Java Security Frameworks

Java Authentication and Authorization Service (JAAS)

JAAS is a set of APIs that lets services authenticate users (or devices) and enforce access controls on them. It is the Java version of the standard Pluggable Authentication Module (PAM) framework and adds user-based (principal-based) authorization to the code-source-based Java 2 security model. Authentication logic moves out of application code into configurable LoginModules, so access decisions are made external to the application, though still inside the JVM or application-server container that hosts it. Expect a measurable cost: these notes put the performance hit at 15-20%.

JAAS verifies the identity of a user or device, determines its trustworthiness, and then grants access rights and privileges according to the requesting identity (represented as a Subject holding Principals). It lets applications adopt pluggable authentication mechanisms and user-based authorization through a Java API. JAAS is the Java implementation of the PAM framework originally developed for Sun's Solaris operating system. PAM lets authentication mechanisms be plugged in, so applications stay independent of the underlying authentication technology: JAAS LoginModules can integrate Kerberos, RSA, smart cards and biometric authentication systems, selected and stacked by a login configuration file rather than by code.

Java Authorization Contract for Containers (JACC)

JACC (JSR 115) moves role handling out of the application: a pluggable policy provider receives the roles, the user-to-role mapping and the roles allowed for each protected web resource and EJB method (translated into java.security.Permission objects such as WebResourcePermission and EJBMethodPermission), and answers the container's authorization checks. This externalizes J2EE security that previously lived only in the application's deployment descriptors. It was introduced with J2EE 1.4 (not Java SE 1.4) and is supported by WAS 6.0. Unlike JAAS, it allows access decisions to be made by a policy provider that can sit outside the application server, for example an enterprise authorization service.

Java Cryptography Extension (JCE)

JCE is a set of packages that provides a framework and implementations for encryption, key generation, key agreement and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block and stream ciphers. It also supports secure streams (CipherInputStream/CipherOutputStream) and sealed objects (SealedObject).

JCE augments the JCA with the cryptographic services that were once subject to U.S. export controls and therefore shipped as a separate download; since J2SE 1.4 it is part of the platform. It provides implementations and provider interfaces for ciphers (javax.crypto.Cipher) for encryption and decryption; password-based encryption; secret-key generation for symmetric algorithms (KeyGenerator, SecretKeyFactory); key agreement (KeyAgreement) for establishing a shared secret among communicating parties; MAC algorithms (javax.crypto.Mac) to validate information transmitted between parties; and PKCS#11 (Cryptographic Token Interface Standard) through the SunPKCS11 provider, which lets HSMs and smart cards hold keys and perform the cryptographic operations on the device. One operational caveat: JDKs before 8u161 capped key sizes unless the "unlimited strength" policy files were installed, so AES-256 failed with an InvalidKeyException on a stock install.
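
An added example (not from the original page) that exercises the JCE services listed above: password-based key derivation, an authenticated symmetric cipher, secret-key generation and a standalone MAC. The sample password and header are constructed for the example; the iteration count and key sizes are the author's choices, not values the page states.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class JceDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12, GCM_TAG_BITS = 128;

    /** Password-based encryption key: PBKDF2-HMAC-SHA256, salted per user and deliberately slow. */
    public static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** AES-GCM. Output layout: iv || ciphertext || tag. The header is authenticated as AAD but not encrypted. */
    public static byte[] encrypt(SecretKey key, byte[] aad, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);   // never reuse an IV under the same key: GCM loses both confidentiality and integrity on nonce reuse
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if ciphertext, tag, IV or AAD were modified; no plaintext is released in that case. */
    public static byte[] decrypt(SecretKey key, byte[] aad, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        c.updateAAD(aad);
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    /** Standalone MAC for data that is not encrypted (a signed cookie, a queued message); uses its own key, not the cipher key. */
    public static byte[] hmac(SecretKey macKey, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        SecretKey key = deriveKey("correct horse battery staple".toCharArray(), salt);   // constructed sample password

        byte[] header = "v1;user=alice".getBytes(StandardCharsets.UTF_8);                 // constructed sample AAD
        byte[] blob = encrypt(key, header, "account balance: 42".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, header, blob), StandardCharsets.UTF_8));

        blob[blob.length - 1] ^= 0x01;   // flip one bit of the authentication tag
        try {
            decrypt(key, header, blob);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }

        // Secret-key generation for a symmetric algorithm, here a fresh HMAC key; verify MACs with a constant-time compare.
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        byte[] tag = hmac(macKey, header);
        System.out.println("HMAC verifies: " + MessageDigest.isEqual(tag, hmac(macKey, header)));
    }
}
```

Two points the code makes that the text does not: GCM is an authenticated mode, so a separate MAC over the ciphertext is unnecessary, and the AAD lets a plaintext header (version, key id, user) be bound to the ciphertext so it cannot be swapped between records.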

Java Certification Path API (Java CertPath)

The Java CertPath API lets you build and validate certification paths (certificate chains) to decide whether a certificate can be trusted. It offers API-based mechanisms for parsing and managing certificates, certificate revocation lists (CRLs) and certification paths (CertificateFactory, CertPathBuilder, CertPathValidator, CertStore). Because implementations use the same JCA provider interfaces, they can be plugged into any J2SE environment. The API includes algorithm-specific classes for building and validating X.509 certification paths according to the IETF PKIX standard (RFC 5280), including revocation checking through CRLs and OCSP.
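
An added example, not from the original page, of PKIX validation of a chain read from a PEM file (leaf first, as a server sends it) against the JDK's bundled trust store, with revocation checking configured explicitly. The file path comes from the command line and the trust-store location is the standard one under java.home; both are assumptions of the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class ChainValidator {

    /** Loads the JDK's bundled trust store; a null password skips the integrity check, which is acceptable for reading. */
    static KeyStore jdkTrustStore() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, null);
        }
        return ks;
    }

    /** Parses a PEM bundle into a CertPath. A self-signed root at the end is the trust anchor, not part of the path, so drop it. */
    static CertPath toCertPath(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        return cf.generateCertPath(chain);
    }

    /** Full PKIX validation: signatures, validity periods, name chaining, basic constraints, key usage and revocation. */
    public static PKIXCertPathValidatorResult validate(CertPath path, KeyStore trust) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trust);   // every trustedCertEntry becomes a TrustAnchor

        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Revocation checking is on by default but fails hard when an OCSP responder or CRL is unreachable.
        // SOFT_FAIL turns network errors into warnings; a positive "revoked" answer still fails validation.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL, PKIXRevocationChecker.Option.PREFER_CRLS));
        params.addCertPathChecker(rc);

        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        CertPath path = toCertPath(Paths.get(args[0]));
        try {
            PKIXCertPathValidatorResult r = validate(path, jdkTrustStore());
            System.out.println("valid; anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            System.out.println("end-entity key algorithm: " + r.getPublicKey().getAlgorithm());
        } catch (CertPathValidatorException e) {
            // getIndex() identifies the offending certificate in the path; getReason() classifies it (EXPIRED, REVOKED, NAME_CHAINING, ...).
            System.out.println("invalid at index " + e.getIndex() + ": " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

Note that CertPath validation says nothing about whether the leaf certificate names the host you meant to talk to; that hostname check is a separate step (JSSE's endpoint identification, below in the JSSE section) and is the one most often forgotten.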

Java Cryptography Architecture (JCA)

The JCA provides the basic cryptographic services and algorithms, including message digests, digital signatures, key generation and key management. It defines the types and functionality of those services as engine classes (MessageDigest, Signature, KeyPairGenerator, KeyFactory, SecureRandom, KeyStore), while the algorithms themselves are implemented by pluggable providers. Because every provider implements the same standard APIs and key encodings, the results interoperate: for a given algorithm, a key generated by one provider can be used by another, and a digital signature produced by one provider can be verified by another.
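
An added example, not from the original page, of the JCA engine-class pattern: key-pair generation, a message digest, an ECDSA signature, and verification with a key rebuilt from its standard encoding, which is what makes the provider interoperability described above work. The message is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class JcaDemo {

    /** Engine-class pattern: request an algorithm by name; the highest-priority provider that implements it answers. */
    public static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        return kpg.generateKeyPair();
    }

    public static byte[] digest(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    public static byte[] sign(KeyPair kp, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(kp.getPrivate());
        sig.update(data);
        return sig.sign();
    }

    /**
     * Verifies using a PublicKey rebuilt from its X.509 SubjectPublicKeyInfo encoding. That encoding, not the
     * provider's internal key object, is the interoperable artifact: any provider can consume it.
     */
    public static boolean verify(byte[] encodedPublicKey, byte[] data, byte[] signature) throws GeneralSecurityException {
        PublicKey pub = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(encodedPublicKey));
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] message = "deploy build 1842 to prod".getBytes(StandardCharsets.UTF_8);   // constructed sample message
        KeyPair kp = generateKeyPair();
        byte[] signature = sign(kp, message);
        byte[] pubEncoded = kp.getPublic().getEncoded();   // DER SubjectPublicKeyInfo, what you would publish or pin

        System.out.println("digest   : " + Base64.getEncoder().encodeToString(digest(message)));
        System.out.println("verified : " + verify(pubEncoded, message, signature));

        byte[] forged = message.clone();
        forged[0] ^= 0x20;   // change one bit of the message
        System.out.println("forged   : " + verify(pubEncoded, forged, signature));

        // Which provider answered, and who else is installed (priority order follows security.provider.N in java.security)
        System.out.println("Signature provider: " + Signature.getInstance("SHA256withECDSA").getProvider().getName());
        for (Provider p : Security.getProviders()) System.out.println("  installed: " + p.getName());
    }
}
```

Under an HSM, the only change is asking for the engine from the SunPKCS11 provider (Signature.getInstance("SHA256withECDSA", provider)); the verify side is untouched because it only ever sees the encoded public key.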

Java Generic Security Services (JGSS)

JGSS provides the Java bindings for the GSS-API (RFC 2853, package org.ietf.jgss). Applications written against it can use a variety of authentication mechanisms, Kerberos in particular, through a single API, and it supports single sign-on because an existing Kerberos ticket can be used to establish the security context.

Java Secure Socket Extension (JSSE)

JSSE provides SSL/TLS. It secures communication by protecting the integrity and confidentiality of exchanged data and by authenticating the peers, through a standardized API (SSLContext, SSLSocket/SSLServerSocket, SSLEngine, TrustManager, KeyManager) for client and server applications. Any protocol that layers on TLS can be built on it: HTTPS (HTTP over TLS), SMTP over TLS, LDAPS, RMI/IIOP over SSL, and other standards-based secure protocols. SSH and IPsec are separate protocols, not TLS, and are outside JSSE's scope. Two caveats for practitioners: the default TrustManager validates server chains through the CertPath/PKIX machinery against the JDK trust store, and a raw SSLSocket does not check that the certificate names the host you connected to unless endpoint identification is enabled (HttpsURLConnection does it for you).
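
An added example, not from the original page, of a JSSE client hardened the way a practitioner would want: TLS 1.2/1.3 only and hostname verification switched on for a plain SSLSocket. The host is taken from the command line (default example.com is an assumption), so this one needs network access to run.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HardenedTlsClient {

    /** Start from the JDK defaults, then pin the protocol floor and switch on hostname verification. */
    public static SSLParameters hardenedParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(new String[] { "TLSv1.3", "TLSv1.2" });   // no TLS 1.0/1.1, no SSLv3
        // A raw SSLSocket only checks that the chain is trusted, NOT that the certificate names this host.
        // Without this line a valid certificate for attacker.example is accepted when connecting to bank.example.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        return p;
    }

    /** Opens a TLS connection and returns the negotiated session; throws on an untrusted chain, a name mismatch or no common protocol. */
    public static SSLSession handshake(String host, int port) throws IOException {
        SSLContext ctx;
        try {
            ctx = SSLContext.getDefault();   // its X509TrustManager validates chains via CertPath/PKIX against cacerts
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSSLParameters(hardenedParameters(ctx));
            socket.setSoTimeout(10_000);
            socket.startHandshake();   // SSLHandshakeException surfaces chain, name and protocol failures here
            return socket.getSession();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";   // assumption: any public HTTPS host
        try {
            SSLSession s = handshake(host, 443);
            System.out.println(s.getProtocol() + " " + s.getCipherSuite());
            System.out.println("peer: " + s.getPeerPrincipal());   // SSLPeerUnverifiedException if the peer was not authenticated
        } catch (SSLHandshakeException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The anti-pattern to grep for in code review is the opposite of this: a custom X509TrustManager whose checkServerTrusted is empty, or a HostnameVerifier that returns true, both of which silently reduce TLS to unauthenticated encryption.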

Java Security Standards (J2Security)

The Java 2 security model: permissions for applets and applications are granted by policy files and enforced at run time by the SecurityManager/AccessController, with everything not granted denied. It evolved in steps: Java 1.0 confined applets to a sandbox with no local access; Java 1.1 let an applet signed with a trusted certificate out of the sandbox entirely; Java 2 replaced that all-or-nothing choice with fine-grained permissions keyed on code source (location and signer) and, with JAAS, on principal. It exists for the case where you do not trust the developers of the code you run; if you do, avoid it. It may come into the picture with an audit requirement such as SOX. These notes put the performance hit at 25-35%. The SecurityManager was deprecated for removal in Java 17 (JEP 411) and permanently disabled in Java 24 (JEP 486), so new designs should not depend on it.
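
A policy file in the format described above, added here as an example and not taken from the original page. Paths, the keystore, the signer alias and the principal class are assumptions.

```text
// app.policy (constructed example). Anything not granted below is denied once the SecurityManager is on.
keystore "file:/opt/app/conf/signers.p12", "PKCS12";

// Code loaded from the application's own jars may read its configuration and reach the database, nothing else.
grant codeBase "file:/opt/app/lib/*" {
    permission java.io.FilePermission "/opt/app/conf/-", "read";
    permission java.net.SocketPermission "db.internal:5432", "connect,resolve";
};

// Third-party plugins get extra rights only when signed by the "release" key from the keystore above
// (the Java 1.1 "signed code is trusted" idea, narrowed to one specific permission).
grant signedBy "release", codeBase "file:/opt/app/plugins/*" {
    permission java.util.PropertyPermission "app.plugin.*", "read";
};

// Code running under a JAAS Subject (Subject.doAs) can be granted by principal rather than by origin.
grant principal com.example.UserPrincipal "alice" {
    permission java.io.FilePermission "/var/app/reports/alice/-", "read,write";
};
```

Activate it with java -Djava.security.manager -Djava.security.policy==/opt/app/conf/app.policy -jar app.jar; the double equals replaces the JDK's default policy instead of adding to it. On Java 18 to 23 the JVM additionally needs -Djava.security.manager=allow, and on Java 24 and later the mechanism is gone.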

Java Simple Authentication and Security Layer (Java SASL)

SASL (RFC 4422) is a framework that decouples application protocols from authentication mechanisms: the protocol carries opaque challenge/response messages and the mechanism (PLAIN, CRAM-MD5, DIGEST-MD5, GSSAPI/Kerberos, and so on) defines their content, so new mechanisms can be plugged in without changing the protocol. The Java SASL API is defined in JSR 28, included in the JDK since J2SE 5.0 (package javax.security.sasl) and bundled with WAS 6.1.

Java SASL defines the API for authentication and for the optional establishment of a security layer (integrity or confidentiality protection of the subsequent traffic) between client and server applications. SASL is used by protocols such as the Lightweight Directory Access Protocol, version 3 (LDAPv3) and the Internet Message Access Protocol, version 4 (IMAPv4) to enable pluggable authentication. The API is mechanism-neutral, so an application that uses it is not hardwired to any particular SASL mechanism. It serves both client and server applications and lets them select a mechanism by the security properties they require, for instance refusing mechanisms that are susceptible to passive dictionary attacks (Sasl.POLICY_NODICTIONARY), that send credentials in the clear (Sasl.POLICY_NOPLAINTEXT) or that accept anonymous authentication (Sasl.POLICY_NOANONYMOUS). Developers can also create custom SASL mechanisms; mechanism implementations are registered as SaslClientFactory/SaslServerFactory services through JCA security providers.
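
The client/server exchange and the policy-based mechanism selection described above, as an added example that is not part of the original page. It runs both sides in one process using CRAM-MD5, chosen only because the JDK ships both a client and a server implementation of it; CRAM-MD5 is obsolete and a real deployment would use GSSAPI or SCRAM. The user table, protocol name and server name are constructed for the example.

```java
import java.util.Enumeration;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

public class SaslDemo {
    // Constructed credential store for the example; a real server would consult its user database.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    /** Client side: answer the mechanism's prompts with what the user supplied. */
    static CallbackHandler clientHandler(String user, String password) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Server side: hand the mechanism the stored password for the claimed user, then decide the authorization identity. */
    static CallbackHandler serverHandler() {
        return cbs -> {
            String claimed = null;
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) {
                    claimed = ((NameCallback) cb).getDefaultName();   // the name the client put in its response
                } else if (cb instanceof PasswordCallback) {
                    char[] pw = USERS.get(claimed);
                    if (pw != null) ((PasswordCallback) cb).setPassword(pw.clone());   // unknown user: leave unset, mechanism fails
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    // Only let an authenticated user act as themselves; proxy authorization would be decided here.
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Runs the whole challenge/response exchange in-process and returns the server's authorized identity. */
    public static String authenticate(String mech, String user, String password) throws SaslException {
        SaslServer server = Sasl.createSaslServer(mech, "imap", "mail.example.test", null, serverHandler());
        SaslClient client = Sasl.createSaslClient(new String[] { mech }, null, "imap", "mail.example.test", null,
                clientHandler(user, password));
        // Some mechanisms are client-first; CRAM-MD5 is server-first, so an empty message asks for the challenge,
        // exactly as an IMAP server does when it receives "AUTHENTICATE CRAM-MD5".
        byte[] msg = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
        while (!server.isComplete()) {
            byte[] challenge = server.evaluateResponse(msg);   // the bytes the protocol would carry server -> client
            if (challenge == null) break;                        // server finished without a final message
            msg = client.evaluateChallenge(challenge);           // the bytes carried client -> server
        }
        if (!client.isComplete()) throw new SaslException("client did not complete the exchange");
        String authz = server.getAuthorizationID();
        client.dispose();
        server.dispose();
        return authz;
    }

    /** Mechanism selection by policy: the JCA-registered factories filter their mechanism lists against the requested properties. */
    public static boolean offered(String mech, Map<String, ?> policy) {
        for (Enumeration<SaslClientFactory> e = Sasl.getSaslClientFactories(policy); e.hasMoreElements(); ) {
            for (String m : e.nextElement().getMechanismNames(policy)) if (m.equals(mech)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws SaslException {
        System.out.println("authorized as: " + authenticate("CRAM-MD5", "alice", "s3cret"));
        try {
            authenticate("CRAM-MD5", "alice", "wrong");
        } catch (SaslException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // CRAM-MD5 never sends the password in clear, so it survives POLICY_NOPLAINTEXT,
        // but the HMAC it sends can be dictionary-attacked offline, so POLICY_NODICTIONARY excludes it.
        System.out.println("CRAM-MD5 with POLICY_NOPLAINTEXT : " + offered("CRAM-MD5", Map.of(Sasl.POLICY_NOPLAINTEXT, "true")));
        System.out.println("CRAM-MD5 with POLICY_NODICTIONARY: " + offered("CRAM-MD5", Map.of(Sasl.POLICY_NODICTIONARY, "true")));
    }
}
```

The exchange loop is mechanism-agnostic: it only asks hasInitialResponse(), isComplete() and passes bytes through, which is the separation of concerns the text describes. The same loop drives DIGEST-MD5 or GSSAPI with a different mechanism name and callbacks.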

Pluggable Authentication Module (PAM)

PAM is the Unix pluggable authentication framework (originally from Sun's Solaris) that JAAS models: a JAAS LoginModule plays the role of a PAM module, and the JAAS login configuration plays the role of the PAM configuration, stacking modules under the same required, requisite, sufficient and optional control flags.

Tags: AppSec