Java and Security
WebLogic provides a comprehensive suite of security services that can be used to protect all aspects of a domain and its deployments. These security services affect all aspects of your domain: from the lowest level provided by the Jav
Let's begin at the JVM level. Here, the Java Security Manager uses a security policy file to restrict access to specific runtime operations. This ensures that programs running on the JVM, including WebLogic Server itself, can access protected resources in permitted ways only. For instance, you can configure the Java Security Manager so that all Java threads have write-access only to specific directories in the filesystem. WebLogic enhances the Security Manager by allowing you to define additional security policies for resource adapters and EJBs, thereby ensuring that these components have access to defined resources only. There are also other global, higher-level security permissions that apply to these resources and application code.
WebLogic can filter connection requests from clients. A connection filter defines rules that determine on what basis the server accepts or denies client connections. These rules are based on several parameters: typically, the client's IP address and port; the protocol used to establish the connection; and the server's listen address and port. You can assign multiple connection filters to a server, or even write your own connection filter class that implements custom filtering logic. Using connection filters, you can easily ensure that the server accepts only T3 connections from within your intranet, for example. SSL security is another mechanism available at the socket level, which we encountered in Chapter 16. SSL protects network communication through its support for data integrity, confidentiality, and authentication.
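As an added example (not code from the page or from WebLogic itself), here is a custom connection filter class of the kind described above: it accepts t3 and t3s connections only from the intranet range 10.0.0.0/8 and rejects everything else, logging each rejection so that connection attempts from outside the intranet show up in the server log. The network range and protocol list are constructed for the example. The `weblogic.security.net` class and method names (`ConnectionFilter.accept`, `ConnectionEvent` getters, `FilterException`) are assumptions from memory of the WebLogic SSPI and should be verified against your release's javadoc before use; the decision logic itself is plain Java and independent of that API.

```java
// Added example, not WebLogic's own code. Assumed API: weblogic.security.net.
import java.net.InetAddress;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import weblogic.security.net.ConnectionEvent;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

public class IntranetT3Filter implements ConnectionFilter {

    // Constructed values for the example: the intranet 10.0.0.0/8 and the protocols accepted.
    private static final byte[] INTRANET_NET  = {10, 0, 0, 0};
    private static final byte[] INTRANET_MASK = {(byte) 255, 0, 0, 0};
    private static final Set ALLOWED_PROTOCOLS =
            new HashSet(Arrays.asList(new String[] {"t3", "t3s"}));

    /** True when every address bit selected by the mask matches the network. */
    static boolean inNetwork(byte[] addr, byte[] net, byte[] mask) {
        if (addr.length != net.length) {
            return false;   // e.g. an IPv6 client checked against an IPv4 rule: not in range
        }
        for (int i = 0; i < addr.length; i++) {
            if ((addr[i] & mask[i]) != (net[i] & mask[i])) {
                return false;
            }
        }
        return true;
    }

    /** Pure decision function: true if a connection with this source and protocol is acceptable. */
    static boolean permits(InetAddress remote, String protocol) {
        return protocol != null
            && ALLOWED_PROTOCOLS.contains(protocol.toLowerCase())
            && inNetwork(remote.getAddress(), INTRANET_NET, INTRANET_MASK);
    }

    /** Called by the server for each new connection; throwing FilterException rejects it. */
    public void accept(ConnectionEvent evt) throws FilterException {
        InetAddress remote = evt.getRemoteAddress();
        String protocol = evt.getProtocol();
        if (!permits(remote, protocol)) {
            // Record the rejection: source, protocol and the listen address it targeted.
            System.err.println("connection denied: " + remote.getHostAddress()
                + ":" + evt.getRemotePort() + " protocol=" + protocol
                + " -> " + evt.getLocalAddress().getHostAddress()
                + ":" + evt.getLocalPort());
            throw new FilterException("connection not permitted by IntranetT3Filter");
        }
    }
}
```

The filter is deliberately default-deny: anything that is not explicitly an allowed protocol from an allowed range is rejected, including a null protocol or an address family the rule does not cover. Keeping the decision in the static `permits` method makes the policy unit-testable without a running server.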
WebLogic provides partial support for standard JAAS. The JAAS framework is a standard extension to J2SE v1.3 and is now part of the J2SE v1.4 platform. Authentication enables the server to verify the identity of the user who is running the Java code, whether it is an applet, servlet, EJB, or application. Authorization is the server's ability to enforce access control based on the user's identity, security privileges, and policies. WebLogic allows Java clients to use JAAS authentication, and login modules are implemented using JAAS. If you need to use JAAS authorization, you will have to code your own schema above WebLogic's infrastructure.
WebLogic's security infrastructure is founded on a set of modular, extensible security service provider interfaces (SSPIs). This architecture allows you to plug in new security providers, swap out old ones, and run WebLogic's default providers alongside your own. Your WebLogic distribution is equipped with a set of security providers that provide the default implementations for the SSPIs. WebLogic's security providers implement the underlying security framework for your J2EE applications. That is, the standard J2EE-defined security mechanisms are implemented (and extended) through the SSPIs. Often, WebLogic's security providers will refine the existing security constraints. For instance, the standard ejb-jar.xml deployment descriptor allows you to restrict access to an EJB method to authenticated users in a specific role. WebLogic allows you to refine this constraint by ensuring that the user has access only during certain times of the day. In fact, the SSPIs are an open architecture, and you can easily plug in a third-party security provider from a security vendor. Alternatively, you can build new security services by implementing your own security providers.
WebLogic's default security providers are quite versatile. A security realm is a logical grouping of users, groups, roles, and security policies, along with the complete set of security providers. Security policies assigned to server resources can be used to determine who is authorized to access the resource. WebLogic lets you protect a whole range of resources: individual EJB methods, a web application, a collection of web pages, connection pools, data sources, or any administered object. You can even protect a branch within the JNDI tree, thereby preventing unauthorized clients from looking up objects in the JNDI tree. All this security data is stored in an embedded LDAP server. WebLogic can also be configured to use an external LDAP repository, such as Open LDAP, Active Directory, or Novell NDS. These external repositories can be used for authentication only, not authorization.
Finally, WebLogic allows you to set up a trust mechanism between two domains. This ensures that authenticated users from one domain can then access resources in another domain.
This chapter examines all of these security mechanisms. Although they are all quite different from each other, they complement each other quite well. We begin with a look at the Java Security Manager and how WebLogic is able to filter connection requests. We then examine WebLogic's authentication and authorization framework and learn how it supports the standard J2EE security services. We also cover the various security providers available within a security realm and their default implementations. Finally, we end with a look at how to authenticate using JAAS, and examples of Authentication and Identity Assertion providers.
The Java Security Manager
At the JVM level, WebLogic can use the standard Java Security Manager to prevent untrusted code from performing unwanted actions. Using a security policy file, you can configure the JVM so that all threads running on the JVM have restricted access to sensitive runtime operations. The security policy file encapsulates a set of permissions that are granted to (or revoked from) all classes loaded within the current instance of the JVM. You can define a whole range of security permissions to control access to particular resources—e.g., "write" access to certain folders on the filesystem, "connect" access to a particular host and range of ports, "read" access to environment variables, "get" access to the current class loader, and more. Refer to your JDK documentation for more information on the Security Manager and security policy files.
Java's Security Manager ensures that any code running within WebLogic accesses these critical resources only in the permitted ways.
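As an added example (not code from the page or from WebLogic), the following program exercises a security policy file of the kind described above. The JVM is started with the Security Manager and a replacement policy that grants write access below one directory only, outbound connections to one host and port range only, read access to two system properties and one environment variable, and access to the class loader; the `granted` method then reports whether the installed policy permits each operation for this code. The policy path, directory names, host name and environment variable name are constructed for the example and the file paths assume a Unix filesystem. One caveat: the Security Manager was deprecated for removal in JDK 17 and is disabled in JDK 24, so the program runs on JDK 8 through 23 (with a deprecation warning from 17 on).

```java
// Added example, not the page's or WebLogic's code.
// Start it with the Security Manager installed and the policy below replacing
// (note the double '==') rather than extending the JDK's default policy:
//   java -Djava.security.manager -Djava.security.policy==/tmp/restrict.policy PolicyCheck
//
// /tmp/restrict.policy (assumed path, contents constructed for this example):
//   grant {
//     // write-access only below ${user.dir}/logs; read anywhere below ${user.dir}
//     permission java.io.FilePermission "${user.dir}${/}logs${/}-", "read,write";
//     permission java.io.FilePermission "${user.dir}${/}-", "read";
//     // outbound connections only to one database host on one port range
//     permission java.net.SocketPermission "db.internal.example:1521-1530", "connect,resolve";
//     // the two system properties and the one environment variable this code may read
//     permission java.util.PropertyPermission "user.dir", "read";
//     permission java.util.PropertyPermission "java.version", "read";
//     permission java.lang.RuntimePermission "getenv.APP_ENV";
//     // permit looking up the current class loader
//     permission java.lang.RuntimePermission "getClassLoader";
//   };
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.PropertyPermission;

public class PolicyCheck {

    /** True when the installed policy grants the permission to the calling code. */
    static boolean granted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    static void report(String what, Permission p) {
        System.out.println((granted(p) ? "ALLOWED  " : "DENIED   ") + what);
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.err.println("No Security Manager installed; start with -Djava.security.manager");
            return;
        }
        // Reading user.dir itself needs PropertyPermission "user.dir","read" from the policy.
        String base = System.getProperty("user.dir");

        // Filesystem: only the logs directory is writable, the rest of user.dir is read-only.
        report("write " + base + "/logs/app.log",
               new FilePermission(base + "/logs/app.log", "write"));
        report("write " + base + "/config/app.xml",
               new FilePermission(base + "/config/app.xml", "write"));
        report("read  " + base + "/config/app.xml",
               new FilePermission(base + "/config/app.xml", "read"));
        report("write /etc/passwd", new FilePermission("/etc/passwd", "write"));

        // Network: the database host is reachable on its port range and nowhere else.
        report("connect db.internal.example:1521",
               new SocketPermission("db.internal.example:1521", "connect"));
        report("connect db.internal.example:443",
               new SocketPermission("db.internal.example:443", "connect"));

        // Properties and environment: only the named entries are readable.
        report("read property java.version", new PropertyPermission("java.version", "read"));
        report("read property user.home", new PropertyPermission("user.home", "read"));
        report("read env APP_ENV", new RuntimePermission("getenv.APP_ENV"));
        report("read env PATH", new RuntimePermission("getenv.PATH"));

        // Runtime: class loader lookup is granted; replacing the Security Manager is not.
        report("get class loader", new RuntimePermission("getClassLoader"));
        report("set security manager", new RuntimePermission("setSecurityManager"));
    }
}
```

Two details matter in practice. First, `java.security.policy==` (two equals signs) replaces the JDK's default policy, whereas a single `=` adds to it, so a policy that looks restrictive can silently inherit the default grants if the wrong form is used. Second, `checkPermission` inspects every frame on the call stack, so a permission must be granted to all code on the path, which is why WebLogic ships its own policy file granting the server classes what they need while application code can be held to a narrower set.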
Java and Security, Part 2
The Providers
Now we'll take a closer look at the different SSPIs that constitute a security realm. We'll learn about WebLogic's default implementation of these security providers and how to configure them. The default implementat