Java Security
Three sets of packages are part of the fundamental security and cryptography
features of the Java platform:
- Java Cryptography Extension (JCE)
The Java Cryptography Extension (JCE) is a set of packages that provide a
framework and implementations for encryption, key generation and key
agreement, and Message Authentication Code (MAC) algorithms.
- Java Secure Socket Extension (JSSE)
The Java Secure Socket Extension (JSSE) is a set of packages that
enable secure Internet communications. It implements a Java technology
version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
protocols. It includes functionality for data encryption, server
authentication, message integrity, and optional client authentication.
JSSE has two releases: the version integrated into JDK 1.4 and later, and JSSE
1.0.3_03, an optional package for Java 2 SDK versions 1.2.x and 1.3.x.
- Java Authentication and Authorization Service (JAAS)
The Java Authentication and Authorization Service (JAAS) is a set of
APIs that enable services to authenticate and enforce access controls
upon users. It implements a Java technology version of the standard
Pluggable Authentication Module (PAM) framework, and supports user-based
authorization. Originally introduced as an optional package (JAAS 1.0)
to version 1.3 of the Java 2 SDK, JAAS has been integrated into J2SE
since JDK version 1.4.
- Java SE Security
Java security technology includes a large set of APIs, tools, and implementations
of commonly used security algorithms, mechanisms, and protocols.
The Java security APIs span a wide range of areas, including cryptography,
public key infrastructure, secure communication, authentication, and access control.
Java security technology provides the developer with a comprehensive security
framework for writing applications, and also provides the user or administrator
with a set of tools to securely manage applications.
Recent security enhancements include integration of the JCE, JSSE, and JAAS
features into the JDK, rather than delivering them as optional packages,
and the addition of new security features.
- Java 6 SE JDK Security-related APIs & Developer Guides
From Sun Microsystems.
Java 6 Security Enhancements. Security Guides: General Security,
Certification Path, Java Authentication and Authorization Service (JAAS),
Java Generic Security Services (Java GSS-API), Java Cryptography Extension (JCE),
Java Secure Socket Extension (JSSE), Simple Authentication and Security Layer (SASL),
XML Digital Signature.
Security API Specification (javadoc), Security Tools, Security Tutorials.
Security on JDK 5.0.
Security on Java 2 SDK SE v1.4.2.
- Java Security
Javapedia, java.net TWiki.
- Oracle Phaos Security SDKs
Oracle Corporation has acquired Phaos Technology Corporation to
incorporate Phaos' industry leading security technology into the Oracle
Application Server and Oracle Identity Management products.
Cryptography - JCA & JCE
The Java Cryptography Extension (JCE) is a set of packages that provide a
framework and implementations for encryption, key generation and key
agreement, and Message Authentication Code (MAC) algorithms.
Support for encryption includes symmetric, asymmetric, block and stream ciphers.
The software also supports secure streams and sealed objects.
JCE was previously an optional package (extension) to the Java 2 SDK,
Standard Edition (J2SE), versions 1.2.x and 1.3.x.
JCE has now been integrated into the Java 2 SDK, v 1.4.
JCE 1.2 was created to extend the Java Cryptography Architecture (JCA) APIs
available in the Java 2 platform, and was available within the U.S. and
Canada only, subject to U.S. export control regulations.
The primary difference between JCE 1.2 and JCE 1.2.2 is that JCE 1.2.x
is exportable outside the U.S. and Canada. JCE integrated into the Java 2 SDK
v1.4 is exportable. JCE providers may also be exportable.
- Java Cryptography Architecture (JCA) Reference Guide
for the Java Platform Standard Edition 6.
Java Cryptography Extension (JCE) Reference Guide for the JDK 5.0.
Installing JCE Providers for the Java 2 SDK, v 1.4.
How to Implement a Provider for the Java Cryptography Extension
in the Java 2 SDK, Standard Edition, v 1.4.
J2SE 1.4.2 API docs: Package javax.crypto.
- Legion of the Bouncy Castle
The Bouncy Castle Crypto package is a Java implementation of cryptographic
algorithms, developed by the Legion of the Bouncy Castle,
formerly OpenJCE.org.
This software is open-source, distributed under a license based on the MIT X
Consortium license.
The Bouncy Castle Crypto APIs consist of the following:
A lightweight cryptography API in Java; A provider for the JCE and JCA;
A clean room implementation of the JCE 1.2.1;
Generators for Version 1 and Version 3 X.509 certificates and PKCS12 files;
Generators for S/MIME and CMS (PKCS7);
A signed jar version suitable for JDK 1.4 and the Sun JCE.
- IBM JCE
By IBM. IBMJCE Provider - Java Cryptography Extension (JCE) 1.2.1.
The IBM version of JCE provides more algorithms than the Sun version.
IBMJCE4758: JCE with Hardware Cryptography support.
- Cryptix
Cryptix is an international volunteer effort to produce robust,
open-source cryptographic software libraries. Cryptix products are free,
both for commercial and non-commercial use and are being used by
developers all over the world. Development is currently focused on Java.
- ISNetworks S/MIME & JCE Provider
This is ISNetworks' open source cryptographic service provider for Java.
It includes implementations of many cryptographic algorithms in the
ISNetworks JCE Provider (signed), and works under JDK 1.2.2 or newer.
By ISNetworks.
Although their Java S/MIME library is no longer officially supported, they
have released it under the Apache license to make it available to the public.
The download includes the full source code, pre-compiled binaries, JavaDoc
for the API and examples of how to use the library.
Pinatubo JCE/JCA Provider:
Java library which provides developers with programmatic access to Windows
CryptoAPI. Pinatubo contains compliant providers for the Java Cryptography
Architecture (JCA) and Java Cryptography Extension (JCE).
The library is no longer officially supported, but ISNetworks have released
the binaries under the Apache license and a full source release may follow.
You can download it and use it free of charge.
- JCE taglib
Cryptographic tag library & Expression Language functions for
JavaServer Pages (JSP).
By Gert Van Ham, open source LGPL license.
SourceForge project: jcetaglib.
- Assembla JCE Provider for Microsoft key store
By Assembla Trust Technology AB. This software is provided free of charge
and is available for educational, personal and commercial use.
Take this as a gift to the community who develops Java programs on the
Windows platform.
- JHBCI, OpenSource HBCI Toolkit for Java
By Uwe Günther. JHBCI Provider (JCA/JCE crypto provider).
- Phaos Crypto (Commercial)
Pure Java cryptographic library with seamless integration with JCE applications.
Commercial product, by Phaos Technology Corporation.
- RSA BSAFE (Commercial)
RSA BSAFE for Java Developers,
RSA BSAFE Crypto-J (PDF) - Cryptographic components for Java, by RSA Security.
Commercial product. Fast, flexible, hardware enabled, 100% pure Java,
fully compliant with the Public-Key Cryptography Standards (PKCS),
signed and exportable Java Security Provider.
FIPS 140 certified (2002-2007).
- IAIK-JCE (Commercial)
IAIK Java Cryptography Extension (JCE) Toolkit. Commercial product.
By IAIK - Institute for Applied Information Processing and Communication,
Graz University of Technology.
- Fast MD5 Implementation in Java
By Timothy W Macinta.
Public Key Infrastructure (PKI)
- Legion of the Bouncy Castle
Bouncy Castle Crypto APIs include: A library for reading and writing
encoded ASN.1 objects, Generators for Version 1 and Version 3 X.509
certificates and PKCS12 files, Generators/Processors for S/MIME and CMS
(PKCS7), Generators/Processors for OCSP (RFC 2560),
Generators/Processors for OpenPGP (RFC 2440). Free and open source.
- EJBCA, Java Certificate Authority
Enterprise Java Beans Certificate Authority (EJBCA) is a fully functional
Certificate Authority (CA), written entirely in Java and based on J2EE
technology.
- Cycom's Public Key Infrastructure (PKI)
Cycom's PKI with Java Source is a small subset of PKI just big enough to
be useful, that leverages Sun's JCA. In particular it will allow a user
application to generate digital certificates and certificate requests
and allow the user to act as a CA, if only for other local users.
Authentication - JAAS & Single Sign-On (SSO)
- jGuard
jGuard is a library that provides easy security (authentication and authorization)
for Java web applications. It is built over the stable and mature JAAS
framework, which is part of the Java SE APIs.
jGuard is very flexible and allows several different ways to configure those
mechanisms for authentication and authorization, e.g., in a relational
database, XML files, or an LDAP service. jGuard is an open source
project at SourceForge, released under the LGPL license.
- OAuth
OAuth is an open protocol to allow secure API authentication in a simple and
standard method from desktop and web applications.
For Consumer developers: If you're building desktop applications, dashboard
widgets or gadgets, JavaScript or browser-based apps, or webpage widgets,
OAuth is a simple way to publish and interact with protected data.
It's also a safer and more secure way for people to give you access.
For Service Provider developers: If you're supporting web applications,
server-side APIs, or mashups, and you're storing protected data on your users'
behalf, they shouldn't be spreading their passwords around the web to get
access to it. Use OAuth to give your users access to their data while
protecting their account credentials.
OAuth at Hueniverse,
by Eran Hammer-Lahav:
Explaining OAuth, 2007-09-10;
Beginner's Guide to OAuth - Part I, 2007-10-04, and
Part II, 2007-10-15.
- Spring Security
Spring Security provides powerful and flexible security solutions for
enterprise applications developed using the Spring Framework.
Formerly the Acegi Security
System for Spring, Spring Security became an official Spring Portfolio
project towards the end of 2007. It is a stable and mature product -- Acegi
Security 1.0 was released in May 2006 after more than two and a half years of
use in large production software projects. Open source.
Spring Security (Acegi) provides Spring applications with instance-level ACL
access control, channel security and human user detection capabilities.
Acegi Security can authenticate using a variety of pluggable providers, and
can authorise both web requests and method invocations.
What's New in Spring Security 2?, by Ben Alex, Acegi/Spring Security creator,
2007-12-06.
Spring Security 2.0 Final Release: No More Dead Fairies, by Rod Johnson, 2008-04-17.
Pathway from ACEGI to Spring Security 2.0, by Chris Baker, Javalobby, 2008-04-22.
- OAuth for Spring Security
The purpose of this project is to provide an OAuth implementation for
Spring Security. Support is provided for both OAuth provider developers and
OAuth consumer developers.
Tutorial.
JAAS - Java Authentication and Authorization Service
The Java Authentication and Authorization Service (JAAS) is a package that
enables services to authenticate and enforce access controls upon users.
It implements a Java version of the standard Pluggable Authentication Module
(PAM) framework, and supports user-based authorization.
JAAS has been integrated into the Java 2 SDK, Standard Edition, v 1.4.
- Introduction to JAAS and Java GSS-API Tutorials
Java SE 5.0, Java Authentication and Authorization Service (JAAS).
The Java GSS-API contains the Java bindings for the Generic Security
Services Application Program Interface (GSS-API) defined in RFC 2853.
- Java 6 SE Security: JAAS
JAAS Reference Guide for the J2SE Development Kit 5.0.
JAAS Reference Guide for the Java 2 SDK, Standard Edition, v 1.4.
- Introduction to JAAS and Using JAAS
Sun Java Developer Connection (JDC) Tech Tips, July 27, 2001.
This issue covers the Java Authentication and Authorization Service (JAAS).
It introduces some key concepts in JAAS and shows you how to make use of these concepts.
- Using JAAS for Authorization & Authentication
TheServerSide.COM, Enterprise Java Community article, August 2002.
How JAAS enables use of custom security repositories with J2EE applications,
contributed by Pramati.
The Power of JAAS: Security System Alternatives, by Frank Teti, October 2005.
- Java authorization internals
A guided tour of the Java 2 platform and JAAS authorization architectures.
By Abhijit Belapurkar, Senior Technical Architect, Infosys Technologies Limited.
IBM developerWorks Java technology, 04 May 2004.
Extend JAAS for class instance-level authorization, by Carlos Fonseca,
Software Engineer, IBM, 01 Apr 2002.
- JAAS Security in Action
By Kyle Gabhart, November 7, 2002, DevX.com.
- All that JAAS
By John Musser and Paul Feuer, September 13, 2002, Java World.
- High Level Java: Advanced Authentication in WebSphere Application Server
Extending JAAS. By Keys Botzum; Bill Hines; Paul Ilechko; Messaoud Benantar.
Dec. 28, 2005, Sys-Con Media.
- JAAS Modules
This is a small collection of plug-in modules for the Java Authentication
and Authorization Service (JAAS) implementation; the source code is released under
the GNU LGPL (Lesser General Public License). It includes a version of
Tomas Restrepo's WSSPI library that jumps through all the hoops that must
be jumped through to authenticate a user under Win32.
SSO - Single Sign-On
- Open Web SSO - OpenSSO
The opensso project is based on the code base of the Sun Java System Access
Manager product, a core identity infrastructure product offered by Sun
Microsystems. Licensed under CDDL 1.0.
First to Open Source Web Single Sign-On, Sun Microsystems,
July 13, 2005.
Best Practices Guide for Enabling Single Sign-On with Sun Java System
Access Manager, June 17, 2004.
Securing Applications With Identity Services, Part 1: Authentication,
by Aravindan Ranganathan and Marina Sum, 2007-10-11, Sun Developer Network (SDN).
- Java Open Single SignOn - JOSSO
- Open Source Identity Management Solutions Written in Java
By Manageability.
- The Host Container - Single Sign On Valve
Apache Tomcat 5.5 Configuration Reference.
The Valve Component - Single Sign On Valve.
- J2EE security: Container versus custom
Choose the appropriate type of security for your application.
By Brian Pontarelli, July 26, 2004, JavaWorld.
- Implementing single sign-on with a Tomcat valve
Article by Simon Brown, 4 November 2004.
- JBoss.com Wiki - Single Sign On
Web Tier Single Sign On on JBoss AS:
Non-Clustered SSO using Tomcat SSO (beginning with JBoss-3.2.3),
Clustered SSO using JBossCache (beginning with JBoss-3.2.4).
- Simplify enterprise Java authentication with single sign-on
Design secure client/server Java applications that use GSS-API and
Kerberos tickets to implement SSO.
By Faheem Khan, IBM developerWorks, 09 Sep 2003.
- Implement Single Sign-on with JAAS
By James Tao, October 21, 2002, DevX.com.
- See: Security: Applications: Single Sign-On (SSO)
- See: PAM - Pluggable Authentication Modules