How Do the Components Fit Together?

As previously mentioned, a number of Java components support the various security elements described earlier. Some of them, such as JAAS, JSSE, and the Java GSS-API, require very little effort to write into a Java application. Others, such as the MessageDigest class, are handled individually and require more work and more decisions before they can be used in a Java application. Some of the decisions to be made when using the MessageDigest class include:

  • The digest algorithm, for instance MD5 or SHA-1, whose output is compared with a trusted digest.

  • Where the trusted digest is stored and how it is located.

  • The type of encryption algorithms, if any, to be used.

The organization should have a set of requirements that specifically govern these decisions, to ensure that the MessageDigest class is used correctly and that a message which fails validation is rejected rather than used. A failed validation may mean that an attack is in progress, and an attack in progress should be monitored, usually by means of an audit trail. The organization should have a plan for responding when an attack occurs and be prepared to dedicate tools, time, and resources to protecting itself.
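As an added example, not code from the book, the following Java helper makes the decisions listed above explicit: the caller supplies the algorithm name and the trusted digest (the book names MD5 and SHA-1 as options; this example assumes SHA-256), the comparison uses MessageDigest.isEqual, and a failed validation writes an audit record and rejects the message. The DigestValidator class, the "security.audit" logger name, and the sample message and digest are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;

// Hypothetical helper: validates a message against a trusted digest and audits failures.
public class DigestValidator {
    private static final Logger AUDIT = Logger.getLogger("security.audit"); // assumed logger name
    private final String algorithm;     // decision 1: the digest algorithm (e.g. "SHA-256")
    private final byte[] trustedDigest; // decision 2: the trusted digest, loaded from a protected store

    public DigestValidator(String algorithm, String trustedDigestHex) {
        this.algorithm = algorithm;
        this.trustedDigest = hexToBytes(trustedDigestHex);
    }

    // Returns true only if the message's digest matches the trusted digest.
    public boolean validate(byte[] message, String source) throws NoSuchAlgorithmException {
        byte[] actual = MessageDigest.getInstance(algorithm).digest(message);
        // isEqual compares in constant time, so response timing does not reveal how many bytes matched.
        boolean ok = MessageDigest.isEqual(trustedDigest, actual);
        if (!ok) {
            // A failed validation may be an attack in progress: record it in the audit trail, reject the message.
            AUDIT.warning("digest mismatch source=" + source + " algorithm=" + algorithm
                    + " expected=" + bytesToHex(trustedDigest) + " actual=" + bytesToHex(actual));
        }
        return ok;
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the trusted SHA-256 digest of "hello", as it would be read from a protected store.
        DigestValidator v = new DigestValidator("SHA-256",
                "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824");
        byte[] genuine = "hello".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "hellp".getBytes(StandardCharsets.UTF_8); // constructed altered message
        System.out.println("genuine accepted:  " + v.validate(genuine, "sample-sender"));
        System.out.println("tampered accepted: " + v.validate(tampered, "sample-sender"));
    }
}
```

The second call is rejected and the java.util.logging ConsoleHandler prints the WARNING audit record, which is the kind of entry an organization would retain as evidence of the attempt.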

There are many organizations that might not consider an attack important, but later find that their Web sites are down and that confidential information has been made public. An attack on an organization's systems should be seen as just that: an attack, possibly by an enemy trying to bring down the organization, and the attacker should be treated as the organization's enemy. There have been many instances in which hackers were prosecuted and the only evidence was the organization's audit files that logged the attack. If an organization fails to keep information such as this, then my question would be: how does the organization plan to stop an attacker?

Another security concept, besides auditing, that needs to be introduced is the concept of isolation. In several organizations that I have known, the only way to prevent hackers was to isolate their networks from the Internet or through firewalls. Java's socket and network support is still evolving.

Many hardware and software packages, and many languages, provide applications that support network security and firewalls. What Java does provide is authorization through the java.net.SocketPermission class, which can deny users rights to sockets from within a Java application.

Cross-reference: See Chapter 21 for more information on network security.

Figure 3-10 provides an overview of some of the Java components discussed in this chapter. This is merely a starting point in the discussion of Java components; many more are discussed throughout the book. Organizations and individuals alike can greatly evolve and enhance the Java components, because protocols and algorithms are added in the SPI layer without changing the Java API.

Figure 3-10: An overview of the Java components

Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222