`
`Page 1 of 275
`
`GOOGLE EXHIBIT 1016
`
`Page 1 of 275
`
`GOOGLE EXHIBIT 1016
`
`

`

`
`
`Page 2 of 275
`
`

`

`301773199 .
`
`NORTH CAROLINA STATE UNIVERSITY UBIIARIES
`II IIIIIII |III
`I
`IIIIIII
`I
`III
`
`‘
`I
`
`'
`L
`
`
`
`Page 3 of 275
`
`

`

`Inside JavaTM 2
`
`Platform Security
`
`EXCEPTION: Date due will be
`earlier if this item is RECALLED.
`
`This book is due on the date indicated
`below and is subject to an overdue
`fine as posted at the circulation desk.
`
`
`
`SEP 2 5 2002
`
`200M/OS-99-991212
`
`Page 4 of 275
`
`

`

`The Java‘” Series
`
`Ken Arnold and James Gosling, The Javam
`Programming Language, Second Edition
`ISBN 0401610066
`
`Mary Campione and Kathy Walrath, The JavaTM
`Tutorial, Second Edition: Object-Oriented
`Programming for the Internet (Book/CD)
`ISBN 0—201-31007—4
`
`Mary Campione, Kathy Walrath, Alison Huml, and
`the Tutorial Team, The Java” Tutorial Continued:
`The Rest of the JDK'“ (Book/CD)
`ISBN 0-201-48558-3
`
`Patrick Chan, The Java“ Developers Almanac I 999
`ISBN 0—201-43298-6
`
`Patrick Chan and Rosanna Lee, The Java‘” Class
`Libraries, Second Edition, Volume 2: java.applet,
`javaawt, java. beans
`ISBN 0—201—31003—1
`
`Patrick Chan, Rosanna Lee, and Doug Kramer,
`The Java’” Class Libraries, Second Edition,
`Volume 1: java. i0, java. lang, java.math,
`javanet, javatext, javaulil
`ISBN 0—201—31002-3
`
`Patrick Chan, Rosanna Lee, and Doug Kramer,
`The Java“ Class Libraries, Second Edition,
`Volume I : Supplementfor the Java“ 2 Platform,
`Standard Edition, v1.2
`ISBN 0—201-48552-4
`
`Li Gong, Inside the Java“ 2 Platform Security
`Architecture: Cryptography, APIs, and
`Implementation
`ISBN 0-201—31000-7
`
`James Gosling, Bill Joy, and Guy Steele,
`The Java“ Language Specification
`ISBN 0-201-63451-1
`
`James Gosling, Frank Yellin, and The Java Team,
`The Java‘“ Application Programming Interface,
`Volume I: Care Packages
`ISBN 0-201-63453-8
`
`James Gosling, Frank Yellin, and The Java Team,
`The Java” Application Programming Interface,
`Volume 2: Window Toolkit and Applets
`ISBN 0-201—63459—7
`
`Jonni Kanerva, The Java“ FAQ
`ISBN 0—201-63456-2
`
`Doug Lea, Concurrent Programming in Java”:
`Design Principles and Patterns
`ISBN 0-201—69581-2
`
`Sheng Liang, The Java” Native Interface:
`Programmer’s Guide and Specification
`ISBN 0-201-32577-2
`
`Tim Lindholm and Frank Yellin, The Java'“ Virtual
`Machine Specification, Second Edition
`ISBN 0—201-43294—3
`
`Henry Sowizral, Kevin Rushforth, and Michael
`Deering, The Java“ 3D API Specification
`ISBN 0—201—32576—4
`
`Kathy Walrath and Mary Campione, The JFC Swing
`Tutorial: A Guide to Constructing GUIs
`ISBN 0-201-43321-4
`
`Seth White, Maydene Fisher, Rick Cattell, Graham
`Hamilton, and Mark Hapner, JDBC“ API Tutorial
`and Reference, Second Edition: Universal Data
`Access for the Java” 2 Platform
`
`Lisa Friendly, Series Editor
`Tim Lindholm, Technical Editor
`Please see our web site (http://www.awl.com /cseng/javaseries) for more information on these titles.
`
`ISBN 0—201—43328-1
`
`Page 5 of 275
`
`

`

`Inside Javam 2
`Platform Security
`
`Bonn - Amsterdam 0 Tokyo 0 Mexico City
`
`
`
`
`
`Architecture, API Design,
`and Implementation
`
`A
`VV
`
`ADDISON-WESLEY
`
`An imprint of Addison Wesley Longman, Inc.
`Reading, Massachusetts 0 Harlow, England - Menlo Park, California
`Berkeley, California - Don Mills, Ontario 0 Sydney
`
`Page 6 of 275
`
`

`

`THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
`EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
`OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGE-
`MENT.
`
`THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHI-
`CAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN;
`THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE PUBLICATION.
`SUN MICROSYSTEMS, INC., MAY MAKE IMPROVEMENTS AND/OR CHANGES IN ANY
`TECHNOLOGY, PRODUCT, OR PROGRAM DESCRIBED IN THIS PUBLICATION AT ANY
`TIlVIE.
`
`The publisher offers discounts on this book when ordered in quantity for special sales. For more information, please
`contact: Corporate, Government and Special Sales; Addison Wesley Longman, 1118.; One Jacob Way; Reading, Massa-
`chusetts 01867.
`
`ISBN: 0-201-31000—7
`1 2 3 4 5 6 7 8 9-CRS-0302010099
`
`Copyright © 1999 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, CA, 94303, USA.
`All rights reserved.
`
`DukeTM designed by Joe Palrang.
`
`
`
`Sun Microsystems, Inc. has intellectual property rights relating to implementations of the technology
`described in this publication. In particular, and without limitation, these intellectual property rights
`may include one or more US. patents,
`foreign patents, or pending applications. Sun, Sun
`Microsystems, the Sun logo, and all Sun, Java, Jim, and Solaris based trademarks and logos are
`trademarks or registered trademarks of Sun Microsystems, Inc.,
`in the United States and other
`countries. UNIX is a registered trademark in the United States and other countries, exclusively licensed
`through X/Open Company, Ltd.
`
`First Printing, June 1999
`
`Page 7 of 275
`
`

`

`
`
`
`.
`Preface.......... . .
`How This Book Is Organized .
`Acknowledgments .
`.
`.
`.
`.
`.
`.
`.
`.
`
`. . .
`.
`.
`.
`.
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`. xii
`.
`.
`.
`. .. xiii
`
`Computer and Network Security Fundamentals. . . . . . . . . .
`1.1 Cryptography versus Computer Security .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.2 Threats and Protection.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.3 Perimeter Defense .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.3.1 Firewalls .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.3.2 Inadequacies of Perimeter Defense Alone .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.4 Access Control and Security Models .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.4.1 MAC and DAC Models .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.4.2 Access to Data and Information .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.4.3 Static versus Dynamic Models .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.. .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.4.4 Considerations Concerning the Use of Security Models .
`.
`.
`.
`.
`.
`.
`.
`1.5 Using Cryptography .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.5.1 One—Way Hash Functions .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.5.2 Symmetric Ciphers .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.5.3 Asymmetric Ciphers .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.6 Authentication .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.7 Mobile Code .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`1.8 Where Does Java Security Fit In .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`
`
`.
`
`. 1
`. .
`. 2
`.
`.
`.
`. 3
`.
`.
`.
`. 4
`.
`.
`.
`. 6
`.
`.
`.
`. 6
`.
`.
`.
`. 7
`.
`.
`.
`. 7
`.
`.
`.
`. 8
`.
`.
`.
`. 9
`.
`.
`.
`.
`. 10
`.
`. .. 11
`.
`.
`. 12
`.
`.
`. 13
`.
`.
`. 14
`.
`.
`. 15
`.
`.
`. 17
`.
`.
`. 18
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`Basic Security for the Java Language. . . . . . . . . . . .
`2.1 The Java Language and Platform .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`2.2 Basic Security Architecture .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`2.3 Bytecodc Verification and Type Safety .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`2.4 Signed Applets .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`2.5 A Brief History of Security Bugs and Fixes .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`. . .
`.
`.
`. 22
`.
`.
`. 23
`.
`.
`. 25
`.
`.
`. 27
`.
`.
`. 28
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`
`Page 8 of 275
`
`

`

`CONTENTS
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`. 43
`.
`.
`. 45
`.
`.
`. .. 46
`.
`.
`. 48
`
`. .. 50
`. .. 52
`. .. 55
`. .. 59
`.
`.
`. 59
`. .. 61
`.
`.
`. 62
`. .. 63
`. .. 63
`. .. 64
`. .. 64
`. .. 65
`.
`.
`. 66
`.
`.
`. 66
`.
`.
`. 68
`.
`.
`. 69
`
`. 71
`.
`.
`. 72
`.
`.
`. 74
`.
`.
`. .. 79
`. .. 80
`.
`.
`. 81
`. .. 83
`.
`.
`. 83
`.
`.
`. 84
`.
`.
`. 85
`
`3 JDK 1.2 Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
`3.1 From the Beginning .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 33
`3.2 Why a New Security Architecture .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 34
`. 3.2.1 Sandbox Restrictions on Applets Too Limiting .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 34
`3.2.2 Insufficient Separation Between Policy and Enforcement .
`.
`.
`.
`.
`.
`.
`.
`.
`. 35
`3.2.3 Security Checks Not Easily Extensible .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 35
`3.2.4 Locally Installed Applets Too Easily Trusted .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 36
`3.2.5 Internal Security Mechanisms Fragile .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 36
`3.2.6 Summary .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 37
`java.secur‘i ty.General SecurityExcept'ion .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. .. 37
`Security Policy .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 38
`CodeSour‘ce .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. .. 41
`
`
`
`3.5.1 Testing for Equality and Using Implication .
`Permission Hierarchy .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.1 java. security.Perm1'ss1'on .
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.2 Permission Sets .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`3.6.3 java.security.UnresolvedPermi ssion .
`.
`.
`.
`3.6.4 java.'io.F1'1ePer'mission .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.5 java.net.SocketPer‘m1’ ssion .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.6 java.security.BasicPermi ssion .
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.7 java. util .Pr'opertyPer'm'issi on .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.8 java.1ang.Runt'i mePermission .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.9 java.awt.AWTPermission .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.10 java.net.NetPerm-ission .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.11 java. lang. ref'l ect . Refl ectPer'mi 551' on .
`3.6.12 java.io.Seria'lizablePerm-ission .
`.
`.
`.
`.
`.
`.
`3.6.13 java. security.Securi tyPermission .
`.
`.
`.
`.
`3.6.14 java.security.AllPer‘mission .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.6.15 Implications of Permission Implications .
`.
`.
`.
`.
`.
`.
`Assigning Pennissions .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.7.1 Positive versus Negative Permissions .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`ProtectionDomai n .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Securely Loading Classes .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.9.1 Class Loader Hierarchy .
`3.9.2 java. 1 ang . C1 assLoader and Delegation .
`3.9.3 java. security.SecureC1assLoader .
`.
`.
`3.9.4 java.net.URLC'| assLoader .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.9.5 Classpaths .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`java.1ang .Secur‘ityManager .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.10.1 Example Use of the Security Manager .
`.
`.
`.
`.
`3.10.2 Unchanged APIs in JDK 1.2 .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.10.3 Deprecated Methods in JDK 1.2 .
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`Page 9 of 275
`
`

`

`CONTENTS
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11 java.security.AccessController .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.1 Interface Design ofAccessContr'oller .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.2 The Basic Access Control Algorithm .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.3 Method Inheritance .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.4 Extending the Basic Algorithm with Privileged Operations .
`3.11.5 Three Types of Privileged Actions .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.6 The Context of Access Control .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.7 The Full Access Control Algorithm .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.11.8 Securi tyManager versus AccessControl ler .
`.
`.
`.
`.
`.
`.
`.
`3.11.9 A Mini—History of Privileged Operations .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`3.12 Summary and Lessons Learned.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`. .. 90
`.
`. .. 91
`.
`.
`.
`. 92
`.
`.
`.
`. 94
`.
`.
`.
`. 95
`.
`.
`.
`. 98
`.
`.
`. 101
`.
`.
`. 102
`.
`. .. 104
`.
`.
`. 105
`.
`.
`. 106
`
`. . . .
`. . . .
`4 Deploying the Security Architecture. . . .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.1 Installing JDK 1.2 .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.2 Policy Configuration .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.2.1 Configuring System-Wide and User-Specific Policies .
`.
`.
`.
`.
`4.2.2 Configuring Application-Specific Policies .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.2.3 Configuring an Alternative Policy Class Implementation .
`4.2.4 Default Policy File Format .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.2.5 Policy File Examples .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.2.6 Property Expansion in Policy Files .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Digital Certificates .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Helpful Security Tools .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.4.1 Keystore Databases .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.4.2 Keytool
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.4.3 Policy Tool
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.4.4 Jarsigner .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.4.5 Code Signing Example .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`4.5 Managing Security Policies for Nonexperts .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`
`. 113
`.
`. 115
`.
`.
`. 115
`.
`.
`. 116
`.
`.
`. 117
`.
`.
`. 118
`.
`.
`. 122
`.
`.
`. 123
`.
`.
`. 125
`.
`.
`. 130
`.
`.
`. .. 130
`. .. 133
`.
`.
`. 139
`. .. 143
`.
`.
`. 148
`.
`.
`. 150
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`. . . . . . . . . . 153
`. . . .
`Customizing the Security Architecture. . . . . .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 153
`.
`.
`.
`.
`.
`5.1 Creating New Permission Types .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. .. 155
`.
`.
`.
`.
`.
`5.2 Composite Permissions .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 156
`.
`.
`.
`.
`.
`5.3 Customizing Security Policy .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 158
`.
`.
`.
`.
`.
`5.4 Migrating JDK 1.1-Based Security Managers .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 158
`.
`.
`.
`.
`.
`5.4.1 JDK 1.1 Security Manager Classes .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`5.4.2 Accommodating JDK 1.1 Security Managers on JDK 1.2 .
`.
`.
`.
`.
`.
`.
`.
`. 160
`5.4.3 Modifying JDK 1.1 Security Managers for JDK 1.2 .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`. 163
`
`ObjectSecurity...............
`6.1 Security Exceptions .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`6.2 Fields and Methods .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`.
`.
`
`. .. 173
`.
`.
`. 174
`
`Page 10 of 275
`
`

`

`CONTENTS
`
`Static Fields .
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`Private Object State and Object Immutability .
`Privileged Code .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Serialization .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Inner Classes .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Native Methods .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`
`.
`
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`
`.
`
`.
`
`. 176
`
`.
`
`. 176
`.
`. 178
`.
`.
`. 179
`.
`.
`. .. 181
`.
`.
`. 182
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`. 182
`. 185
`. 186
`. 188
`
`6.3
`6.4
`6.5
`6.6
`
`6.7
`6.8
`6.9
`6.10
`6.11
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Signing Objects .
`.
`. .-.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Sealing Objects .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Guarding Objects .
`6.11.1 Examples of Using GuardedObject .
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`.
`.
`.
`.
`
`7 Programming Cryptography . . . . . . . . . . . .
`7.1
`7.2
`
`7.3
`
`.
`
`.
`.
`
`. 192
`.
`. 193
`.
`. 197
`.
`. 199
`.
`.
`. .. 199
`. .. 200
`. .. 200
`. .. 201
`.
`.
`. 204
`. .. 207
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`
`
`
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.. .
`.
`.
`.
`Design Principles .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Cryptographic Services and Service Providers .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.2.1 Installing and Adding a Provider .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Cryptography Classes .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.3.1 java.secur1'ty.Security .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.3.2 java.security.Prov1'der .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.3.3 java.secur‘ity.MessageDj gest .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.3.4 java.security.S1'gnatur‘e .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.3.5 Algorithm Parameters .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.3.6 java. security. Key and java. security.spec . KeySpec .
`7.3.7 java. security. KeyFactor‘y and java. security. cert.
`Ce rti fj care Facto ry
`7.3.8 KeyPai r and KeyPai rGenerator .
`7.3.9 java.security.KeyStore .
`.
`.
`.
`.
`.
`Randomness and Seed Generators .
`.
`.
`.
`.
`.
`.
`
`. 225
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.4.1 java.security.SecureRandom .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Code Examples .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.5.1 Example 1: Computing a Message Digest .
`.
`.
`.
`7.5.2 Example 2: Generating a Public/Private Key Pair .
`.
`.
`.
`7.5.3 Example 3: Generating and Verifying Signatures .
`7.5.4 Example 4: Reading a File That Contains Certificates .
`Standard Names .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.6.1 Message Digest Algorithms .
`.
`.
`.
`.
`.
`.
`.
`.
`7.6.2 Key and Parameter Algorithms .
`.
`.
`.
`.
`.
`.
`.
`.
`7.6.3 Digital Signature Algorithms .
`.
`7.6.4 Random Number Generation Algorithms .
`7.6.5 Certificate Types .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.6.6 Keystore Types .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`Algorithm Specifications .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`7.7.1 SHA-l Message Digest Algorithm .
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`210
`. 212
`.
`.
`. .. 214
`.
`.
`. 215
`
`. .. 216
`.
`.
`. 217
`.
`.
`. 217
`.
`.
`. 218
`.
`.
`. 219
`.
`.
`. 221
`.
`.
`. 222
`
`. 222
`. 222
`. 223
`. 223
`. 223
`. 224
`. 224
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`
`Page 11 of 275
`
`

`

`CONTENTS
`
`.
`.
`.
`.
`.
`7.7.2 MD2 Message Digest Algorithm .
`.
`.
`.
`.
`.
`7.7.3 MDS Message Digest Algorithm .
`.
`.
`.
`.
`.
`7.7.4 Digital Signature Algorithm .
`.
`.
`.
`.
`.
`.
`.
`7.7.5 RSA—Based Signature Algorithms .
`.
`.
`7.7.6 DSA KeyPair Generation Algorithm .
`.
`.
`7.7.7 RSA KeyPair Generation Algorithm .
`7.7.8 DSA Parameter Generation Algorithm .
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`
`. 225
`. 225
`. 225
`. 225
`. 226
`. 227
`. 227
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`. .. 229
`.
`.
`. 230
`.
`.
`. 232
`.
`.
`. 234
`.
`.
`. 234
`.
`.
`. 235
`.
`.
`. 239
`.
`.
`. 239
`.
`.
`. 241
`.
`.
`. 242
`
`..
`
`........245
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`Bibliography...........................
`
`Index . . . .
`
`. . . .
`
`. . . . ...251
`
`8 FutureDirections........
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.1 Security Management .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.2 JDK Feature Enhancement .
`.
`.
`8.3 Java Authentication and Authorization Service .
`8.3.1 Subjects and Principals .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.3.2 Credentials .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.3.3 Pluggable and Stacked Authentication .
`.
`.
`8.3.4 Callbacks .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.3.5 Access Control .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.3.6 JAAS Implementation .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`8.4 Conclusion .
`.
`.
`.
`.
`.. .
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`.
`
`
`
`Page 12 of 275
`
`

`

`Preface
`
`Give me a lever and a fulcrum, and I can move the globe.
`—Archirnedes
`
`
`
`Since Java technology’s inception, and especially its public debut in the spring
`of 1995, strong and growing interest has developed regarding the security of the
`Java. platform, as well as new security issues raised by the deployment of Java
`technology. This level of attention to security is a fairly new phenomenon in com-
`puting history. Most new computing technologies tend to ignore security consider-
`ations when they emerge initially, and most are never made more secure
`thereafter. Attempts made to do so typically are not very successful, as it is now
`well known that retrofitting security is usually very difficult, if not impossible, and
`often causes backward compatibility problems.
`'
`Thus it is extremely fortunate that when Java technology burst on the Internet
`scene, security was one of its primary design goals. Its initial security model,
`although very simplistic, served as a great starting place, an Archimedean ful-
`crum. The engineering talents and strong management team at JavaSoft are the
`lever; together they made Java’s extensive security architecture a reality.
`From a technology provider’s point of view, security on the Java platform
`focuses on two aspects. The first is to provide the Java platform, primarily through
`the Java Development Kit, as a secure, platform on which to run Java—enabled
`applications in a secure fashion. The second is to provide security tools and ser-
`vices implemented in the Java programming language that enable a wider range of
`security-sensitive applications, for example, in the enterprise world.
`I wrote this book with many purposes in mind. First, I wanted to equip the
`reader with a brief but clear understanding of the overall picture of systems and
`network security, especially in the context of the Internet environment within
`which Java technology plays a central role, and how various security technologies
`relate to each other.
`
`Page 13 of 275
`
`

`

`PREFA CE
`
`How This Book Is Organized
`
`This book is organized as follows.
`
`Chapter 1. A general background on computer, network, and information
`security
`
`Chapter 2. A review of the original Java security model, the sandbox
`
`Second, I wanted to provide a comprehensive description of the current secu-
`rity architecture on the Java platform. This includes language features, platform
`APIs, security policies, and their enforcement mechanisms. Whenever appropri-
`ate, I discuss not only how a feature functions, but also why it is designed in such
`a way and the alternative approaches that we—the Java security development
`team at Sun Microsystems—examined and rejected. When demonstrating the use
`of a class or its methods, I use real—world code examples whenever appropriate.
`Some of these examples are synthesized from the JDK 1.2 code source tree.
`Third, I sought to tell the reader about security deployment issues, both how
`an individual or an enterprise manages security and how to customize, extend, and
`enrich the existing security architecture.
`Finally, I wanted to help developers avoid programming errors by discussing a
`number of common mistakes and by providing tips for safe programming that can
`be immediately applied to ongoing projects.
`
`Chapter 8. A look ahead to future directions for Java security
`
`Chapter 3. An in-depth look at the new security architecture in JDK 1.2, which
`is policy—driven and capable of enforcing fine-grained access controls
`
`Chapter 4. An explanation of how to deploy and utilize the new security fea-
`tures in JDK 1.2, including security policy management, digital certificates,
`and various security tools
`
`Chapter 5. A demonstration of how to customize various aspects of the secu-
`rity architecture, including how to move legacy security code onto the JDK 1.
`2 platform
`
`Chapter 6. A review of techniques to make objects secure and tips for safe
`programming
`
`Chapter 7. An outline of the Java cryptography architecture along with usage
`examples
`
`Page 14 of 275
`
`

`

`PREFACE
`
`This book is primarily for serious Java programmers and for security profes-
`sionals who want to understand Java security issues both from a macro (architec-
`tural) point of View as well as from a micro (design and implementation)
`perspective. It is also suitable for nonexperts who are concerned about Internet
`security as a whole, as this book clears up a number of misconceptions around
`Java security.
`Throughout this book, I assume that the reader is familiar with the fundamen-
`tals of the Java language. For those who want to learn more about that language,
`the book by Arnold and Gosling [2] is a good source.
`This book is not a complete API specification. For such details, please refer to
`JDK 1.2 documentation.
`
`Acknowledgments
`
`
`
`It is a cliche to say that writing a book is not possible without the help of many
`others, but it is true. I am very grateful to Dick Neiss, my manager at JavaSoft,
`who encouraged me to write the book and regularly checked on my progress. Lisa
`Friendly, the Addison-Wesley Java series editor, helped by guiding me through the
`writing process while maintaining a constant but “friendly” pressure. The team at
`Addison—Wesley was tremendously helpful. I’d like particularly to thank Mike
`Hendrickson, Katherine Kwack, Marina Lang, Laura Michaels, Marty Rabinow-
`itz, and Tracy Russ. They are always encouraging, kept faith in me, and rescued
`me whenever I encountered obstacles.
`'
`This book is centered around JDK 1.2 security development, a project that
`lasted fully two years, during which many people inside and outside of Sun
`Microsystems contributed in one way or another to the design, implementation,
`testing, and documentation of the final product. I would like to acknowledge Dirk
`Balfanz, Bob Blakley, Josh Bloch, David Bowen, Gilad Bracha, David Brownell,
`Eric Chu, David Connelly, Mary Dageforde, Drew Dean, Satya Dodda, Michal
`Geva, Gadi Guy, Graham Hamilton, Mimi Hills, Larry Koved, Charlie Lai, Sheng
`Liang, Tim Lindholrn, Jan Luehe, Gary McGraw, Marianne Mueller, Tony Nadalin,
`Don Neal, Jeff Nisewanger, Yu—Ching Peng, Hemma Prafullchandra, Benjamin
`Renaud, Roger Riggs, Jim Roskind, Nakul Saraiya, Roland Schemers, Bill
`Shannon, Tom van Vleck, Dan Wallach, and Frank Yellin. I also appreciate the
`technical guidance from James Gosling and Jim Mitchell, as well as management
`support from Dick Neiss, Jon Kannegaard, and Alan Baratz. I have had the pleasure
`of chairing the Java Security Advisory Council, and I thank the external members,
`Ed Felten, Peter Neumann, Jerome Saltzer, Fred Schneider, and Michael
`Schroeder for their participation and superb insights into all matters that relate to
`computer security.
`
`Page 15 of 275
`
`

`

`PREFACE
`
`Lz' Gong
`Los Altos, California
`
`
`
`Isabel Cho, Lisa Friendly, Charlie Lai, Jan Luehe, Teresa Lunt, Laura
`Michaels, Stephen Northcutt, Peter Neumann, and a number of anonymous
`reviewers provided valuable comments on draft versions of this book.
`G. H. Hardy once said that young men should prove theorems, while old men
`should write books. It is now time to prove some more theorems.
`
`June 1 999
`
`Page 16 of 275
`
`

`

`
`
`Computer and Network
`Security Fundamentals
`
`
`
`Security is all about ensuring that bad things do not happen. This brief statement
`is deceptively simple. It can in fact have very complicated interpretations. Explor-
`ing these can help in understanding What security really means.
`Certain “rule-of-thumb” principles apply to the concept of security in general.
`First, security is always related to utility. To ensure that bad things do not happen,
`you can simply do nothing. For example, a car stored in a garage cannot cause a
`traffic accident. But doing nothing with the car is clearly not what is intended. The
`real goal is to ensure that bad things do not happen while good things do get done.
`Second, security is relative to the threat that one considers. For example, the
`effectiveness of your house’s securely locked front door to prevent theft depends
`heavily on the types of thieves against which you are guarding. While the lock
`might deter a small-time thief, it might not pose a problem for a sophisticated one
`equipped with the right tools.
`Third, security must be considered from an overall systems point of view. It is
`only as secure as the system’s weakest point. That is, it is not enough to just secure
`the front door. A smart thief will try to enter the house from all potentially weak
`spots, and in particular those furthest away from where you have installed strong
`locks.
`
`The three golden rules to ensure computer security are: do not own
`a computer; do not power it on; and do not use it.
`—Robert (Bob) T. Morris
`
`Fourth, security must be easy to accomplish. If it takes 30 minutes and great
`effort every time to unlock a complicated lock, you will tend to ignore the lock
`m and leave the door open.
`
`Page 17 of 275
`
`

`

`CRYPTOGRAPHY VERSUS COMPUTER SECURITY
`
`Fifth, security must be affordable and cost effective. For example, it clearly
`does not make sense to install a lock that is worth more than the contents it is
`
`guarding. This is made more complex by the fact that different people tend to
`value things differently.
`Last but not least, security must be as simple as possible because, as experi-
`ence indicates, the more complex a system is, the more error—prone it tends to be.
`It is better to have something that is simpler but more dependable.
`Throughout this book, you will see that these “rule—of—thumb” principles
`apply equally well to computer security.
`
`Before moving on to specific topics, I want to clarify that cryptography and com-
`puter security are two distinct subjects. Cryptography is the art of encoding
`information in a secret format such that only the intended recipient can access the
`encoded information. The use of cryptography has progressed extensively over a
`long period of time, ranging from the ancient Caesar cipher, to cipher machines
`widely used in World War I], to modern cryptosystems implemented with com-
`puter hardware and software.
`Computer security first became an issue only in the 19603, when timesharing,
`multiuser computer (operating) systems were first built, such as Cambridge’s
`early computing system [80] and MIT’s Multics [69, newref 1]. After that, the
`field of computer security remained relatively obscure for years, apart from a brief
`active period in the mid—1970s [3, 32, 36, 75, newref 2, newref 3]. Security con—
`cerns then were based mostly on military requirements. Commercial security did
`not become fully mainstream until
`the Internet and electronic commerce
`(e—commerce), and Java technology in particular, took center stage in the 19905.
`Security mechanisms often can benefit from the use of cryptography, such as
`when running a network-based user login p