Everything you need to Know about Java Security

A definitive in-depth look at authentication, encryption, keys, signatures, digests, policies and much more.


The issues surrounding security are varied, complex and deeply intertwined. It is often difficult to make sense of these interlinked technologies unless you’ve been exposed to them for a long time. O’Reilly’s "Java Security" tries to overcome these barriers by collecting all the relevant information into a single book. This book stops short of exploring cryptographic issues in depth, referring the reader to a companion book called "Java Cryptography". Instead, we get the lay of the land in this treatment and enough information to put us in a position to capitalize on the solutions offered by Java, in particular version 1.2.

The book starts off by exploring what security entails, talking about the Java sandbox, applications and digital signatures that allow you to gain broader access to system software. No Java security book would be complete without an in depth discussion of the basic security features in the Java virtual machine, class loaders and the security manager architecture, and all that material is covered thoroughly in the first few chapters. Java 1.2 offers multiple levels of protection and access through policies and chapter 6 focusses on exactly what that means to you if you’re responsible for configuring your environment.

Chapter 7 starts covering cryptography issues, with chapter 8 discussing security providers and the implications of applying encryption technology in your applications. Message digests provide a way of securing data streams. These are explored in chapter 9. The next sequence of chapters covers keys, certificates, key management, and digital signatures. These are the means that programmers use to authenticate users or code originators. Chapter 13 revisits encryption issues, this time covering export restrictions and the various engines provided in the JCE (Java Cryptographic Extensions). Finally, the appendices cover the security tools provided with Java, identity-based key management, providing a list of resources and a quick reference to the security API.

This books is extremely well written and provides an accessible map to readers interested in this complex programming arena. Making this material accessible is no small task, but "Java Security" rises to the challenge and does a great job of putting all the tangled issues in perspective. If you intend to work with Java in an enterprise environment, need to develop secure applications or simply want to understand what decisions you might have to make to implement effective security measures with Java, this book is for you. It covers a lot of ground in a well crafted format and makes an otherwise difficult set of ideas much more comprehensible and a pleasure to read about.