Java Security


Java's most striking claim is that it provides a secure programming environment. However, despite lots of discussion, few people understand precisely what Java's claims mean and how it backs up those claims. Java Security is an in-depth exploration aimed at developers, network administrators, and anyone who needs to work with or understand Java's security mechanisms. It discusses in detail what security does and doesn't mean, what Java's default security policies are, and how to...
See more details below
Paperback (Second Edition)
$48.88 price
(Save 11%)$54.99 List Price
Other sellers (Paperback)
  • All (26) from $1.99   
  • New (7) from $32.43   
  • Used (19) from $1.99   
Java Security

Available on NOOK devices and apps  
  • NOOK Devices
  • Samsung Galaxy Tab 4 NOOK 7.0
  • Samsung Galaxy Tab 4 NOOK 10.1
  • NOOK HD Tablet
  • NOOK HD+ Tablet
  • NOOK eReaders
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac

Want a NOOK? Explore Now

NOOK Book (eBook)
$25.49 price
(Save 42%)$43.99 List Price


Java's most striking claim is that it provides a secure programming environment. However, despite lots of discussion, few people understand precisely what Java's claims mean and how it backs up those claims. Java Security is an in-depth exploration aimed at developers, network administrators, and anyone who needs to work with or understand Java's security mechanisms. It discusses in detail what security does and doesn't mean, what Java's default security policies are, and how to create and implement your own policies.

In doing so, Java Security provides detailed coverage of security managers, class loaders, the access controller, and much of the package. It discusses message digests, certificates, and digital signatures, showing you how to use Java's facilities for signing classes or to implement your own signature facility. It shows you how to write a class loader that recognizes signed classes, verifies the signature, and cooperates with a security manager to grant additional privileges. It also discusses the problem of managing cryptographic keys and shows you how to implement your own key management systems.

Java Security is an essential book for everyone using Java in real-world software. If you're deploying software written in Java, you need to know how to grant your classes the privileges they need, without granting privileges to untrusted classes. You need to know how to protect your systems against intrusion and corruption. Java provides the tools; this book shows you how to use them.

Read More Show Less

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
Is Java secure? That depends, says Scott Oaks: What are you going to use it for? Fortunately, Oaks doesn't stop there: His latest book presents a systematic, realistic tour of Java security, showing how it's evolved to include options never included in the original Java sandbox (such as support for digital signatures and external auditing security managers). Oaks focuses on what programmers need to know to implement security (with plenty of code samples). However, the book will also be useful to sysadmins and managers who must clearly understand the security issues associated with the Java software they're running.

Java Security, Second Edition covers virtually every Java security-related feature and architectural issue developers will encounter in building secure applications: the security manager; the class loader; security providers; keys and certificates; and many other key topics. Java security continues to evolve rapidly, so Oaks doesn't stop with the major changes introduced by the Java 2 security model; he reviews optional Java 1.3 security extensions that will move into the core SDK in release 1.4. These include the Java Secure Sockets Extension (JSSE) 1.0.2 (for performing key management and SSL operations); and the Java Authentication and Authorization Service (JAAS) 1.0.

You'll learn how to build Java applications that implement your organization's custom security policies; as well as how to leverage "generic" security features such as digital signatures. He pulls no punches; to the extent that Java security remains limited, he tells you ("If you really need conformance with a U.S. government-approved definition of security, Java is not the platform for you.") (Bill Camarda)

Bill Camarda is a consultant and writer with nearly 20 years' experience in helping technology companies deploy and market advanced software, computing, and networking products and services. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.

From The Critics
Focusing on security from the perspective of the Java programmer, this guide describes the architecture of Java's security model and explains its uses, both for programming and administration. The book covers Java's basic platform security features as well as recent additions that enhance its utility. In so doing, it describes the default policies and offers advice on designing and implementing customized polices. Particular attention is paid to APIs within Java. Oaks is a software engineer. Annotation c. Book News, Inc., Portland, OR (
Read More Show Less

Product Details

  • ISBN-13: 9780596001575
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 5/24/2001
  • Series: Java Series
  • Edition description: Second Edition
  • Edition number: 2
  • Pages: 620
  • Product dimensions: 6.49 (w) x 9.75 (h) x 1.19 (d)

Meet the Author

Scott Oaks is a Java Technologist at Sun Microsystems, where he has worked since 1987. While at Sun, he has specialized in many disparate technologies, from the SunOS kernel to network programming and RPCs. Since 1995, hes focused primarily on Java and bringing Java technology to end-users. Scott also authored OReillys Java Security, Java Threads and Jini in a Nutshell titles.

Read More Show Less

Read an Excerpt

Chapter 1: Java Application Security

In this chapter:
  • What Is Security?
  • Software Used in this Book
  • The Java Sandbox
  • Security Debugging
When Java was first released by Sun Microsystems, it attracted the attention of programmers throughout the world. These developers were attracted to Java for different reasons: some were drawn to Java because of its cross-platform capabilities, some because of its ease of programming (especially compared to object-oriented languages like C++), some because of its robustness and memory management, some because of Java's security, and some for still other reasons.

Just as different developers came to Java with different expectations, so too did they bring different expectations as to what was meant by the ubiquitous phrase "Java is secure." Security means different things to different people, and many developers who had certain expectations about the word "security" were surprised to find that their expectations were not necessarily shared by the designers of Java.

This book discusses the features of Java that make it secure. In this book, we'll discuss why Java is said to be secure, what that security means (and doesn't mean), and--most importantly--how to use the security features of the Java platform within your own programs. This last point is actually the focus of this book: while some of Java's security features are automatically a part of all Java programs, many of them are not. In this book, we'll learn about all those features and how to utilize them in our own Java applications.

What Is Security?

The first thing that we must do to facilitate our discussion of Java security is to discuss just what Java's security goals are. The term "security" is vague unless it is discussed in some context; different expectations of the term "security" might lead us to expect that Java programs would be:

Safe from malevolent programs

Programs should not be allowed to harm a user's computing environment. This includes Trojan horses as well as harmful programs that can replicate themselves--computer viruses.


Programs should be prevented from discovering private information on the host computer or the host computer's network.


The identity of parties involved in the program--both the author and the user of the program--should be verified.


Data that the program sends and receives--over the network or through a persistent store such as a filesystem or database--should be encrypted.


Potentially sensitive operations should always be logged.


A well-defined security specification should be followed.


Rules of operation should be set and verified.


Programs should be prevented from consuming too many system resources: too much CPU time, too much memory, and so on.

C2 or B1 certified

Programs should have certification from the U.S. government that certain security procedures are followed.

In fact, while all of these features could be part of a secure system, only the first two were within the province of Java's 1.0 default security model. Other items in the list have been introduced in later versions of Java: authentication was added in 1.1, encryption is available as an extension to the Java 2 platform, and auditing can be added to any Java program by providing an auditing security manager. Still others of these items will be added in the future. But the basic premise remains that Java security was originally and fundamentally designed to protect the information on a computer from being accessed or modified (including a modification that would introduce a virus) while still allowing the Java program to run on that computer.

The point driving this notion of security is the new distribution model for Java programs. One of the driving forces behind Java, of course, is its ability to download programs over a network and run those programs on another machine. This is something most computer users do today within the context of a Java-enabled browser, although the idea behind portable code like this is beginning to seep into other applications, such as those based on Jini technology. Coupled with the widespread growth of Internet use--and the public-access nature of the Internet--Java's ability to bring programs to a user on an as-needed, just-in-time basis has been a strong reason for its rapid deployment and acceptance.

The nature of the Internet created a new and largely unprecedented requirement for programs to be free of viruses and Trojan horses. Computer users had always been used to purchasing shrink-wrapped software. Many soon began downloading software via ftp or other means and then running that software on their machines. But widespread downloading also led to a pervasive problem of malevolent attributes both in free and (ironically) in commercial software, a problem which continues unabated. The introduction of Java into this equation had the potential to multiply this problem by orders of magnitude, as computer users now download programs automatically and frequently.

For Java to succeed, it needed to circumvent the virus/trojan horse problems that plagued other models of software distribution. Hence, the early work on Java focused on just that issue: Java programs are considered safe because they cannot install, run, or propagate viruses and because the program itself cannot perform any action that is harmful to the user's computing environment. And in this context, safety means security. This is not to say that the other issues in the above list are not important--each has its place and its importance (in fact, we'll spend a great deal of time in this book on the third and fourth topics in that list). But the issues of protecting information and preventing viruses were considered most important; hence, features to provide that level of security were the first to be adopted. Like all parts of Java, its security model is evolving (and has evolved through its various releases); many of the notions about security in our list will eventually make their way into Java.

One of the primary goals of this book, then, is to explain Java's security model and its evolution with each subsequent release. In the final analysis, whether or not Java is secure is a subjective judgment that individual users will have to make based on their own requirements. If all you want from Java is freedom from viruses, any release of Java should meet your needs. If you need to introduce authentication or encryption into your program, you'll need to use a 1.1 or later release of Java. If you have a requirement that all operations be audited, you'll need to build that auditing into your applications. If you really need conformance with a U.S. government-approved definition of security, Java is not the platform for you. We take a very pragmatic view of security in this book: the issue is not whether a system that lacks a particular feature qualifies as "secure" according to someone's definition of security. The issue is whether Java possesses the features that meet your needs....

Read More Show Less

Table of Contents

Preface; Who Should Read This Book?; Versions Used in This Book; Conventions Used in This Book; Organization of This Book; How to Contact Us; Acknowledgments; Feedback for the Author; Chapter 1: Java Application Security; 1.1 What Is Security?; 1.2 The Java Sandbox; 1.3 Applications, Applets, and Programs; 1.4 Running a Java Application; 1.5 Summary; Chapter 2: Java Language Security; 2.1 Java Language Security Constructs; 2.2 Enforcement of the Java Language Rules; 2.3 Summary; Chapter 3: Java Class Loaders; 3.1 Security and the Class Loader; 3.2 Anatomy of a Class Loader; 3.3 Loading Classes; 3.4 Implementing a Class Loader; 3.5 Extensions to the Class Loader; 3.6 Miscellaneous Class Loading Topics; 3.7 Summary; Chapter 4: The Security Manager Class; 4.1 Overview of the Security Manager; 4.2 Trusted and Untrusted Classes; 4.3 Using the Security Manager; 4.4 Summary; Chapter 5: The Access Controller; 5.1 The CodeSource Class; 5.2 Permissions; 5.3 The Policy Class; 5.4 Protection Domains; 5.5 The AccessController Class; 5.6 Guarded Objects; 5.7 Summary; Chapter 6: Implementing Security Policies; 6.1 Protected Methods of the Security Manager; 6.2 Security Managers and the Class Loader; 6.3 Implementation Techniques; 6.4 Running Secure Applications; 6.5 Summary; Chapter 7: Introduction to Cryptography; 7.1 The Need for Authentication; 7.2 The Role of Authentication; 7.3 Cryptographic Engines; 7.4 Summary; Chapter 8: Security Providers; 8.1 The Architecture of Security Providers; 8.2 The Provider Class; 8.3 The Security Class; 8.4 The Architecture of Engine Classes; 8.5 Summary; Chapter 9: Message Digests; 9.1 Using the Message Digest Class; 9.2 Message Digest Streams; 9.3 Implementing a MessageDigest Class; 9.4 Summary; Chapter 10: Keys and Certificates; 10.1 Keys; 10.2 The KeyPairGenerator Class; 10.3 The KeyFactory Class; 10.4 Certificates; 10.5 Keys, Certificates, and Object Serialization; 10.6 Summary; Chapter 11: Key Management; 11.1 Overview of Key Management; 11.2 The KeyStore Class; 11.3 A Key Management Example; 11.4 Summary; Chapter 12: Digital Signatures; 12.1 The Signature Class; 12.2 Signed Classes; 12.3 Implementing a Signature Class; 12.4 Summary; Chapter 13: Encryption; 13.1 Export Restrictions; 13.2 The Sun Security Provider in the JCE; 13.3 Key Types in the JCE; 13.4 Secret Key Engines; 13.5 Encrypting Data; 13.6 Cipher Streams; 13.7 Symmetric Key Agreement; 13.8 Sealed Objects; 13.9 Summary; Security Tools; The keytool; The jarsigner Tool; The policytool; Files to Administer by Hand; Identity-Based Key Management; Identities; Identity Scopes; Key Management in an Identity Scope; Summary; Security Resources; Security Bugs; Third-Party Security Providers; Security References; Quick Reference; Package; Package; Package; Package; Package javax.crypto; Package javax.crypto.interfaces; Package javax.crypto.spec; Miscellaneous Packages; Colophon;

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)