security.provider.3=com.sun.crypto.provider.SunJCE This line should immediately follow the line that reads: security.provider.2=com.sun.rsajca.Provider To use JCE as an unbundled extension, you must: Add the four jar files to your classpath. • Add some configuration information to HOME.java.policy. The information to be added depends on where you have placed the jar files; if youve put JCE into filesjce1.2.1 then the appropriate lines are: grant codebase file:filesjce1.2.1libUS_export_policy.jar { permission java.security.AllPermission; }; grant codebase file:filesjce1.2.1libjce1_2_1.jar { permission java.security.AllPermission; }; grant codebase file:filesjce1.2.1liblocal_policy.jar { permission java.security.AllPermission; }; grant codebase file:filesjce1.2.1libsunjce_provider.jar { permission java.security.AllPermission; }; You must substitute the appropriate path for filesjce1.2.1. Note that this is a URL; you use forward slashes no matter what your platform. On Microsoft Windows, the beginning of the appropriate URL is file:C:filesjce1.2.1. • In every program that you run, you must insert the following line: Security.addProvidernew com.sun.crypto.provider.SunJCE ; • More details about how this works can be found in later chapters. Chapter 8, discusses the addition to the java.security file and its programmatic alternative, and the .java.policy file is discussed in Chapter 2.

1.2.3 The Java Secure Sockets Extension

JSSE provides Secure Sockets Layer SSL encryption facilities. If you need to communicate with an SSL server or SSL client, you can use the APIs in this extension. If you are writing both a client and server and want to do encryption, you can use this extension or you can use the cipher facilities of JCE. JSSE can be downloaded from http:java.sun.comproductsjsse. Version 1.0.2 takes advantage of the relaxed export restrictions of the U.S. and is exportable. Unlike JCE, however, there are still two different versions of JSSE: one for domestic use use within the United States and Canada and one for global use. The difference between these two versions is that the domestic version allows you to substitute new implementations of the SSL algorithms. Such substitution is still prohibited by export rules, so the global version does not allow it. However, both versions provide exactly the same API and the same key strength for their encryption. JSSE consists of documentation and a lib directory containing three jar files: jcert.jar, jnet.jar, and jsse.jar. To use JSSE as an installed extension, you must: Copy the three jar files to JREHOMElibext. • Add the following line to JREHOMElibsecurityjava.security: security.provider.4=com.sun.net.ssl.internal.ssl.Provider • Chapter 1. Java Application Security This line should immediately follow the line you inserted for JCE. To use JSSE as an unbundled extension, you must: Add the three jar files to your classpath. • In every program that you run, you must insert the following line: Security.addProvidernew com.sun.net.ssl.internal.ssl.Provider ; •

1.2.4 The Java Authentication and Authorization Service

JAAS provides for user authentication within the Java platform. It performs a unique function in the Java platform. All of the core facilities of Javas security design are intended to protect end users from the influences of developers: end users give permissions to developers to access resources on the end users machine. JAAS, on the other hand, allows developers to grant or deny access to their programs based on the authentication credentials provided by the user. JAAS can be downloaded from http:java.sun.comproductsjaas. It comes in two parts: a Java library which defines the interface to the service the JAAS proper, and platform−specific modules to perform the authorization the JAAS modules. Sample modules are available to perform authentication based on JNDI directory services, Windows NT login services, and Solaris login services. JAAS itself contains documentation and a lib directory with a single jar file jaas.jar. The jar file should either be installed into JREHOMElibext, or the user must add it to her classpath. The lib directory of the JAAS modules contains an additional jar file jaasmod.jar that must be handled similarly. It also contains platform−specific shared libraries. On Solaris systems, these libraries must be installed into JREHOMElibsparc. If that is not possible, the libraries can be placed into any directory e.g., filesjaasmod1_0lib and that directory can be added to the users LD_LIBRARY_PATH. On Microsoft Windows systems, these libraries are named nt.dll, nt.lib, and nt.exp and they must be installed into JREHOME\bin. If that is not possible, then you must set the java.library.path property on the command line. For instance, if the libraries are in \files\jaasmod1_0\lib, you would specify the following property on the command line: −Djava.library.path=\files\jaasmod1_0\lib No modification to the java.security file is required for JAAS.

1.2.5 More About Export Controls