Java Security

General remarks

• While any of the following may help solve security-related problems, keep in mind that security is a process, not a single product or technology. A technologically secure computer system does not help if someone can steal its hard drive, it's not backed up properly, or if its password is written on a Post-It note.
• Introduction to various security topics
• An interview with Bruce Schneier gives an introduction of some of the non-technological issues and trade-offs to consider. His book Secrets & Lies is a good introduction to designing secure system.
• comp.risks is a newsgroup and mailing list where all matters related to computer security are discussed by highly knowledgeable practitioners of the field.
• Overview of Java security, Oracle's Secure Coding Guidelines for the Java Programming Language
• Java Security Evolution and Concepts series in JavaWorld: Part 1 Part 2 Part 3 Part 4 Part 5
• Pitfalls of the Java Permission model
• Jakarta EE 8 Security API

---

Web applications and HTTP

• Security Fundamentals in a Web Environment
• Overview of Web Application Security for Java web apps
• Some starting points are in the Servlet FAQ
• Guide to Building Secure Web Applications
• Form parameter checking
• Introduction to SQL injection
• Introduction to Cross-site scripting
• HTTP Response Splitting: Introduction, Detecting and Testing (a browser extension like HTTP-Header-Live for Firefox can also be very useful for this)
• The Open Web Application Security Project (OWASP) is a free and open application security community. The home page contains many useful links.
• OWASP's CSRFGuard project, which helps guard your web app against -wait for it- CSRF attacks.
• Books - Soft copies for many of the books can be downloaded for free.
• Video Links - Videos of presentations made by OWASP members at various conferences.
• OWASP Development Guide - Wiki link.
• Using Jakarta Security on Tomcat 10

Books

• Ajax Security
• The Web Application Hacker's Handbook
• XSS Attacks

---

JAAS

• Home page
• Authentication Tutorial - Authorization Tutorial
• Introduction 1 - Introduction 2 - Introduction 3
• JavaRanch? Journal articles: Authentication using JAAS - Authorization using JAAS
• Using JAAS in Java EE and SOA Environments - Adapting JAAS to SOA Environments: SOA Security Service

---

JCE - Encryption - Message Digests

• Home page
• Basic Triple-DES/3DES encryption/decryption with JCE
• Using AES with JCE, code example
• How do I work with message digests?, but Don't Hash Secrets
• A list of available algorithms

Using JCE I am getting a BadPaddingException?. What should I do?

Search the forums for BadPaddingException for several discussions on this. The gist is: don't use a String to store the encrypted text - use byte[].

Where can I get Java source code for the XYZ algorithm?

Bouncycastle is an open source library comprised of many and varied encryption algorithms, amongst them a full JCE implementation. The codes for the AES competition are also available. Those include Rijndael (which became AES), RC6, Serpent, Twofish and Mars.

I am getting an java.lang.SecurityException?: Unsupported keysize or algorithm parameters. What gives?

One reason may be that you're using incorrect parameters for the algorithm, mode or cipher. Check the above-mentioned list of algorithms for what is available. Another reason may be that you don't have the unlimited jurisdiction policy files installed; these can be downloaded from the same place you download the JDK.

How can I implement my own JCE provider?

This is described in detail in the article How To Implement a Provider for the Java Cryptography Architecture. Information on how to install the provider can be found in the sections on "How Provider Implementations Are Requested and Supplied" and "Installing Providers" in this article.

Which message digest (or hash) algorithm should I use?

At this point, the various RC, MD and SHA-1 algorithms should no longer be used. SHA-2 is the way to go; it's available in Java in the SHA-256, SHA-384 and SHA-512 variants. (A NIST competition has selected a SHA-3 standard, but it's not yet part of the JRE, and anyway offers no fundamental advantage over SHA-2.)

---

Libraries that help implement security features

• Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography. Don't implement security on your own - use Shiro and be done with it.
• Google Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse, Guide to Google Tink
• OWASP's CSRFGuard project, which helps guard your web app against -wait for it- CSRF attacks.
• Single Sign-On (SSO) can be implemented with CAS, JOSSO, OpenAM (formerly OpenSSO) (looks dormant) or SPNEGO (for Windows authentication, looks dormant)
• OACC focuses on providing a fully featured API to both enforce and manage an application's authentication and authorization needs
• Cognicrypt allows developers to quickly identify and fix security-critical misuses of JCA, JSSE, BouncyCastle?, BouncyCastle? as a JCA provider, and Google Tink. article CogniCrypt: Kryptografie richtig nutzen (in German)
• Spring Security Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
• portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more
• Bouncycastle is an open source library comprised of many and varied encryption algorithms, amongst them a full JCE implementation.

---

Other topics

• Web services: This article is part of the Axis documentation, but it's generally applicable.
• Introduction to SecurityManagers
• Introduction to ClassLoaders
• Introduction to Policies
• Storing Passwords - done right!
• Introduction to Steganography with Java
• Secure Programming HOWTO - Creating Secure Software
• A simple demonstration of how OAuth 2.0 works: Part 1 - Part 2 - Part 3 - Part 4
• I'm getting a "javax.net.ssl.SSLHandshakeException?: sun.security.validator.ValidatorException?: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?: unable to find valid certification path to requested target " exception. What gives? Don't Panic! Here's the solution. and here's the code that goes with it
• JavaDoc:org.apache.commons.net.util.TrustManagerUtils has utility methods that return either an all-trusting TrustManager? or one that only checks certificate validity
• Troy Hunt's Ultimate List of Security Links
• SSL checker for web sites
• How Can An Applet Read Files On The Local File System Applets are obsolete, this is just for historical reference.
• Java's API for Privileged Blocks

---

CategoryJava