Security Faq at JavaRanch

Security Faq
Useful pages FrontPage List of all FAQs Content categories RecentChanges Upload files Java Forums Top viewed pages ScjpMockTests ScjpFaq ItextExample AssociationVsAggregati... BookPromotions FrontPage HowToSetTheClasspath SceaFaq WebServicesHowTo WebServicesFaq Recently edited pages ScjpWallOfFame ScjdWallOfFame JavascriptLinks	This is work in progress. Feel free to add content as you see fit. General Applets Security managers and class loaders Policies Web applications and HTTP JAAS Encryption, message digests and JCE Web services Certifications Other topics General remarks While any of the following may help solve security-related problems, keep in mind that security is a process, not a single product or technology. A technologically secure computer system does not help if someone can steal its hard drive, it's not backed up properly, or if its password is written on a Post-It note. Introduction to various security topics An interview with Bruce Schneier gives an introduction of some of the non-technological issues and trade-offs to consider. His book Secrets & Lies is a good introduction to designing secure system. comp.risks is a newsgroup and mailing list where all matters related to computer security are discussed by highly knowledgeable practitioners of the field. Overview of Java security, Sun's Secure Coding Guidelines for the Java Programming Language Java Security Evolution and Concepts series in JavaWorld: Part 1 Part 2 Part 3 Part 4 Part 5 Pitfalls of the Java Permission model Applet security HowCanAnAppletReadFilesOnTheLocalFileSystem Security managers and class loaders Introduction to SecurityManagers Class loaders as a namespace mechanism Introduction to ClassLoaders Introduction to the class loader hierarchy and the boot classpath Writing a ClassLoader Policies Introduction Web applications and HTTP Some starting points are in the ServletsFaq Guide to Building Secure Web Applications Form parameter checking a couple of introductions to SQL injection Cross-site scripting/JS-injection HTTP Response Splitting: Introduction, Detecting and Testing (a browser extension like LiveHTTPHeaders for Firefox can also be very useful for this) Single Sign-On (SSO) can be implemented with CAS, JOSSO, OpenSSO (now called OpenAM) or SPNEGO JAAS Home page Authentication Tutorial - Authorization Tutorial Introduction 1 - Introduction 2 - Introduction 3 JavaRanch Journal articles: Authentication using JAAS - Authorization using JAAS Extend JAAS for class instance-level authorization Using JAAS in Java EE and SOA Environments - Adapting JAAS to SOA Environments: SOA Security Service JCE - Encryption - Message Digests Home page Basic DES encryption/decryption with JCE (you should really use "Triple-DES/3DES" instead of the obsolete DES) Basic Triple-DES/3DES encryption/decryption with JCE Using AES with JCE How do I work with message digests? A list of available algorithms Q: Using JCE I am getting a BadPaddingException. What should I do? A: You should read this thread. The gist is: don't use a String to store the encrypted text - use byte[]. Q: Where can I get Java source code for the XYZ algorithm? A: Bouncycastle is an open source library comprised of many and varied encryption algorithms, amongst them a full JCE implementation. The codes for the AES competition are also available. Those include Rijndael (which became AES), RC6, Serpent, Twofish and Mars. Q: I am getting an java.lang.SecurityException: Unsupported keysize or algorithm parameters. What gives? A: One reason may be that you're using incorrect parameters for the algorithm, mode or cipher. Check the above-mentioned list of algorithms for what is available. Another reason may be that you don't have the unlimited jurisdiction policy files installed; these can be downloaded from the same place you download the J2SE JDK. Q: How can I implement my own JCE provider? A: This is described in detail in the article How To Implement a Provider for the Java Cryptography Architecture. Information on how to install the provider can be found in the sections on "How Provider Implementations Are Requested and Supplied" and "Installing Providers" in this article. Q: Which message digest (or hash) algorithm should I use? A: At this point, the various RC, MD and SHA-1 algorithms should no longer be used. SHA-2 is the way to go; it's available in Java in the SHA-256, SHA-384 and SHA-512 variants. A NIST competition is under way to create a SHA-3 standard, but a winner won't be selected before 2011. Web service security This article is part of the Axis documentation, but it's generally applicable. Certifications GSSP - Secure Software Programmer Certification CISSP - Certified Information Systems Security Professional CISM - Certified Information Security Manager CEH - Certified Ethical Hacker OWASP (in planning) Other topics Creating an x509 certificate programmatically Introduction to Steganography with Java Secure Programming for Linux and Unix HOWTO Apache Shiro "is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography." I'm getting a "javax.net.ssl.SSLHandshakeException?: sun.security.validator.ValidatorException?: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?: unable to find valid certification path to requested target " exception. What gives? Don't Panic! Here's the solution. CategoryFaq