The five tenets of security are: containment, authentication, authorization, encryption, and auditing.
Security systems that are implemented at the JVM level are far less likely to contain holes than security implemented at the application level. When possible, try to use the security mechanisms provided in Java.
The new sandbox mechanism with Java 2 allows fine-grained access to system resources.
How Java Handles Security
Class-loaders are used for loading in classes from any byte-stream.
The byte-code verifier is used by the JVM to double-check the integrity of Java byte-code before running it.
Java protected domains is the API Java uses for allowing fine-grained access to system resources.
Potential Weaknesses in Java
Limit the number of transactions a client can perform on a server. This can be done by providing a single login account for each user.
Limit the number of threads that can be created on the server. If too many threads are in play, it should tell the user the system is busy rather than crashing.
Use an RMI Security Manager to restrict code from infiltrating your server as Trojan horses.
Coding Functional but Secure Java Applets
Message digests can be used to ensure that data has not been changed.
Digital signatures can be used to identify entities on the Internet.
Encryption allows data to remain private, even when transferred over the Internet.
Copyright Syngress Publishing, Inc. 2001 under license agreement with Books24x7