1.3 Java Technology as Part of Security

Java technology is not an island. It is part of a larger, often heterogenous, computing environment. For example, a stand-alone Java application is not running in isolation. It is running on top of an operating system and functions within an existing enterprise security infrastructure.

Enterprise operating systems offer authentication and authorization services via a directory service, a system used to manage user identities and services within an enterprise. Enterprises invest resources in training their staffs and developing tools to use these directory services. Therefore, it is incumbent on Java technology to integrate with these security services rather than to operate independently, which would make it difficult, if not impossible , to create integrated applications and security. This is why JAAS is designed to interact with existing authentication and authorization services. Examples of this integration can be found in the set of J2SE classes that allow JAAS to use Kerberos for authentication. JAAS also interoperates with existing directory services, including those on such operating systems as UNIX, z/OS, ^[3] Linux, and Windows.

^[3] Previously known as Operating System/390 (OS/390) and Multiple Virtual Storage (MVS).

An enterprise's security infrastructure may include an existing PKI from one or more vendors . This infrastructure includes support for digital certificates used for a variety of cryptographic services, such as authentication. Java components must interface with a PKI and indeed do so via JCA, JCE, and CertPath.

An e-business is more than the Java language and its runtime libraries. A WAS includes an HTTP server, the application containers for servlets and JSP applications and for EJB components, and support for messaging via JMS, database access via JDBC, database-stored procedures via SQLJ, e-mail via JavaMail, and other services. Many of these services are not written in the Java language. These computing elements do not stand alone. Security must be integrated and interoperable. As previously mentioned, J2SE contains an integrated set of security services. In fact, it would have been detrimental to create a new set of Java-specific security services or one for each of the elements of a WAS, as they may not seamlessly integrate, generating opportunities for an adversary to slide in between the cracks. Java technology provides many advantages for component and application developers to create portable applications, particularly in a heterogeneous computing environment. That is why its security must be and is integrated into the enterprise.