Hack Proofing Your Web Applications

In this chapter, we have seen how Java addresses the five tenets of security: containment, authorization, authentication, encryption, and auditing. Java is very strong in some areas of security, especially with containment. It is apparent that Sun s first priority was building an environment that protects Java users from potential harm. There are also some weak points with Java security, however. Of the five tenets, auditing is perhaps the weakest link. No built-in system exists to keep an auditing trail of transactions. The second weakest link would probably be authentication and authorization of users to the system. The reason these weak links still exist even in version 1.3 of Java is obvious: There has been no huge demand for them. The majority of Java developers and users have gotten along fine without them, so Sun has had no urgent reason to implement them. If there was a large hue and cry for them, Sun would have implemented them in the early releases of Java.
Let s review the mechanisms that Java uses to provide security. Containment is achieved through the use of a security manager and a policy file. This technology allows fine-grained control of what resources a Java application will have access to on a system. Authentication is achieved primarily by using digital signatures. These signatures are also used in certificates, such as the X.509 certificate, and for JAR signing. Authorization is implemented by using a combination of containment and authentication. With authorization, we are concerned with allowing access to...