Security is one of the most important parts of application development. The Java language makes it easy to develop secure applications by providing many options and features that make applications secure. Because it is a big topic, this article shall a touch upon a few key aspects of the security features and APIs available in the Java platform.
The Java platform, from the ground up, is built keeping security in mind. The type safe property of the language and automatic garbage collection states that the Java architecture tried to imbibe security features right from its core.
In recent years, security has been a major focus. For example, modern browsers are working to restrict or reduce plug-in support such as Java, Silverlight, and Flash because they can be misused to incorporate mischievous code in a harmless-looking add-on. Although the Java environment is clean, the nature of the applet is that it downloads untrusted code from the public network. This can be a major security breach. Also, the browser world has changed significantly in the last few years. The absolute need for Applet has become almost obsolete. Perhaps this and primarily the increasing security concern made Applet deprecated from Java 9.
Java Security Framework
Java Security services have expanded and include a large set of application programming interfaces (APIs), tools, a number of security algorithm implementations, mechanisms, and protocols. This provides a comprehensive environment to develop secure applications and manage them accordingly.
The span of the Java security API is extensive. The basis of developing a secure application lies in the Cryptographic and public key infrastructure (PKI) interfaces, multiple interoperable common algorithmic implementation, and other security services. There are interfaces for performing authentication and access control. This enables applications to guard against unauthorized access to protected resources.
To begin with, the language itself is built with the concern for imbibing security into its core. The simplest example is perhaps the incorporation of type safety. Type safe means that programs have restricted access to memory at runtime. This is achieved by associating memory only to Java objects. Objects have a corresponding class that defines its behavior; this ensures that the program can act upon it only according to the behavior defined. This idea resonates with dynamic type checking, but Java also incorporates complex static type checking whenever possible to succumb the limitation of its dynamic counterpart. For example, the byte code verifier is an effective static type checker employed at compile time to surface any type of error and proactively report to the developer. The bytecode verifier ensures that a legit bytecode is executed by conforming to the Java Language Specification. Apart from this, it also checks for memory violation, stack under/overflows, proper typecasts, and so forth. In addition to this, there are modifiers like private, protected, and public to assert restricted access.
The services act as a provider for security. They, when plugged into the Java platform via standard interfaces, make it easy for the application to obtain security services. The advantage of this mechanism is that the developer does not have to know about the intricate details and instead can focus on integrating the security features into the application. This idea is encapsulated within the abstract class called java.security.Provider. The security service is obtained through the getInstance() method supplied by the Provider. There can be many providers configured where each has a name and a version number configured in each runtime it is installed in. For example, a program can obtain a particular message digest algorithm by optionally requesting a specific provider by its name as follows:
MessageDigest messageDigest = MessageDigest.getInstance("MD5", "MyProvider1");
Java cryptographic APIs are distributed among two packages: java.security and javax.crypto. Java provides a large variety of cryptographic services by implementing a number of cryptographic algorithms. A few of them are as follows:
- java.security.MessageDigest: This class provides the implementation of a one-way hash function that takes arbitrary sized data and outputs a fixed length hash value. The algorithm is named SHA-1 or SHA-256.
- java.security.Signature: This class is used to provide the functionality of a digital signature algorithm such as DSA, RSA, or DSA algorithms, using the SHA-256 message digest algorithm. A digital signature is especially used to ensure the integrity and authenticity of digital data.
- java.security.SecureRandom: This class provides functionality to generate a cryptographically strong random number.
Public Key Infrastructure (PKI)
The PKI infrastructure enables the secure exchange of data using public key cryptography. It encompasses keys, certificates, public key encryption, and digital certificates. The classes related to PKI are stored in java.security and java.security.cert packages.
Authentication is the process of verifying user identity. Java enables the application to perform user authentication with the help of the pluggable module. There is a class called LoginContext in the javax.security.auth.login package. This class is instantiated with a name and a CallbackHandler. The LoginContext uses the name as an index to the configuration. The configuration determines the specific LoginModule (javax.security.auth.spi.LoginModule). The CallbackHandler is passed to the LoginModule to prompt for username and password, in a GUI, for example.
The Java platform implements SSL and TLS protocols which provide functionality for message integrity, data encryption, and client and server authentication. This can be used to pave a secure passage of data communication between peers on top of HTTP or TCP/IP protocol. The API support for the implementation can be found in the javax.net.ssl package. There many supporting classes; for example, the SSLSocket class is an extension of the java.net.Socket class to provide a secure socket using SSL/TLS protocol. This is nothing but a normal stream socket with an added layer of protection over the transport layer protocol (TCP).
The access control class protects access to sensitive resources such as local files. The java.lang.SecurityManager class mediates all access. This class allows the application to implement a security policy. Therefore, a possible unsafe operation may be restricted in the attempt, thus the application has full control over allowable operations.
This is a quick tour over Java platform security features, functionality, and APIs. Java provides comprehensive support to implement security in an application where developers can be blissfully unaware of the complexities involved in implementing them, yet reap its benefit. This leverages quick and efficient delivery of the product without being have to build everything from scratch.
- Java API Documentation
- Java Security Overview