| Section | Page |
|---|---|
| Acknowledgments | p. xiii |
| Introduction | p. xv |
| Case Study | p. xxi |
| J2EE Architecture and Technology Introduction | |
| The Java Basics: Security from the Ground Up | p. 3 |
| Java Then and Now | p. 4 |
| Java Language Architecture | p. 5 |
| The Java Virtual Machine | p. 5 |
| An Interpreted Language: Java Bytecodes | p. 6 |
| The Java Class Loader and Built-in Security | p. 6 |
| Other Language Features | p. 7 |
| Java Security Architecture | p. 7 |
| Protection Domains | p. 8 |
| Security Controls for Java Class Loading | p. 10 |
| Java Permissions | p. 12 |
| Java Security Policies | p. 13 |
| The Java Security Properties File | p. 14 |
| The Java Security Policy File | p. 15 |
| Security Manager Checking | p. 18 |
| Java Principals and Subjects | p. 19 |
| Summary | p. 20 |
| Introduction to JAAS, JCE, and JSSE | p. 21 |
| Java Authentication and Authorization Services (JAAS) | p. 22 |
| JAAS Architecture | p. 23 |
| JAAS Authentication | p. 24 |
| JAAS Authorization | p. 38 |
| Java Encryption | p. 41 |
| Encryption Fundamentals | p. 41 |
| Java Cryptography Extension (JCE) | p. 43 |
| The Keytool Utility | p. 46 |
| Java Secure Sockets Extension (JSSE) | p. 48 |
| SSL Fundamentals | p. 48 |
| Library and Certificate Installation | p. 49 |
| JSSE Demonstration Program | p. 50 |
| Securing JAR Files | p. 56 |
| The jarsigner Utility | p. 57 |
| The Sealed Directive | p. 57 |
| Summary | p. 58 |
| J2EE Architecture and Security | p. 59 |
| Middleware and Distributed Software Components | p. 60 |
| Middleware Development | p. 60 |
| Multitiered Application Development | p. 61 |
| The Multitiered Environment | p. 62 |
| J2EE Multitiered Technologies | p. 63 |
| Web Tier Components: Servlets and JSP | p. 65 |
| Servlets | p. 65 |
| JSP | p. 69 |
| JSP Use | p. 70 |
| Business Tier Components: EJBs | p. 71 |
| Services Provided by the EJB Container | p. 71 |
| Types of EJBs | p. 73 |
| EJB Deployment | p. 75 |
| Development Roles with J2EE | p. 75 |
| EJB Development | p. 78 |
| Other J2EE APIs | p. 85 |
| EJB Security Architecture | p. 87 |
| Principals and Roles | p. 87 |
| Declarative Security and Programmatic Security | p. 88 |
| System-Level Security | p. 89 |
| Security on the Presentation Tier | p. 89 |
| Security on the Business Tier | p. 92 |
| Defining Security Roles | p. 92 |
| Mapping Roles | p. 93 |
| Assigning Principals to Roles | p. 94 |
| Security for Resources | p. 95 |
| Summary | p. 97 |
| Java Application and Network Security | |
| Using Encryption and Authentication to Protect an Application | p. 101 |
| Application Security: The Process | p. 102 |
| System-level versus Application-level Security | p. 102 |
| Application Security Techniques | p. 103 |
| The Dangers of Storing Data Locally | p. 104 |
| Summary | p. 134 |
| Software Piracy and Code Licensing Schemes | p. 137 |
| The Dangers of Code Misuse | p. 138 |
| Another Licensing Strategy | p. 147 |
| Secret Key Storage | p. 148 |
| Summary | p. 156 |
| The Exposure of Bytecodes | p. 157 |
| The Dangers of Reverse-Engineering | p. 158 |
| The Dangers of Embedded Strings | p. 178 |
| Summary | p. 180 |
| Hacking Java Client-Server Applications: Another Tier to Attack | p. 181 |
| The Client-Server Implementation | p. 182 |
| The Dangers of A Client-Server Architecture | p. 183 |
| Watching the Basket: Application Database Security | p. 185 |
| Securing the Database Connection | p. 187 |
| Protecting the Client-Tier | p. 201 |
| Protecting Applet-based Clients | p. 213 |
| Protecting WebStart-based Clients | p. 227 |
| Summary | p. 233 |
| Java Network Applications: Potential Security Flaw Attacks | p. 235 |
| The Dangers of RMI | p. 236 |
| The Original RMI Application | p. 236 |
| Encrypting the Account Number and Balance | p. 245 |
| Using an SSL Connection between the Client and Server | p. 252 |
| Implementing Challenge/Response Authentication | p. 257 |
| Using an Authenticated Communications Channel | p. 260 |
| The Dangers of Loading Class and JAR Files Remotely | p. 274 |
| Summary | p. 276 |
| J2EE Security on the Web and Business Tiers | |
| This is .WAR: Exploiting Java Web Tier Components | p. 279 |
| The Sample Application: Web-Enabled | p. 281 |
| Implementing our Cache-Control Strategy | p. 315 |
| Summary | p. 319 |
| Shaking the Foundation: Web Container Strengths and Weaknesses | p. 321 |
| The Effects of Directory Listing | p. 322 |
| The Invoker Servlet | p. 324 |
| Stealing a Session | p. 328 |
| Generating a Server Key | p. 331 |
| Enabling HTTPS in Tomcat | p. 332 |
| Testing the Installation | p. 333 |
| Adding a Transport Guarantee | p. 334 |
| Client Certificate Authentication | p. 335 |
| Configuring Tomcat to use SSL with Client Authentication | p. 336 |
| Container Authentication Using a Client Certificate | p. 337 |
| Dealing with Overlapping Application Roles | p. 342 |
| Summary | p. 345 |
| Java Web Services Security | p. 347 |
| Web Services in Java | p. 348 |
| Web Services Technologies | p. 349 |
| The Web Services Developer Pack | p. 350 |
| The Web Services-Enabled Application Implementation | p. 351 |
| The Retirement Web Services Suite: Server Side | p. 352 |
| The Retirement Web Services Suite: Client Side | p. 355 |
| Web Services Application Vulnerabilities | p. 358 |
| Requiring SSL Connections | p. 361 |
| Implementing HTTP Authentication | p. 366 |
| Disabling WSDL Distribution | p. 368 |
| Enabling Programmatic Authorization | p. 370 |
| Passing Database Passwords As Context Parameters | p. 373 |
| Web Services Workflow Security | p. 374 |
| The Future of Web Services Security | p. 378 |
| SOAP Security Extensions: Digital Signature | p. 378 |
| WS-Security | p. 379 |
| Summary | p. 380 |
| Enterprise Java Beans: Security for the Business Tier | p. 381 |
| The EJB Application Implementation | p. 382 |
| The EJB Persistence Service | p. 383 |
| The Get and Set Balance Methods | p. 384 |
| The Beans | p. 385 |
| EJB Application Vulnerabilities | p. 389 |
| Common Pitfalls When Using Message-Driven Beans | p. 400 |
| The Message-Driven Bean Implementation | p. 401 |
| Summary | p. 411 |
| Index | p. 413 |
| Table of Contents provided by Syndetics. All Rights Reserved. |