Johnny

Reputation: 1575

Java Security Framework

I'm kind of new to Java platform. I need to work with some security frameworks of Java for both desktop application and web application. Now I need to know, which frameworks should I study for desktop application (suppose for Java SE or Java EE) and for web application (suppose for JSP)?

Upvotes: 0

Views: 1841

Answers (2)

Al Baker

Reputation: 534

I assume you are creating an overarching security architecture, governing remote connections and other aspects of the overall system. The desktop application security and web security are going to be different, but still solve a lot of the same problems in their own way.

Just some of the topics to include will be Authentication, Authorization, and Auditing (AAA), data security in transit and at rest, non-repudiation, transport layer security, platform security (e.g. managing platform privileges).

The two most common Java security frameworks are Spring Security and Apache Shiro. Both of these address a number of topics above, but they are frameworks - meaning you need to define the security architecture and policies, and then configure/extend the frameworks into your specific domain.

Bouncy Castle provides a bunch of off-the-shelf crypto, including being a compliant Java Cryptography Extension (JCE) - it is also FIPS 140-2 compliant, but not certified. There is a whole other game/industry of those selling the certified solutions.

Here is an example - let's say that your desktop application is going to use a Smart card with an X.509 certificate to gain access and interact with the web application. In that case, you have a bunch of security things to do with the smart card - PINs, encryption, etc. You then may want to use the client certificate on the server side, and an X.509 authentication provider on the server side. You may even then have some authorization routines based on the Distinguished Name provided in the certificate. You will find trust store access, authentication providers, role based access control and the like within the above security frameworks - but you have to put the pieces together.

You may also want to take a look @ OWASP for web security guidelines: https://www.owasp.org/index.php/Main_Page

If you are responsible for providing the security solution and you're starting with looking at the frameworks, I should give you a heads up that there is a knowledge sharing gap between security experts/analysts and software developers -- i.e. the people who tell you about how to exploit the weaknesses are usually not the same people who tell you how to configure the Spring Security or use the JCE API.

A decent mitigation strategy is to look at some of the "security wrapper" solutions, that essentially create small enclaves with hardened/secure entry points into the enclave. An example of a product like this would be Layer-7, which is commonly used as a web services security gateway.

Happy hunting!

Upvotes: 7
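As an added example (not code from the answer above or from any of the frameworks it names), here is one way to write the "authorization based on the Distinguished Name in the client certificate" step in plain JDK code, so it can sit behind Spring Security, Shiro or a servlet filter alike. The class name and the OU-to-role policy are hypothetical.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Maps the subject DN of a presented client certificate to application roles (added example). */
public final class DnRoleMapper {
    // Hypothetical policy: the OU attribute of the subject DN selects the role set.
    private static final Map<String, Set<String>> OU_TO_ROLES = Map.of(
        "Operators", Set.of("ROLE_USER", "ROLE_OPERATOR"),
        "Staff",     Set.of("ROLE_USER"));

    /** Value of the given attribute type (e.g. "CN", "OU") in a DN, if present. */
    static Optional<String> attribute(String dn, String type) throws InvalidNameException {
        // LdapName parses RFC 2253 DNs, so an escaped separator such as "CN=Doe\, Bob"
        // is treated as part of the value rather than splitting the DN incorrectly.
        // Index 0 of getRdns() is the rightmost RDN (closest to the root of the name).
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return Optional.of(rdn.getValue().toString());
            }
        }
        return Optional.empty();
    }

    /** Roles granted to the holder of this subject DN; an unknown or missing OU grants nothing. */
    static Set<String> rolesFor(String subjectDn) {
        try {
            return attribute(subjectDn, "OU").map(OU_TO_ROLES::get).orElse(Set.of());
        } catch (InvalidNameException e) {
            return Set.of(); // a malformed DN must fail closed, never grant access
        }
    }

    /** Overload taking the certificate presented on the TLS connection. */
    static Set<String> rolesFor(X509Certificate cert) {
        // getName() returns the subject in RFC 2253 form, which is what LdapName expects.
        return rolesFor(cert.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) {
        // Constructed sample DNs for illustration, not taken from real certificates.
        String alice = "CN=Alice Example,OU=Operators,O=Example Corp,C=US";
        String bob   = "CN=Doe\\, Bob,OU=Contractors,O=Example Corp,C=US";
        System.out.println("alice -> " + rolesFor(alice));
        System.out.println("bob   -> " + rolesFor(bob));
    }
}
```

The mapping deliberately grants nothing for an unrecognised OU or an unparseable DN, so a certificate that passed the trust-store check but belongs to no known group still ends up with an empty authority set.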

rit

Reputation: 2308

There are several frameworks available:

If you build a web application together with Spring I would recommend looking at the Spring Security suite as it perfectly integrates into the other Spring environment. Also JBoss Seam has some interesting approaches.

Also some related stackoverflow links:

And of course:

Upvotes: 1
