
Security Implementation Mechanisms

Auditing
: The means used to capture a tamper-resistant record of security-related events so that the effectiveness of security policies and mechanisms can be evaluated. To enable this, the system maintains a record of transactions and security information. The record is only tamper-resistant if it is written somewhere the audited components cannot rewrite it, such as an append-only store or a separate log collector.
Security Implementation Mechanisms
The characteristics of an application should be considered when deciding the layer and type of
security to be provided for applications. The following sections discuss the characteristics of the
common mechanisms that can be used to secure Java EE applications. Each of these
mechanisms can be used individually or with others to provide protection layers based on the
specific needs of your implementation.
Java SE Security Implementation Mechanisms
Java SE provides support for a variety of security features and mechanisms, including:
Java Authentication and Authorization Service (JAAS)
: JAAS is a set of APIs that enable
services to authenticate and enforce access controls upon users. JAAS provides a pluggable
and extensible framework for programmatic user authentication and authorization. JAAS is
a core Java SE API and is an underlying technology for Java EE security mechanisms.
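As an added example (not part of the tutorial), the following program performs a programmatic JAAS login. The LoginModule, its in-memory user table and the UserPrincipal type are hypothetical, and the Configuration is built in code rather than read from a login configuration file; Java 17 or later is assumed.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import java.security.Principal;
import java.util.Map;

/** Added example: programmatic JAAS login against a hypothetical in-memory LoginModule (not tutorial code). */
public class JaasDemo {

    /** Principal added to the Subject on success; authorization code keys off this type. */
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    public static class InMemoryLoginModule implements LoginModule {
        // Constructed user table; a real module would consult LDAP, a database, or a Kerberos KDC.
        private static final Map<String, char[]> USERS = Map.of("alice", "correct horse".toCharArray());

        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1: gather credentials through the CallbackHandler and check them; the Subject is untouched. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String name = nc.getName();
            char[] expected = name == null ? null : USERS.get(name);
            succeeded = constantTimeEquals(expected, pc.getPassword());
            pc.clearPassword();
            // Same message whether the user is unknown or the password is wrong: no account enumeration.
            if (!succeeded) throw new FailedLoginException("invalid user name or password");
            user = name;
            return true;
        }

        /** Phase 2: only after every REQUIRED module passed does the Subject receive its principals. */
        @Override public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new UserPrincipal(user));
            return succeeded;
        }

        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }

        private static boolean constantTimeEquals(char[] a, char[] b) {
            if (a == null || b == null) return false;
            int diff = a.length ^ b.length;
            for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    /** Programmatic equivalent of a login configuration entry: demo { JaasDemo$InMemoryLoginModule required; }; */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(InMemoryLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of())
            };
        }
    };

    static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(user);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), cbh, CONFIG);
        lc.login();  // runs login() on each configured module, then commit() on all or abort() on all
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Subject s = login("alice", "correct horse".toCharArray());
        System.out.println("principals: " + s.getPrincipals(UserPrincipal.class));
        try {
            login("alice", "wrong".toCharArray());
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two-phase protocol is the security-relevant part: login() validates credentials, but the Subject is populated only in commit(), after every REQUIRED module has passed, so a half-authenticated Subject is never observable by callers. Authorization decisions then key off the principals in the Subject; the older Subject.doAs plus Policy route relies on the SecurityManager, which has been deprecated for removal since JDK 17.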
Java Generic Security Services (Java GSS-API)
: Java GSS-API is a token-based API used to
securely exchange messages between communicating applications. The GSS-API offers
application programmers uniform access to security services atop a variety of underlying
security mechanisms, including Kerberos.
Java Cryptography Extension (JCE)
: JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. Block ciphers operate on fixed-size blocks of bytes (16 bytes for AES) and therefore need a mode of operation and, for some modes, padding, while stream ciphers operate on one byte at a time. The software also supports secure streams (CipherInputStream and CipherOutputStream) and sealed objects (SealedObject). A transformation name without a mode, such as "AES", defaults to ECB mode with PKCS5 padding in the built-in provider, which neither hides patterns in the plaintext nor detects tampering; always spell out an authenticated transformation such as "AES/GCM/NoPadding". Since JDK 8u161 the unlimited-strength policy is the default, so 256-bit keys no longer require installing separate policy files.
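Added example, not from the tutorial: AES in GCM mode plus an HMAC, showing the per-message nonce, the associated-data binding, and the tamper check that an authenticated mode gives you. The plaintext and associated data are constructed inline; it runs on any current JDK without an extra provider.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Added example: AES-GCM encryption and HMAC-SHA256 with the JCE APIs (not code from the tutorial). */
public class JceDemo {
    private static final int NONCE_BYTES = 12;  // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;    // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    static SecretKey newKey(String algorithm, int bits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(algorithm);
        kg.init(bits);
        return kg.generateKey();
    }

    /** Returns nonce || ciphertext || tag. The nonce must never repeat under the same key. */
    static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        // Name the full transformation: plain "AES" means AES/ECB/PKCS5Padding, which is unauthenticated.
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(aad);  // authenticated but not encrypted, e.g. a header or message id
        byte[] ciphertext = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(NONCE_BYTES + ciphertext.length).put(nonce).put(ciphertext).array();
    }

    /** Throws AEADBadTagException if the nonce, ciphertext, tag or AAD was altered. */
    static byte[] decrypt(SecretKey key, byte[] message, byte[] aad) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, message, 0, NONCE_BYTES));
        cipher.updateAAD(aad);
        return cipher.doFinal(message, NONCE_BYTES, message.length - NONCE_BYTES);
    }

    static byte[] hmac(SecretKey key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data);
    }

    /** Constant-time comparison; Arrays.equals would leak where the first differing byte is. */
    static boolean verifyHmac(SecretKey key, byte[] data, byte[] expected) throws GeneralSecurityException {
        return MessageDigest.isEqual(hmac(key, data), expected);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] plaintext = "attack at dawn".getBytes(StandardCharsets.UTF_8);  // constructed sample input
        byte[] aad = "msg-id:42".getBytes(StandardCharsets.UTF_8);            // constructed associated data

        SecretKey aesKey = newKey("AES", 256);
        byte[] message = encrypt(aesKey, plaintext, aad);
        System.out.println("decrypted: " + new String(decrypt(aesKey, message, aad), StandardCharsets.UTF_8));

        // Flip one ciphertext bit: GCM refuses to release the corrupted plaintext at all.
        message[NONCE_BYTES] ^= 0x01;
        try {
            decrypt(aesKey, message, aad);
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getMessage());
        }

        SecretKey macKey = newKey("HmacSHA256", 256);
        byte[] tag = hmac(macKey, plaintext);
        System.out.println("hmac valid: " + verifyHmac(macKey, plaintext, tag));
        System.out.println("hmac valid after edit: "
                + verifyHmac(macKey, "attack at dusk".getBytes(StandardCharsets.UTF_8), tag));
    }
}
```

The same message decrypted with different associated data (say "msg-id:43") also fails with AEADBadTagException, which is how the AAD binds a ciphertext to its context and blocks replay into another slot. Use a separate key for the MAC rather than reusing the AES key; the two keys are generated independently above for that reason.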
Java Secure Sockets Extension (JSSE)
: JSSE provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications. SSL 3.0 and TLS 1.0/1.1 are disabled by default in current JDKs (through the jdk.tls.disabledAlgorithms security property), so new code should negotiate TLS 1.2 or 1.3. Server authentication in JSSE means validating the certificate chain against the trust store; checking that the certificate was issued for the host you connected to is a separate step that HttpsURLConnection performs but a bare SSLSocket does not unless endpoint identification is enabled.
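Added example (not tutorial code) of a JSSE client that restricts the protocol versions and turns on hostname verification for a raw SSLSocket. The host name is a placeholder argument: the program connects to whatever public TLS endpoint you pass it, using the JDK's default trust store, so it needs network access.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.cert.X509Certificate;

/** Added example: a TLS client that pins protocol versions and verifies the server name (not tutorial code). */
public class TlsClientDemo {

    /** Hardened parameters for an SSLSocket that has been created but not yet handshaken. */
    static SSLParameters hardened(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        // Only modern versions; SSL 3.0 and TLS 1.0/1.1 are disabled in current JDKs anyway.
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // Weak default: a bare SSLSocket checks that the certificate chains to a trusted CA but
        // NOT that it was issued for the host we connected to. "HTTPS" enables that name check
        // (RFC 2818 / RFC 6125 matching); HttpsURLConnection does this for you, SSLSocket does not.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    /** Connects, completes the handshake, and returns the negotiated session. */
    static SSLSession connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();  // default trust store (cacerts)
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSSLParameters(hardened(socket));
            socket.startHandshake();  // server authentication, key agreement, session establishment
            SSLSession session = socket.getSession();
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("protocol:     " + session.getProtocol());
            System.out.println("cipher suite: " + session.getCipherSuite());
            System.out.println("server cert:  " + leaf.getSubjectX500Principal());
            return session;
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com";  // assumption: any reachable public TLS endpoint
        connect(host, 443);
    }
}
```

With endpoint identification enabled, connecting to a server whose certificate does not name the host you asked for fails inside startHandshake() with an SSLHandshakeException instead of silently succeeding; remove the setEndpointIdentificationAlgorithm line and the same connection is accepted, which is the misconfiguration this guard exists to prevent.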
Simple Authentication and Security Layer (SASL)
: SASL is an Internet standard (originally RFC 2222, now RFC 4422) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. It is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit. Java SE exposes it through the javax.security.sasl package (Sasl, SaslClient, SaslServer); the built-in provider supplies client mechanisms such as PLAIN, CRAM-MD5, DIGEST-MD5, GSSAPI and EXTERNAL, and a smaller set on the server side. Because PLAIN sends the password in the clear and the MD5-based mechanisms are obsolete, run SASL over TLS unless the mechanism itself (GSSAPI) provides confidentiality.
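Added example, not part of the tutorial: a complete SASL challenge/response exchange with both SaslClient and SaslServer in one process, showing how the framework moves opaque mechanism data between the two sides. It uses the JDK's CRAM-MD5 mechanism only because that runs offline with no Kerberos infrastructure; the user table, the service name ("imap") and the server name ("localhost") are constructed for the demo, and Java 17 or later is assumed for the instanceof patterns.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import java.util.Map;

/** Added example: in-process SASL client/server exchange with the JDK's CRAM-MD5 mechanism (not tutorial code). */
public class SaslExchangeDemo {
    // Constructed credential store for the demo server. CRAM-MD5 needs the plaintext password on the
    // server, one of the reasons the mechanism is obsolete; it is used here only because it runs offline.
    static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    /** Client side: answers the mechanism's requests for the user name and password. */
    static CallbackHandler clientHandler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(user);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Server side: looks up the claimed user's password and decides whether authn id may act as authz id. */
    static CallbackHandler serverHandler() {
        return callbacks -> {
            String name = null;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) name = nc.getDefaultName();   // user name taken from the response
                else if (cb instanceof PasswordCallback pc) pc.setPassword(name == null ? null : USERS.get(name));
                else if (cb instanceof AuthorizeCallback ac)
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Runs the challenge/response loop between client and server; returns the authorized identity. */
    static String authenticate(String user, char[] password) throws SaslException {
        SaslClient client = Sasl.createSaslClient(new String[] {"CRAM-MD5"}, null, "imap", "localhost",
                null, clientHandler(user, password));
        SaslServer server = Sasl.createSaslServer("CRAM-MD5", "imap", "localhost", null, serverHandler());
        if (client == null || server == null) throw new SaslException("CRAM-MD5 not available in this JDK");
        try {
            // Some mechanisms send data first (PLAIN does); CRAM-MD5 waits for the server's challenge.
            byte[] response = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
            while (!server.isComplete()) {
                byte[] challenge = server.evaluateResponse(response);  // server -> client (or verdict)
                if (server.isComplete()) break;
                response = client.evaluateChallenge(challenge);         // client -> server
            }
            return server.getAuthorizationID();
        } finally {
            client.dispose();
            server.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("authorized as: " + authenticate("alice", "s3cret".toCharArray()));
        try {
            authenticate("alice", "wrong".toCharArray());
        } catch (SaslException e) {
            System.out.println("rejected as expected: " + e.getMessage());  // server throws on a bad digest
        }
    }
}
```

The loop is mechanism-agnostic: swapping the mechanism name changes what the byte arrays contain, not how they are carried, which is exactly the separation the paragraph describes. In a real deployment the challenge and response would travel inside the application protocol (IMAP, LDAP, SMTP) over a TLS connection; the server-side AuthorizeCallback is where proxy authorization (authenticating as one identity, acting as another) is permitted or refused.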
Java SE also provides a set of tools for managing keystores and certificates (keytool); generating and verifying JAR signatures (jarsigner); obtaining and listing Kerberos tickets (kinit, klist); and managing Kerberos key tables (ktab). The policytool utility for editing policy files was removed in JDK 11.
Chapter 28 · Introduction to Security in the Java EE Platform