Security in Java
Three sets of packages make up the fundamental security and cryptography features of the Java platform:
- Java Cryptography Extension (JCE)
- JCE is a set of packages that provides a framework and implementations for encryption, key generation and authentication, and Message Authentication Code (MAC) algorithms.
- Java Secure Socket Extension (JSSE)
- The Java Secure Socket Extension (JSSE) is a set of packages that enables secure Internet communications. It implements a Java technology version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes functionality for data encryption, server authentication, message integrity, and optional client authentication. JSSE has two distributions: integrated into the JDK from version 1.4 onward, and JSSE 1.0.3_03 as an optional package for Java 2 SDK versions 1.2.x and 1.3.x.
- Java Authentication and Authorization Service (JAAS)
- The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. Originally introduced as an optional package (JAAS 1.0) to version 1.3 of the Java 2 SDK, JAAS has been integrated into the J2SE since JDK version 1.4.
Java SE Security
Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. Java security technology provides the developer with a comprehensive security framework for writing applications, and also provides the user or administrator with a set of tools to securely manage applications.
Recent security enhancements include integration of the JCE, JSSE, and JAAS features into the JDK rather than them being delivered as optional packages, and addition of new security features.
Java 6 SE JDK Security-related APIs & Developer Guides
From Sun Microsystems. Programmer's Guides: General Security, Java Authentication and Authorization Service (JAAS), Java Cryptography Architecture (JCA) and Extension (JCE), Java Generic Security Services (Java GSS-API), Java PKCS#11 Reference Guide, Java Secure Socket Extension (JSSE), Public Key Infrastructure (PKI), Simple Authentication and Security Layer (SASL), XML Digital Signature.
API Specification (javadoc): General Security, Certification Path, JAAS, Java GSS-API, JSSE, Java SASL, SSL/TLS-based RMI Socket Factories, XML Digital Signature, Smart Card I/O.
Java 6 Security Enhancements, Security Tools, Security Tutorials.
Security on JDK 5.0. Security on Java 2 SDK SE v1.4.2.
Java Security
Javapedia, java.net TWiki.
Security in Java [In Portuguese]
An introduction to the cryptography and digital signature APIs. Tutorial by Daniel Malaquias de Freitas, at GUJ - Grupo de Usuários Java.
Oracle Phaos Security SDKs
Oracle Corporation has acquired Phaos Technology Corporation to incorporate Phaos' industry leading security technology into the Oracle Application Server and Oracle Identity Management products.
Cryptography - JCA & JCE
The Java Cryptography Extension (JCE) is a set of packages that provides a framework and implementations for encryption, key generation and authentication, as well as Message Authentication Code (MAC) algorithms. Encryption support includes symmetric, asymmetric, block and stream ciphers. The software also supports secure streams and sealed objects.
JCE was formerly an optional package (extension) for the Java 2 SDK, Standard Edition (J2SE), versions 1.2.x and 1.3.x. JCE has now been integrated into the Java 2 SDK, v 1.4.
JCE 1.2 was created to extend the Java Cryptography Architecture (JCA) APIs available in the Java 2 platform, and was available in the US and Canada only, due to US export control regulations. The main difference between JCE 1.2 and JCE 1.2.2 is that JCE 1.2.2 is exportable outside the US and Canada. The JCE integrated into the Java SDK from v1.4 onward is exportable. JCE providers may also be exportable.
Java Cryptography Architecture (JCA) Reference Guide
for the Java Platform Standard Edition 6.
Java Cryptography Extension (JCE) Reference Guide for the JDK 5.0.
Installing JCE Providers for the Java 2 SDK, v 1.4. How to Implement a Provider for the Java Cryptography Extension in the Java 2 SDK, Standard Edition, v 1.4.
J2SE 1.4.2 API docs: Package javax.crypto.
Legion of the Bouncy Castle
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms, developed by the Legion of the Bouncy Castle, formerly OpenJCE.org. The software is open source, with a distribution license based on the MIT X Consortium license.
The Bouncy Castle Crypto APIs consist of the following: a lightweight API in Java; a provider for the JCE and JCA; a clean-room implementation of JCE 1.2.1; generators for Version 1 and Version 3 X.509 certificates and PKCS12 files; generators for S/MIME and CMS (PKCS7); a signed jar version suitable for JDK 1.4 and the Sun JCE.
IBM JCE
By IBM. IBMJCE Provider - Java Cryptography Extension (JCE) 1.2.1. IBM's version of the JCE provides more algorithms than Sun's version.
IBMJCE4758: JCE with hardware cryptography support.
Cryptix
Cryptix is an international volunteer effort to produce robust, open-source cryptographic software libraries. Cryptix products are free, for both commercial and non-commercial use, and are used by developers all over the world. Development is currently focused on Java.
ISNetworks S/MIME & JCE Provider
Open source cryptographic service provider for Java from ISNetworks. It includes implementations of many cryptographic algorithms in the ISNetworks JCE Provider (signed), and works with JDK 1.2.2 onward.
By ISNetworks. Although their Java S/MIME library is no longer officially supported, they have released it under the Apache license to make it available to the public. The download includes the full source code, pre-compiled binaries, JavaDoc for the API and examples of how to use the library.
Pinatubo JCE/JCA Provider: Java library which provides developers with programmatic access to Windows CryptoAPI. Pinatubo contains compliant providers for the Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE). The library is no longer officially supported, but ISNetworks have released the binaries under the Apache license and a full source release may follow. You can download it and use it free of charge.
JCE taglib
Cryptographic tag library & Expression Language functions for JavaServer Pages (JSP).
By Gert Van Ham, open source under the LGPL license. SourceForge project: jcetaglib.
Assembla JCE Provider for Microsoft key store
By Assembla Trust Technology AB. This software is provided free of charge and is available for educational, personal and also commercial use. Consider it a gift to the community that develops Java programs on the Windows platform.
JHBCI, OpenSource HBCI Toolkit for Java
By Uwe Günther. JHBCI Provider (JCA/JCE crypto provider).
Phaos Crypto (Commercial)
Pure Java cryptographic library with seamless integration with JCE applications. Commercial product, by Phaos Technology Corporation.
RSA BSAFE (Commercial)
RSA BSAFE for Java Developers, RSA BSAFE Crypto-J (PDF) - Cryptographic components for Java, by RSA Security. Commercial product. Fast, flexible, hardware enabled, 100% pure Java, fully compliant with the Public-Key Cryptography Standards (PKCS), signed and exportable Java Security Provider. FIPS 140 certified (2002-2007).
IAIK-JCE (Commercial)
IAIK Java Cryptography Extension (JCE) Toolkit. Commercial product. By IAIK - Institute for Applied Information Processing and Communication, Graz University of Technology.
JCAPI (Commercial)
The Pheox JCAPI (Java CryptoAPI) is a JCE (Java Cryptography Extension) provider that provides access to key and certificate stores on Microsoft operating systems. All cryptographic operations are performed by the native MS CAPI (Microsoft CryptoAPI) layer through installed CSPs (Cryptographic Service Providers) that support cryptographic algorithms and functions.
Java Applet for Signing with a Smart Card
By Svetlin Nakov and Nikolay Nedyalkov, 2006-02-24. Contents: Background, The Problem of Digital Signing in a Web-Based Environment with a Smart Card, Building a Smart Card Applet, Defining What Is Meant By "Smart Cards", Smart Card Access Standards, Accessing Smart Cards from Java, Using the Sun PKCS#11 Provider, Configuring the Sun PKCS#11 Provider, Static Registration of the Sun PKCS#11 Provider, Dynamic Registration of the Sun PKCS#11 Provider, Configuration File of the Sun PKCS#11 Provider (pkcs11.cfg), Using the Sun PKCS#11 Provider Without a Configuration File, Unregistering the Sun PKCS#11 Provider, Extracting a Keystore from a Smart Card, Obtaining Certificates and Private Keys from a Smart Card, Signing Data with a Smart Card, Java Applet for Signing with a Smart Card, System Requirements for Accessing Smart Cards with Java Applets, Implementation of the Applet for Signing with a Smart Card, How the Applet for Signing with a Smart Card Works, Compiling and Signing the Applet, Testing the Applet with a Sample HTML Form, The Applet for Signing with a Smart Card in Action, The Subsystem for Signature and Certificate Verification, The NakovDocumentSigner System, Download the NakovDocumentSigner System, Summary. Listings.
PKCS#11 Signer For Java
Open source software project hosted at SourceForge.
Fast MD5 Implementation in Java
By Timothy W Macinta.
Public Key Infrastructure (ICP/PKI) & Digital Certificates
Legion of the Bouncy Castle
Bouncy Castle Crypto APIs include: a library for reading and writing encoded ASN.1 objects, generators for Version 1 and Version 3 X.509 certificates and PKCS12 files, generators/processors for S/MIME and CMS (PKCS7), generators/processors for OCSP (RFC 2560), generators/processors for OpenPGP (RFC 2440). Free and open source.
EJBCA, Java Certificate Authority
Enterprise Java Beans Certificate Authority (EJBCA) is a fully functional Certificate Authority (CA), written entirely in Java and based on J2EE technology.
Cycom's Public Key Infrastructure (PKI)
Cycom's PKI with Java Source is a small subset of PKI, just big enough to be useful, that leverages Sun's JCA. In particular it allows a user application to generate digital certificates and certificate requests and allows the user to act as a CA, if only for other local users.
NakovDocumentSigner
NakovDocumentSigner is a framework for digitally signing documents in Java-based Web applications. It is a freeware, open-source project initiated by Svetlin Nakov and provides Web applications with digital signature functionality based on Public Key Infrastructure (PKI). NakovDocumentSigner consists of a digital signer Java applet and a reference Web application for signature and certificate verification. It supports signing with a PKCS#12 certificate keystore file and with a smart card.
Java Applet for Signing with a Smart Card
Article by Svetlin Nakov, 2006-02-24, at Developer.com.
Authentication - JAAS & Single Sign-On (SSO)
jGuard
jGuard is a library that provides easy security (authentication and authorization) for Java web applications. It is built on the stable and mature JAAS framework, which is part of the Java SE APIs. jGuard is very flexible and allows many different ways of configuring the authentication and authorization mechanisms, e.g. in a relational database, XML files, or an LDAP service. jGuard is an open source project on SourceForge, distributed under the LGPL license.
Release of jGuard version 1.0 [In Portuguese].
OAuth
OAuth is an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
For Consumer developers: If you're building desktop applications, dashboard widgets or gadgets, Javascript or browser-based apps, webpage widgets - OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.
For Service Provider developers: If you're supporting web applications, server-side APIs, mashups - If you're storing protected data on your users' behalf, they shouldn't be spreading their passwords around the web to get access to it. Use OAuth to give your users access to their data while protecting their account credentials.
OAuth at Hueniverse, by Eran Hammer-Lahav: Explaining OAuth, 2007-09-10; Beginner's Guide to OAuth - Part I, 2007-10-04, and Part II, 2007-10-15.
Spring Security
Spring Security provides powerful and flexible security solutions for enterprise applications developed using the Spring Framework. Formerly the Acegi Security System for Spring, Spring Security became an official Spring Portfolio project towards the end of 2007. It is a stable and mature product -- Acegi Security 1.0 was released in May 2006 after more than two and a half years of use in large production software projects. Open source. Spring Security (Acegi) provides Spring applications with instance-level ACL access control, channel security and human user detection capabilities. Acegi Security can authenticate using a variety of pluggable providers, and can authorise both web requests and method invocations.
What's New in Spring Security 2?, by Ben Alex, creator of Acegi/Spring Security, 2007-12-06. Spring Security 2.0 Final Release: No More Dead Fairies, by Rod Johnson, 2008-04-17.
Pathway from ACEGI to Spring Security 2.0, by Chris Baker, Javalobby, 2008-04-22.
OAuth for Spring Security
The purpose of this project is to provide an OAuth implementation for Spring Security. Support is provided for both OAuth provider developers and OAuth consumer developers.
Tutorial.
JAAS - Java Authentication and Authorization Service
The Java Authentication and Authorization Service (JAAS) is a package that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. JAAS has been integrated into the Java 2 SDK, Standard Edition, v 1.4.
Java 6 SE Security: JAAS
- JAAS Reference Guide
- JAAS tutorials: JAAS Authentication, JAAS Authorization.
JAAS
LoginModule
Developer's Guide - Java GSS-API and JAAS Tutorials for Use with Kerberos
JAAS Reference Guide for the Java 2 SDK, Standard Edition, v 1.4.
JAAS Tutorial [In Portuguese]
An introduction to security in Java with JAAS. By Fábio Viana, GUJ.
Introduction to JAAS and Using JAAS
Sun Java Developer Connection (JDC) Tech Tips, July 27, 2001. This issue covers the Java Authentication and Authorization Service (JAAS). It introduces some key concepts in JAAS and shows you how to make use of these concepts.
Using JAAS for Authorization & Authentication
TheServerSide.COM, Java Enterprise Community article, August 2002.
How JAAS enables use of custom security repositories with J2EE applications, contributed by Pramati.
The Power of JAAS: Security System Alternatives, by Frank Teti, October 2005.
Java authorization internals
A guided tour of the Java 2 platform and JAAS authorization architectures. By Abhijit Belapurkar, Senior Technical Architect, Infosys Technologies Limited. IBM developerWorks Java technology, 4 May 2004.
Extend JAAS for class instance-level authorization, by Carlos Fonseca, Software Engineer, IBM, 1 April 2002.
JAAS Security in Action
By Kyle Gabhart, 7 November 2002, DevX.com.
All that JAAS
By John Musser and Paul Feuer, 13 September 2002, JavaWorld.
High Level Java: Advanced Authentication in WebSphere Application Server
Extending JAAS. By Keys Botzum, Bill Hines, Paul Ilechko and Messaoud Benantar. 28 December 2005, Sys-Con Brasil.
JAAS Modules
This is a small collection of plug-in modules for the Java Authentication and Authorization Service (JAAS) implementation; the source code is released under the GNU LGPL (Lesser General Public License). It includes a version of Tomas Restrepo's WSSPI library that jumps through all the hoops that must be jumped through to authenticate a user under Win32.
SSO - Single Sign-On
Open Web SSO - OpenSSO
The opensso project is based on the code base of the Sun Java System Access Manager product, a core identity infrastructure product offered by Sun Microsystems. Licensed under CDDL 1.0.
First to Open Source Web Single Sign-On, Sun Microsystems, 13 jul 2005.
Best Practices Guide for Enabling Single Sign-On with Sun Java System Access Manager, 17 jun 2004.
Securing Applications With Identity Services, Part 1: Authentication, by Aravindan Ranganathan and Marina Sum, 2007-10-11, Sun Developer Network (SDN).
Java Open Single SignOn - JOSSO
Open Source Identity Management Solutions Written in Java
By Manageability.
The Host Container - Single Sign On Valve
Apache Tomcat 5.5 Configuration Reference. The Valve Component - Single Sign On Valve.
Implementing single sign-on with a Tomcat valve
Article by Simon Brown, 4 November 2004.
JBoss.com Wiki - Single Sign On
Web Tier Single Sign-On on JBoss AS: Non-Clustered SSO using Tomcat SSO (beginning with JBoss-3.2.3), Clustered SSO using JBossCache (beginning with JBoss-3.2.4).
J2EE security: Container versus custom
Choose the appropriate type of security for your application. By Brian Pontarelli, 26 July 2004, JavaWorld.
Simplify enterprise Java authentication with single sign-on
Design secure client/server Java applications that use GSS-API and Kerberos tickets to implement SSO. By Faheem Khan, IBM developerWorks, 9 September 2003.
Implement Single Sign-on with JAAS
By James Tao, 21 October 2002, DevX.com.
See: Security: Applications: Single Sign-On (SSO)
See: PAM - Pluggable Authentication Modules