Chapter 1. An Overview of Java Technology and Security

As e-business matures, companies require enterprise-scalable functionality for their corporate Internet and intranet environments. To support the expansion of their computing boundaries, businesses have embraced Web application servers (WASs). These servers provide simplified development and deployment of Web-based applications. Web applications contain the presentation layer and encapsulate business logic connecting to back-end data stores and legacy applications. However, securing this malleable model presents a challenge. Savvy companies recognize that their security infrastructures need to address the e-business challenge. These companies are aware of the types of attacks that malevolent entities can launch against their servers, and can plan appropriate defenses.

Java technology has established itself as important in the enterprise, both for the ease with which developers can create component software and for the platform independence of the language. Java-based enterprise application servers support Java Servlet, JavaServer Pages (JSP), and Enterprise JavaBeans (EJB) technologies, providing simplified development and flexible deployment of Web-based applications.

To provide security for e-business, the Java 2 Platform, Enterprise Edition (J2EE), builds on the Java 2 Platform, Standard Edition (J2SE), core technologies. J2SE introduced a fine-grained, policy-based security model that is customizable and configurable into numerous security protection domains. This approach is a useful addition to security for component-based software. J2SE security also builds on an additional set of relatively new core technologies: Java Authentication and Authorization Service (JAAS), Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE), Java Secure Socket Extension (JSSE), Public-Key Cryptography Standards (PKCS), and support for the Public Key Infrastructure (PKI).