform with cryptographic services and algorithms by providing implementations and interfaces support for cryptographic ciphers used for encryption and decryption, Password-based encryption, secret key generation used for symmetric algorithms, key agreement for encrypted communication among multiple parties, MAC algorithms to validate information transmitted between parties and support for PKCS#11 (Cryptographic Token Interface Standard), which allows devices to store cryptographic information and perform cryptographic services.
• Java Certification Path API (Java CertPath): The Java CertPath lets you check, verify and validate the authenticity of certificate chains. The Java CertPath APIs offers API-based mechanisms for parsing and managing certificates, certificate revocation lists (CRLs) and certification paths (also referred to as certificate chains). The API implementations can be plugged into any J2SE environment because the same JCA provider interfaces are used. The API includes algorithm-specific classes for building and validating X.509 certification paths according to IETF-defined PKIX standards.
• Java Secure Socket Extension (JSSE): The JSSE facilitates secure communication by protecting the integrity and confidentiality of data exchanged using SSL/TLS protocols. JSSE enables end-to-end communication security for Java applications by providing a standardized API framework and mechanisms for client/server communications. JSSE provides support for SSL and TLS protocols and includes functionalities related to data encryption, message integrity and peer authentication. With JSSE, it is possible to develop client and server applications that use secure transport protocols, which include support for Secure HTTP (HTTP over SSL, aka HTTPS), Secure Shell (Telnet over SSL), Secure SMTP (SMTP over SSL) IPSEC (Secure IP), Secure RMI or RMI/IIOP and other standards-based security protocols.

Java security resources Demystifying Java security -- Part 1 Learning Guide: Developing secure enterprise Java applications  Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management -- Chapter 8  Professional Java Development with the Spring Framework -- Chapter 10: Acegi Security System for Spring  Beginning Cryptography with Java -- Chapter 2, Symmetric Key Cryptography

• Java Authentication and Authorization Service (JAAS): JAAS provides the mechanisms to verify the identity of a user or a device to determine its accuracy and trustworthiness and then provide access rights and privileges depending on the requesting identity. It facilitates to adopt pluggable authentication mechanisms and user-based authorization.
  
  JAAS provides Java API mechanisms and services for enabling authentication and authorization in Java-based application solutions. JAAS is the Java implementation of the Pluggable Authentication Module (PAM) framework originally developed for Sun's Solaris operating system. PAM enables the plugging in of authentication mechanisms, which allows applications to remain independent of the underlying authentication technologies. Using a PAM-based approach, JAAS Authentication modules allow integrating authentication technologies such as Kerberos, RSA, smart cards and biometric authentication systems.
• Java Generic Secure Services (JGSS): JGSS provide the Java bindings for the GSS-API, which helps developing applications using Java-based GSS APIs to support a variety of authentication mechanisms, such as Kerberos-based authentication, and it facilitates single sign-on.
• Java Simple Authentication and Security Layer (Java SASL): The Java SASL defines Java API mechanisms for authentication and optional establishment of a security layer between client and server applications. SASL is used by protocols such as the Lightweight Directory Access Protocol, version 3 (LDAP v3) and the Internet Message Access Protocol, version 4 (IMAP v4) to enable pluggable authentication.
  
  Java SASL provides an authentication mechanism-neutral solution so the application that uses the API need not be hardwired to use any particular SASL mechanism. The API facilitates both client and server applications. It allows applications to select the mechanism based on desired security features such as whether they are susceptible to passive dictionary attacks or whether they accept anonymous authentication. The Java SASL API supports developers creating their own custom SASL mechanisms. SASL mechanisms are installed by using the JCA.

-------------------------------------
About the author: Ramesh Nagappan, CISSP, is a Java Technology Architect at Sun Microsystems who specializes in Java distributed computing architectures for mission-critical enterprise applications, Identity assurance and Access Management. Ramesh is the co-author of Core Security Patterns and also three other books on topics related to J2EE, EAI and Web Services. He frequently speaks at industry conferences related to Java, XML and Security. His current technology focus is on Web services security, identity assurance and strong authentication technologies using PKI, smart cards and biometrics.