Li Gong0201310007, 9780201310009
Table of contents :
How This Book Is Organized……Page 4
Acknowledgments……Page 5
Preface to the First Edition……Page 7
Acknowledgments for the First Edition……Page 8
1.1 Cryptography versus Computer Security……Page 10
1.2 Threats and Protection……Page 11
1.3 Perimeter Defense……Page 12
1.3.1 Firewalls……Page 13
1.3.2 Inadequacies of Perimeter Defense Alone……Page 14
Figure 1.3. MAC security model……Page 15
1.4.2 Access to Data and Information……Page 16
1.4.4 Considerations for Using Security Models……Page 17
1.5.1 One-Way Hash Functions……Page 18
Figure 1.4. One-way hash function……Page 19
Figure 1.5. Symmetric cipher……Page 20
Figure 1.6. Asymmetric cipher used for encryption and decryp……Page 21
Figure 1.7. Use of authentication server……Page 22
1.7 Mobile Code……Page 24
1.8 Where Java Technology–Based Security Fits In……Page 25
2.1 The Java Programming Language and Platform……Page 26
2.2 Original Basic Security Architecture……Page 27
2.3 Bytecode Verification and Type Safety……Page 28
Figure 2.1. JDK 1.1 security model……Page 30
2.5 Further Enhancements……Page 31
3.1.1 Flexible Access Control……Page 32
3.1.4 Flexible and Customizable Security Policy……Page 33
3.3 Architecture Summary……Page 34
3.4 Lessons Learned……Page 36
4.1 Class Files, Types, and Defining Class Loaders……Page 38
Figure 4.1. Subclassing Classleader……Page 39
4.3.2 Class Loader Delegation Hierarchy……Page 40
Figure 4.2. Class loading relationship……Page 41
4.4 Loading Classes……Page 42
Figure 4.3. ClassLoader searching for classes……Page 43
4.4.2 Defining the Class……Page 44
4.4.3 Other ClassLoader Methods……Page 45
4.5 SecureClassLoader Details……Page 46
4.6 URLClassLoader Details……Page 47
4.7 Class Paths……Page 48
5.1 Permissions……Page 50
Figure 5.1. Common Permission subclasses……Page 51
java.security.Permission……Page 52
java.security.BasicPermission……Page 53
java.security.UnresolvedPermission……Page 55
5.1.3 Permission Sets……Page 57
5.1.4 Implications of Permission Implications……Page 58
5.2.1 CodeSource……Page 59
5.2.2 Testing for CodeSource Equality and Using Implication……Page 61
5.3 ProtectionDomain……Page 63
5.3.1 ProtectionDomain Constructors……Page 64
5.3.2 ProtectionDomain implies Method……Page 65
5.3.3 ProtectionDomain Finer Points……Page 66
Figure 5.2. Policy matrix……Page 67
5.5 Assigning Permissions……Page 70
5.6 Dynamic Security Policy……Page 71
6.1.1 Example Use of the Security Manager……Page 73
6.1.2 SecurityManager API……Page 74
6.2 AccessControlContext……Page 75
6.3 DomainCombiner……Page 76
6.4 AccessController……Page 77
6.4.2 The Basic Access Control Algorithm……Page 78
Figure 6.1. Stack frame snapshot……Page 79
Figure 6.2. Stack frame execution context……Page 80
Figure 6.3. Method inheritance……Page 81
6.4.4 Extending the Basic Algorithm with Privileged Operatio……Page 82
6.4.5 Privileged Actions Programming Idioms……Page 84
6.4.6 The Inherited Access Control Context……Page 87
6.4.7 The Privileged Access Control Context……Page 88
6.4.8 The Full Access Control Algorithm……Page 89
6.4.9 SecurityManager versus AccessController……Page 90
6.4.10 A Brief History of Privileged Operations……Page 91
7.1 Creating New Permission Types……Page 93
7.2.1 Customizing Security Policy Enforcement……Page 97
7.2.2 Customizing Security Policy Decisions……Page 98
Bootstrapping Security Policy……Page 99
Spanning Permissions……Page 101
7.3 Customizing the Access Control Context……Page 102
8.1 Digital Certificates……Page 103
8.1.2 X.509 Certificate Versions……Page 104
8.1.3 X.509 Certificate Contents……Page 105
Figure 8.1. Certification path……Page 106
8.2.1 Core Certificate API……Page 107
8.2.2 Basic Certification Path Classes……Page 108
8.2.4 Certification Path Building Classes……Page 109
8.2.6 PKIX Classes……Page 110
8.3.2 JAR File Format Overview……Page 111
8.3.3 Runtime Trust Establishment……Page 112
8.4 User-Centric Authentication and Authorization Using JAAS……Page 113
8.4.1 Subjects and Principals……Page 114
8.4.3 Pluggable and Stacked Authentication……Page 115
Figure 8.3. Stacked authentication……Page 116
8.4.5 Authorization……Page 118
8.4.7 Access Control Implementation……Page 119
8.5 Distributed End-Entity Authentication……Page 120
8.5.2 Single Sign-on in a Kerberized Environment……Page 121
The Kerberos Login Module……Page 122
Authenticating the Server……Page 123
9.1 Security Exceptions……Page 125
9.2 Fields and Methods……Page 126
9.4 Private Object State and Object Immutability……Page 127
9.5 Privileged Code……Page 129
9.6 Serialization……Page 130
9.8 Native Methods……Page 132
Figure 9.1. Signed object……Page 133
9.10 Sealing Objects……Page 135
Figure 9.2. Guard and GuardedObject……Page 136
10.1 Cryptographic Concepts……Page 140
10.2 Design Principles……Page 141
10.3 Cryptographic Services and Service Providers……Page 142
Table 10.1. Java 2 SDK 1.4 Engine Classes……Page 144
Figure 10.2. API class and corresponding SPI class……Page 145
10.4.2 Provider……Page 147
10.4.3 MessageDigest……Page 148
10.4.4 Signature……Page 149
AlgorithmParameterSpec……Page 151
AlgorithmParameters……Page 152
AlgorithmParameterGenerator……Page 153
Key……Page 154
KeySpec……Page 155
KeyFactory……Page 157
CertificateFactory……Page 158
10.4.8 KeyPair and KeyPairGenerator……Page 159
10.4.9 KeyStore……Page 160
10.4.10 Randomness and Seed Generators……Page 162
Creating a Cipher Object……Page 164
Initializing a Cipher Object……Page 165
Encrypting and Decrypting Data……Page 166
Managing Algorithm Parameters……Page 167
Creating a Key Generator……Page 169
10.5.3 SecretKeyFactory……Page 170
Executing a KeyAgreement Phase……Page 172
Initializing a Mac Object……Page 173
10.6.1 Computing a Message Digest……Page 174
10.6.2 Generating a Public/Private Key Pair……Page 175
10.6.3 Generating and Verifying Signatures……Page 176
10.6.4 Reading a File That Contains Certificates……Page 178
Creating a Cipher……Page 179
10.6.6 Using Password-Based Encryption……Page 180
10.7.1 Message Digest Algorithms……Page 182
10.7.4 Random-Number Generation Algorithms……Page 183
Algorithms……Page 184
Padding……Page 185
10.8 Algorithm Specifications……Page 186
10.8.4 Digital Signature Algorithm……Page 187
10.8.6 DSA Key-Pair Generation Algorithm……Page 188
10.8.8 DSA Parameter-Generation Algorithm……Page 189
11.1.1 Using Kerberos Credentials with Java GSS-API……Page 190
Delegation of Credentials……Page 192
Credential Acquisition……Page 193
Credential Delegation……Page 194
11.1.2 Establishing a Security Context……Page 195
11.2 JSSE……Page 196
11.2.2 SocketFactory and ServerSocketFactory Classes……Page 197
11.2.4 SSLSocketFactory and SSLServerSocketFactory Classes……Page 198
Setting the Assigned SSLSocketFactory……Page 199
11.2.9 Creating an SSLContext Object……Page 200
11.2.10 TrustManager Interface……Page 201
11.2.11 TrustManagerFactory Class……Page 202
11.2.13 KeyManagerFactory Class……Page 203
11.3.2 RMI Activation……Page 205
11.3.3 Securing RMI Communications……Page 206
12.1 Installing the Latest Java 2 Platform Software……Page 208
12.3.1 Setting System Properties……Page 209
12.3.3 Setting Security Properties……Page 210
12.4.1 Restricting Property Override Mechanisms……Page 211
12.4.2 Configuring Application-Specific Policies……Page 212
12.5.1 Installing the Provider Classes……Page 213
12.5.2 Configuring the Provider……Page 214
12.6.1 Configuring Systemwide and User-Specific Policies……Page 215
Keystore Entry……Page 216
Grant Entries……Page 217
12.6.3 Policy File Examples……Page 220
12.6.4 Property Expansion in Policy Files……Page 222
12.7 JAAS Login Configuration Files……Page 224
12.7.1 Login Configuration File Structure and Contents……Page 225
12.7.2 Login Configuration File Location……Page 226
Figure 12.1. Keystore……Page 227
12.8.2 keytool……Page 229
Certificate Signing Requests and Certificate Chains……Page 230
Importing Certificates……Page 231
Exporting a Certificate……Page 232
keytool Usage Example……Page 233
Signing a JAR File……Page 236
The Signed JAR File……Page 237
Verifying a JAR File……Page 238
Code Signing and Verification Example……Page 239
12.9 X.500 Distinguished Names……Page 240
12.10 Managing Security Policies for Nonexperts……Page 241
13.1 Introduction to Java Card……Page 243
13.1.1 Virtual Machine Lifetime……Page 244
13.1.3 Java Card’s Applet Isolation and Object-Sharing Model……Page 245
13.2 Introduction to Java 2 Micro Edition……Page 246
13.3.1 Virtual Machine Enhancements……Page 247
13.3.3 Trusted Computing Base Enhancements……Page 248
13.3.5 Security Expressions……Page 249
13.4.1 Overview of Jini Technology Security Architecture……Page 250
13.4.3 Establishing Proxy Trust……Page 251
13.5 Brief Introduction to J2EE……Page 252
13.6 Client Containers……Page 253
13.7 Final Remarks……Page 254
Bibliography……Page 255
Reviews
There are no reviews yet.