Segurança em Java

Três conjuntos de pacotes compõem os recursos fundamentais para segurança e criptografia na plataforma Java:

Java Cryptography Extension (JCE)
JCE é um conjunto de pacotes que provê um framework e implementações para criptografia, geração e autenticação de chaves e algoritmos de Código de Autenticação de Mensagem (MAC).
Java Secure Socket Extension (JSSE)
A Java Secure Socket Extension (JSSE) é um conjunto de pacotes que possibilita comunicações Internet seguras. Ela implementa a versão em tecnologia Java dos protocolos de Secure Sockets Layer (SSL) e Transport Layer Security (TLS). Ela inclui funcionalidade para cifragem de dados, autenticação de servidor, integridade de mensagem, e autenticação de cliente opcional. JSSE tem duas distribuições: integrada ao JDK 1.4 em diante, JSSE 1.0.3_03 como pacote opcional ao Java 2 SDK versões 1.2.x e 1.3.x.
Java Authentication and Authorization Service (JAAS)
The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. Originally introduced as an optional package (JAAS 1.0) to version 1.3 of the Java 2 SDK, JAAS was been integrated into the J2SE since JDK version 1.4.
  • Java SE Security
    Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. Java security technology provides the developer with a comprehensive security framework for writing applications, and also provides the user or administrator with a set of tools to securely manage applications.
    Recent security enhancements include integration of the JCE, JSSE, and JAAS features into the JDK rather than them being delivered as optional packages, and addition of new security features.
  • Java 6 SE JDK Security-related APIs & Developer Guides
    From Sun Microsystems. Programmer's Guides: General Security, Java Authentication and Authorization Service (JAAS), Java Cryptography Architecture (JCA) and Extension (JCE), Java Generic Security Services (Java GSS-API), Java PKCS#11 Reference Guide, Java Secure Socket Extension (JSSE), Public Key Infrastructure (PKI), Simple Authentication and Security Layer (SASL), XML Digital Signature.
    API Specification (javadoc): General Security, Certification Path, JAAS, Java GSS-API, JSSE, Java SASL, SSL/TLS-based RMI Socket Factories, XML Digital Signature, Smart Card I/O.
    Java 6 Security Enhancements, Security Tools, Security Tutorials.
    Security on JDK 5.0. Security on Java 2 SDK SE v1.4.2.
  • Java Security
    Javapedia, java.net TWiki.
  • Segurança no Java [Em Português]
    Uma introdução às APIs de criptografia e assinaturas digitais. Tutorial por Daniel Malaquias de Freitas, no GUJ - Grupo de Usuários Java.
  • Oracle Phaos Security SDKs
    Oracle Corporation has acquired Phaos Technology Corporation to incorporate Phaos' industry leading security technology into the Oracle Application Server and Oracle Identity Management products.

Criptografia - JCA & JCE

A Java Cryptography Extension (JCE) é um conjunto de pacotes que provêm um framework e implementações para criptografia, geração e autenticação de chaves, bem como algoritmos de Código de Autenticação de Mensagem (MAC). Suporte para criptografia inclui cifras simétricas, assimétricas, de bloco e fluxo (stream). O software também suporta fluxos seguros e objetos selados.

JCE era anteriormente uma pacote opcional (extensão) para o Java 2 SDK, Standard Edition (J2SE), versões 1.2.x e 1.3.x. JCE foi agora integrado no Java 2 SDK, v 1.4.

JCE 1.2 foi criado para estender as APIs Java Cryptography Architecture (JCA) disponíveis na plataforma Java 2, e estava disponível para EUA e Canadá somente, devido à regulamentação de controle de exportação dos EUA. A principal diferença entre JCE 1.2 e JCE 1.2.2 é que JCE 1.2.x é exportável fora dos EUA e Canadá. JCE integrado ao Java SDK v1.4 em diante é exportável. Provedores JCE também podem ser exportáveis.

  • Java Cryptography Architecture (JCA) Reference Guide for the Java Platform Standard Edition 6.
    Java Cryptography Extension (JCE) Reference Guide for the JDK 5.0.
    Installing JCE Providers for the Java 2 SDK, v 1.4. How to Implement a Provider for the Java Cryptography Extension in the Java 2 SDK, Standard Edition, v 1.4.
    J2SE 1.4.2 API docs: Package javax.crypto.
  • Legion of the Bouncy Castle
    O pacote de Criptografia Bouncy Castle é uma implementação Java de algoritmos criptográficos, desenvolvido pela "Legião do Castelo Tremulante" (Legion of the Bouncy Castle), anteriormente OpenJCE.org. Este software é open-source, com licença de distribuição baseada na licença do Consórcio X do MIT.
    As APIs Bouncy Castle Crypto consistem no seguinte: Uma API simples (lightweight) em Java; Um provedor para JCE e JCA; Uma implementação "clean room" para a JCE 1.2.1; Geradores para certificados X.509 Versão 1 e Versão 3 e arquivos PKCS12; Geradores para S/MIME e CMS (PKCS7); Uma versão jar assinado própria para JDK 1.4 e a Sun JCE.
  • IBM JCE
    Por IBM. IBMJCE Provider - Java Cryptography Extension (JCE) 1.2.1. A versão de JCE da IBM provê mais algoritmos que a versão da Sun.
    IBMJCE4758: JCE with Hardware Cryptography support.
  • Cryptix
    Cryptix é um esforço internacional voluntário para produzir bibliotecas de software criptográfico robusto, open-source. Os produtos Cryptix são gratuitos, tanto para uso comercial quanto não-comercial e são usados por desenvolvedores em todo o mundo. O desenvolvimento é atualmente focado em Java.
  • ISNetworks S/MIME & JCE Provider
    Provedor de serviço criptográfico open source para Java da ISNetworks. Ele inclui implementações de muitos algoritmos criptográficos no ISNetworks JCE Provider (assinado), e funciona com JDK 1.2.2 em diante.
    Por ISNetworks. Although their Java S/MIME library is no longer officially supported, they have released it under the Apache license to make it available to the public. The download includes the full source code, pre-compiled binaries, JavaDoc for the API and examples of how to use the library.
    Pinatubo JCE/JCA Provider: Java library which provides developers with programmatic access to Windows CryptoAPI. Pinatubo contains compliant providers for the Java Cryptography Architecure (JCA) and Java Cryptography Extension (JCE). The library is no longer officially supported, but ISNetworks have released the binaries under the Apache license and a full source release may follow. You can download it and use it free of charge.
  • JCE taglib
    Cryptographic tag library & Expression Language functions for JavaServer Pages (JSP).
    Por Gert Van Ham, open source licença LGPL. SourceForge projeto: jcetaglib.
  • Assembla JCE Provider for Microsoft key store
    By Assembla Trust Technology AB. Este software é fornecido gratuitamente e está disponível para uso educacional, pessoal e também comercial. Considere este um presente para a comunidade que desenvolve programas Java na plataforma Windows.
  • JHBCI, OpenSource HBCI Toolkit for Java
    By Uwe Günther. JHBCI Provider (JCA/JCE crypto provider).
  • Phaos Crypto (Comercial)
    Pure Java cryptographic library with seamless integration with JCE applications. Commercial product, by Phaos Technology Corporation.
  • RSA BSAFE (Comercial)
    RSA BSAFE for Java Developers, RSA BSAFE Crypto-J (PDF) - Cryptographic components for Java, by RSA Security. Commercial product. Fast, flexible, hardware enabled, 100% pure Java, fully compliant with the Public-Key Cryptography Standards (PKCS), signed and exportable Java Security Provider. FIPS 140 certified (2002-2007).
  • IAIK-JCE (Comercial)
    IAIK Java Cryptography Extension (JCE) Toolkit. Produto comercial. By IAIK - Institute for Applied Information Processing and Communication, Graz University of Technology.
  • JCAPI (Comercial)
    The Pheox JCAPI (Java CryptoAPI) is a JCE (Java Cryptography Extension) provider that provides access to key- and certificate stores on Microsoft operating systems. All cryptographic operations are performed by the native MS CAPI (Microsoft CryptoAPI) layer through installed CSPs (Cryptographic Service Provider) that supports cryptographic algorithms and functions.
  • Java Applet for Signing with a Smart Card
    Por Svetlin Nakov e Nikolay Nedyalkov, 2006-02-24. Background, The Problem of Digital Signing in a Web-Based Environment with a Smart Card, Building a Smart Card Applet, Defining What Is Meant By "Smart Cards", Smart Card Access Standards, Accessing Smart Cards from Java, Using the Sun PKCS#11 Provider, Configuring the Sun PKCS#11 Provider, Static Registration of the Sun PKCS#11 Provider, Dynamic Registration of the Sun PKCS#11 Provider, Configuration File of the Sun PKCS#11 Provider (pkcs11.cfg), Using the Sun PKCS#11 Provider Without a Configuration File, Unregistering the Sun PKCS#11 Provider, Extracting a Keystore from a Smart Card, Obtaining Certificates and Private Keys from a Smart Card, Signing Data with a Smart Card, Java Applet for Signing with a Smart Card, System Requirements for Accessing Smart Cards with Java Applets, Implementation of the Applet for Signing with a Smart Card, How the Applet for Signing with a Smart Card Works, Compiling and Signing the Applet, Testing the Applet with a Sample HTML Form, The Applet for Signing with a Smart Card in Action, The Subsystem for Signature and Certificate Verification, The NakovDocumentSigner System, Download the NakovDocumentSigner System, Summary. Listings.
  • PKCS#11 Signer For Java
    Open source software project hosted at Sourceforge.
  • Fast MD5 Implementation in Java
    Por Timothy W Macinta.

Infra-estrutura de Chaves Públicas (ICP/PKI) & Certificados Digitais

  • Legion of the Bouncy Castle
    Bouncy Castle Crypto APIs include: A library for reading and writing encoded ASN.1 objects, Generators for Version 1 and Version 3 X.509 certificates and PKCS12 files, Generators/Processors for S/MIME and CMS (PKCS7), Generators/Processors for OCSP (RFC 2560), Generators/Processors for OpenPGP (RFC 2440). Free and open source.
  • EJBCA, Java Certificate Authority
    Enterprise Java Beans Certificate Authority (EJBCA) is a fully functional Certificate Authority (CA), written entirely in Java and based on J2EE technology.
  • Cycom's Public Key Infrastructure (PKI)
    Cycom's PKI with Java Source is a small subset of PKI just big enough to be useful, that leverages Sun's JCA. In particular it will allow a user application to generate digital certificates and certificate requests and allow the user to act as a CA, if only for other local users.
  • NakovDocumentSigner
    NakovDocumentSigner is a framework for digitally signing document for Java-based Web applications. It is freeware open-source project initiated by Svetlin Nakov and provides the Web applications with digital signature functionality based on Public Key Infrastructure (PKI). NakovDocumentSigner consists of a digital signer Java applet and a reference Web application for signature and certificate verification. It supports signing with a PKCS#12 certificate keystore file and with a smart card.
  • Java Applet for Signing with a Smart Card
    Artigo por Svetlin Nakov, 2006-02-24, em Developer.com.

Autenticação - JAAS & Single Sign-On (SSO)

  • jGuard
    jGuard é uma biblioteca que provê segurança (autenticação e autorização) fácil para aplicações web Java. Ele é construído sobre o estável e maduro framework JAAS, que é parte das APIs Java SE. jGuard é muito flexível e permite diversas formas diferentes de configurar os mecanismos para autenticação e autorização, i.e., em um banco de dados relacional, arquivos XML, ou serviço LDAP. jGuard é projeto em SourceForge open source distribuído sob licença LGPL.
    Lançamento da versão 1.0 do jGuard [Em português].
  • OAuth
    OAuth is an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
    For Consumer developers: If you're building desktop applications, dashboard widgets or gadgets, Javascript or browser-based apps, webpage widgets - OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.
    For Service Provider developers: If you're supporting web applications, server-side APIs, mashups - If you're storing protected data on your users' behalf, they shouldn't be spreading their passwords around the web to get access to it. Use OAuth to give your users access to their data while protecting their account credentials.
    OAuth em Hueniverse, por Eran Hammer-Lahav: Explaining OAuth, 2007-09-10; Beginner's Guide to OAuth - Parte I, 2007-10-04, e Parte II, 2007-10-15.
  • Spring Security
    Spring Security provides powerful and flexible security solutions for enterprise applications developed using the Spring Framework. Formerly the Acegi Security System for Spring, Spring Security became an official Spring Portfolio project towards the end of 2007. It is a stable and mature product -- Acegi Security 1.0 was released in May 2006 after more than two and a half years of use in large production software projects. Open source. Spring Security (Acegi) provides Spring applications with instance-level ACL access control, channel security and human user detection capabilities. Acegi Security can authenticate using a variety of pluggable providers, and can authorise both web requests and method invocations.
    What's New in Spring Security 2?, por Ben Alex, criador do Acegi/Spring Security, 2007-12-06. Spring Security 2.0 Final Release: No More Dead Fairies, por Rod Johnson, 2008-04-17.
    Pathway from ACEGI to Spring Security 2.0, por Chris Baker, Javalobby, 2008-04-22.
  • OAuth for Spring Security
    The purpose of this project is to provide an OAuth implementation for Spring Security. Support is provided for both OAuth provider developers and OAuth consumer developers.
    Tutorial.

JAAS - Java Authentication and Authorization Service

The Java Authentication and Authorization Service (JAAS) is a package that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. JAAS has been integrated into the Java 2 SDK, Standard Edition, v 1.4.

SSO - Single Sign-On