needs.

1.2 Software Used in This Book

The information in this book is based on the Java 2 Standard Edition, version 1.3 or 1.3, for short. There are slight differences between how Java security operates in 1.2 that is, the Java 2 Standard Edition, version 1.2 and 1.3. When we refer to a specific release, well use its number; otherwise, well say Java 2 to refer to either platform. In addition, there are great differences in how Java security operates between the Java 1.1 and the Java 2 platform. While we concentrate on Java 1.3, the end of each chapter contains a section that elucidates the differences between Java 1.3 and previous releases of Java. Some of the very different topics of Java 1.1 are presented in the appendices of this book; it is not generally recommended that you use the facilities and APIs discussed there since they are not compatible with the Java 2 platform. We present information in this book from three standard Java extensions: the Java Cryptography Extension JCE version 1.2.1, the Java Secure Sockets Extension JSSE version 1.0.2, and the Java Authentication and Authorization Service JAAS version 1.0. Each of these contributes certain technologies to the Java security story. These extensions require 1.3. Information about the extensions is presented thoughout the book as it makes sense. The JSSE API defines a set of classes that are used to perform SSL operations, and these are discussed in a separate chapter. The JSSE API also defines a set of classes that are used for key management; these are discussed along with the classes in the core API that handle key management. So even though these three packages are standard extensions, we recommend that you install them now along with the SDK so that you can become familiar with their features when they arise. In version 1.4, all these extensions are scheduled to be included in the core SDK, which is another reason why it helps to think of them as an integrated unit. In the next few pages, well discuss how to obtain and install the platform and extensions. Configuring the extensions may require some steps that you dont understand right now because they have various security options that apply to them. However, we recommend that you just follow the instructions for now and install the extensions. The extensions use Javas standard security framework, and as we discuss each aspect of the framework, we detail how the extensions relate to that aspect. Thus, while the core features of each extension is discussed in its own chapter, information about the extensions appears throughout the book.

1.2.1 The Java 2 Platform

The core Java 2 platform supplies the basic facilities of Java security: A configurable security policy that lets you prevent Java programs from reading your files, making network connections to other hosts, accessing your printer without permission, and so on. This policy is based on Javas access controller, which in turn depends upon Javas class loaders, security manager, and language protections. • The ability to generate message digests if you want a simple but not secure way to determine if data your program reads has been altered. • The ability to generate digital signatures if you want to detect if data your program reads has been altered or if you want to send data and enable the recipient of that data to detect if the data was altered in transit. • A key management system to manage the keys necessary for digital signatures. • An extensible infrastructure to support all of this. • Java 2 version 1.3 can be obtained for Solaris, Linux, and Windows systems from http:java.sun.comj2se1.3. If you need Java for other platforms, check with your platform vendor or check http:java.sun.comcgi−binjava−ports.cgi. The Java 2 platform contains two flavors: the Software Development Kit SDK, also known historically as the JDK and the Java Runtime Environment JRE. Administration of the security model applies to both the JRE and SDK, but to use the security APIs that we discuss, youll need the SDK which includes the JRE. Throughout this book, well use the environment variable JDKHOME to refer to the directory in which the Java 2 SDK was installed and the JREHOME variable to refer to the directory in which the Java 2 JRE was installed. If you installed the SDK into C:\files\jdk1.3 then JDKHOME would be C:\files\jdk1.3 and JREHOME would be C:\files\jdk1.3\jre. Installed or Bundled Extensions? When you work with the extensions that we use in this book, you have the option of treating them as installed or bundled extensions. Installed extensions are much easier to work with: they require no special configuration once they are installed. However, they must be installed into special directories within JREHOME, and they may require files in JREHOME to be modified. Depending on your setup, this may require special operating system privileges. A bundled extension requires no special installation privileges, but it does require you to set up things within your environment: you must modify your classpath, and you must set up special policy files. In addition, some of this configuration must be done programatically, so this option will not work for third−party applications. We assume in our examples that youve set up the extensions as installed extensions.

1.2.2 The Java Cryptography Extension