Java Security

Three sets of packages are part of the fundamental security and cryptopraphy features of the Java platform:

Java Cryptography Extension (JCE)
The Java Cryptography Extension (JCE) is a set of packages that provide a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms.
Java Secure Socket Extension (JSSE)
The Java Secure Socket Extension (JSSE) is a set of packages that enable secure Internet communications. It implements a Java technology version of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes functionality for data encryption, server authentication, message integrity, and optional client authentication. JSSE has two releases: integrated into the JDK 1.4 and later, JSSE 1.0.3_03 as optional package to the Java 2 SDK versions 1.2.x and 1.3.x.
Java Authentication and Authorization Service (JAAS)
The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. Originally introduced as an optional package (JAAS 1.0) to version 1.3 of the Java 2 SDK, JAAS was been integrated into the J2SE since JDK version 1.4.
  • Java SE Security
    Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. Java security technology provides the developer with a comprehensive security framework for writing applications, and also provides the user or administrator with a set of tools to securely manage applications.
    Recent security enhancements include integration of the JCE, JSSE, and JAAS features into the JDK rather than them being delivered as optional packages, and addition of new security features.
  • Java 6 SE JDK Security-related APIs & Developer Guides
    From Sun Microsystems. Programmer's Guides: General Security, Java Authentication and Authorization Service (JAAS), Java Cryptography Architecture (JCA) and Extension (JCE), Java Generic Security Services (Java GSS-API), Java PKCS#11 Reference Guide, Java Secure Socket Extension (JSSE), Public Key Infrastructure (PKI), Simple Authentication and Security Layer (SASL), XML Digital Signature.
    API Specification (javadoc): General Security, Certification Path, JAAS, Java GSS-API, JSSE, Java SASL, SSL/TLS-based RMI Socket Factories, XML Digital Signature, Smart Card I/O.
    Java 6 Security Enhancements, Security Tools, Security Tutorials.
    Security on JDK 5.0. Security on Java 2 SDK SE v1.4.2.
  • Java Security
    Javapedia, TWiki.
  • Oracle Phaos Security SDKs
    Oracle Corporation has acquired Phaos Technology Corporation to incorporate Phaos' industry leading security technology into the Oracle Application Server and Oracle Identity Management products.

Cryptography - JCA & JCE

The Java Cryptography Extension (JCE) is a set of packages that provide a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block and stream ciphers. The software also supports secure streams and sealed objects.

JCE was previously an optional package (extension) to the Java 2 SDK, Standard Edition (J2SE), versions 1.2.x and 1.3.x. JCE has now been integrated into the Java SDK, v1.4 and further.

JCE 1.2 was created to extend the Java Cryptography Architecture (JCA) APIs available in the Java 2 platform, and was available within the U.S. and Canada only, subjected to U.S. export control regulations. The primary difference between JCE 1.2 and JCE 1.2.2 is that JCE 1.2.x is exportable outside the U.S. and Canada. JCE integrated into the Java 2 SDK v1.4 is exportable. JCE providers may also be exportable.

  • Java Cryptography Architecture (JCA) Reference Guide for the Java Platform Standard Edition 6.
    Java Cryptography Extension (JCE) Reference Guide for the JDK 5.0.
    Installing JCE Providers for the Java 2 SDK, v 1.4. How to Implement a Provider for the Java Cryptography Extension in the Java 2 SDK, Standard Edition, v 1.4.
    J2SE 1.4.2 API docs: Package javax.crypto.
  • Legion of the Bouncy Castle
    The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms, developed by the Legion of the Bouncy Castle, formerly This software is open-source, distributed under a license based on the MIT X Consortium license.
    The Bouncy Castle Crypto APIs consist of the following: A lightweight cryptography API in Java; A provider for the JCE and JCA; A clean room implementation of the JCE 1.2.1; Generators for Version 1 and Version 3 X.509 certificates and PKCS12 files; Generators for S/MIME and CMS (PKCS7); A signed jar version suitable for JDK 1.4 and the Sun JCE.
    By IBM. IBMJCE Provider - Java Cryptography Extension (JCE) 1.2.1. The IBM version of JCE provides more algorithms than the Sun version.
    IBMJCE4758: JCE with Hardware Cryptography support.
  • Cryptix
    Cryptix is an international volunteer effort to produce robust, open-source cryptographic software libraries. Cryptix products are free, both for commercial and non-commercial use and are being used by developers all over the world. Development is currently focused on Java.
  • ISNetworks S/MIME & JCE Provider
    This is ISNetworks open source cryptographic service provider for Java. It includes implementations of many cryptographic algorithms in the ISNetworks JCE Provider (signed), and works under JDK 1.2.2 or newer.
    By ISNetworks. Although their Java S/MIME library is no longer officially supported, they have released it under the Apache license to make it available to the public. The download includes the full source code, pre-compiled binaries, JavaDoc for the API and examples of how to use the library.
    Pinatubo JCE/JCA Provider: Java library which provides developers with programmatic access to Windows CryptoAPI. Pinatubo contains compliant providers for the Java Cryptography Architecure (JCA) and Java Cryptography Extension (JCE). The library is no longer officially supported, but ISNetworks have released the binaries under the Apache license and a full source release may follow. You can download it and use it free of charge.
  • JCE taglib
    Cryptographic tag library & Expression Language functions for JavaServer Pages (JSP).
    By Gert Van Ham, open source LGPL license. SourceForge project: jcetaglib.
  • Assembla JCE Provider for Microsoft key store
    By Assembla Trust Technology AB. This software is provided free of charge and is available for use both in educational, personal and commercial use. Take this as a gift to the community who develops Java programs on the Windows platform.
  • JHBCI, OpenSource HBCI Toolkit for Java
    By Uwe Günther. JHBCI Provider (JCA/JCE crypto provider).
  • Phaos Crypto (Commercial)
    Pure Java cryptographic library with seamless integration with JCE applications. Commercial product, by Phaos Technology Corporation.
  • RSA BSAFE (Commercial)
    RSA BSAFE for Java Developers, RSA BSAFE Crypto-J (PDF) - Cryptographic components for Java, by RSA Security. Commercial product. Fast, flexible, hardware enabled, 100% pure Java, fully compliant with the Public-Key Cryptography Standards (PKCS), signed and exportable Java Security Provider. FIPS 140 certified (2002-2007).
  • IAIK-JCE (Commercial)
    IAIK Java Cryptography Extension (JCE) Toolkit. Commercial product. By IAIK - Institute for Applied Information Processing and Communication, Graz University of Technology.
  • JCAPI (Commercial)
    The Pheox JCAPI (Java CryptoAPI) is a JCE (Java Cryptography Extension) provider that provides access to key- and certificate stores on Microsoft operating systems. All cryptographic operations are performed by the native MS CAPI (Microsoft CryptoAPI) layer through installed CSPs (Cryptographic Service Provider) that supports cryptographic algorithms and functions.
  • Java Applet for Signing with a Smart Card
    By Svetlin Nakov and Nikolay Nedyalkov, 2006-02-24. Background, The Problem of Digital Signing in a Web-Based Environment with a Smart Card, Building a Smart Card Applet, Defining What Is Meant By "Smart Cards", Smart Card Access Standards, Accessing Smart Cards from Java, Using the Sun PKCS#11 Provider, Configuring the Sun PKCS#11 Provider, Static Registration of the Sun PKCS#11 Provider, Dynamic Registration of the Sun PKCS#11 Provider, Configuration File of the Sun PKCS#11 Provider (pkcs11.cfg), Using the Sun PKCS#11 Provider Without a Configuration File, Unregistering the Sun PKCS#11 Provider, Extracting a Keystore from a Smart Card, Obtaining Certificates and Private Keys from a Smart Card, Signing Data with a Smart Card, Java Applet for Signing with a Smart Card, System Requirements for Accessing Smart Cards with Java Applets, Implementation of the Applet for Signing with a Smart Card, How the Applet for Signing with a Smart Card Works, Compiling and Signing the Applet, Testing the Applet with a Sample HTML Form, The Applet for Signing with a Smart Card in Action, The Subsystem for Signature and Certificate Verification, The NakovDocumentSigner System, Download the NakovDocumentSigner System, Summary. Listings.
  • PKCS#11 Signer For Java
    Open source software project hosted at Sourceforge.
  • Fast MD5 Implementation in Java
    By Timothy W Macinta.

Public Key Infrastructure (PKI) & Digital Certificates

  • Legion of the Bouncy Castle
    Bouncy Castle Crypto APIs include: A library for reading and writing encoded ASN.1 objects, Generators for Version 1 and Version 3 X.509 certificates and PKCS12 files, Generators/Processors for S/MIME and CMS (PKCS7), Generators/Processors for OCSP (RFC 2560), Generators/Processors for OpenPGP (RFC 2440). Free and open source.
  • EJBCA, Java Certificate Authority
    Enterprise Java Beans Certificate Authority (EJBCA) is a fully functional Certificate Authority (CA), written entirely in Java and based on J2EE technology.
  • Cycom's Public Key Infrastructure (PKI)
    Cycom's PKI with Java Source is a small subset of PKI just big enough to be useful, that leverages Sun's JCA. In particular it will allow a user application to generate digital certificates and certificate requests and allow the user to act as a CA, if only for other local users.
  • NakovDocumentSigner
    NakovDocumentSigner is a framework for digitally signing document for Java-based Web applications. It is freeware open-source project initiated by Svetlin Nakov and provides the Web applications with digital signature functionality based on Public Key Infrastructure (PKI). NakovDocumentSigner consists of a digital signer Java applet and a reference Web application for signature and certificate verification. It supports signing with a PKCS#12 certificate keystore file and with a smart card.
  • Java Applet for Signing with a Smart Card
    Article by Svetlin Nakov, 2006-02-24, on

Authentication - JAAS & Single Sign-On (SSO)

  • jGuard
    jGuard is a library that provides easy security (authentication and authorization) for Java web applications. It is built over the stable and mature JAAS framework, which is part of the Java SE APIs. jGuard is very flexible and allows several different ways to configure those mechanisms for authentication and authorization, i.e., in a relational database, XML files, or LDAP service. jGuard is open source project at SourceForge released under LGPL license.
  • OAuth
    OAuth is an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
    For Consumer developers: If you're building desktop applications, dashboard widgets or gadgets, Javascript or browser-based apps, webpage widgets - OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.
    For Service Provider developers: If you're supporting web applications, server-side APIs, mashups - If you're storing protected data on your users' behalf, they shouldn't be spreading their passwords around the web to get access to it. Use OAuth to give your users access to their data while protecting their account credentials.
    OAuth at Hueniverse, by Eran Hammer-Lahav: Explaining OAuth, 2007-09-10; Beginner's Guide to OAuth - Part I, 2007-10-04, and Part II, 2007-10-15.
  • Spring Security
    Spring Security provides powerful and flexible security solutions for enterprise applications developed using the Spring Framework. Formerly the Acegi Security System for Spring, Spring Security became an official Spring Portfolio project towards the end of 2007. It is a stable and mature product -- Acegi Security 1.0 was released in May 2006 after more than two and a half years of use in large production software projects. Open source. Spring Security (Acegi) provides Spring applications with instance-level ACL access control, channel security and human user detection capabilities. Acegi Security can authenticate using a variety of pluggable providers, and can authorise both web requests and method invocations.
    What's New in Spring Security 2?, by Ben Alex, Acegi/Spring Security creator, 2007-12-06. Spring Security 2.0 Final Release: No More Dead Fairies, by Rod Johnson, 2008-04-17.
    Pathway from ACEGI to Spring Security 2.0, by Chris Baker, Javalobby, 2008-04-22.
  • OAuth for Spring Security
    The purpose of this project is to provide an OAuth implementation for Spring Security. Support is provided for both OAuth provider developers and OAuth consumer developers.

JAAS - Java Authentication and Authorization Service

The Java Authentication and Authorization Service (JAAS) is a package that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. JAAS has been integrated into the Java 2 SDK, Standard Edition, v 1.4.

SSO - Single Sign-On