Home    |    Instructor-led Training    |    Online Training     
         
 
Courses
ADA
Adobe
Agile
AJAX
Android
Apache
AutoCAD
Big Data
BlockChain
Business Analysis
Business Intelligence
Business Objects
Business Skills
C/C++/Go programming
Cisco
Citrix
Cloud Computing
COBOL
Cognos
ColdFusion
COM/COM+
CompTIA
CORBA
CRM
Crystal Reports
Data Science
Datawarehousing
DB2
Desktop Application Software
DevOps
DNS
Embedded Systems
Google Web Toolkit (GWT)
IPhone
ITIL
Java
JBoss
LDAP
Leadership Development
Lotus
Machine learning/AI
Macintosh
Mainframe programming
Mobile
MultiMedia and design
.NET
NetApp
Networking
New Manager Development
Object oriented analysis and design
OpenVMS
Oracle
Oracle VM
Perl
PHP
PostgreSQL
PowerBuilder
Professional Soft Skills Workshops
Project Management
Rational
Ruby
Sales Performance
SAP
SAS
Security
SharePoint
SOA
Software quality and tools
SQL Server
Sybase
Symantec
Telecommunications
Teradata
Tivoli
Tomcat
Unix/Linux/Solaris/AIX/
HP-UX
Unisys Mainframe
Visual Basic
Visual Foxpro
VMware
Web Development
WebLogic
WebSphere
Websphere MQ (MQSeries)
Windows programming
XML
XML Web Services
Other
Introduction to Essential Java EE Security
Overview

Our Essential Java Security class will teach you how to ensure your Java applications are developed with the most advanced security measures available in Java today. The class begins by discussing threats and mitigation techniques, including conventional and public key cryptography, and the most popular authentication protocols, including SSL. Fundamental Java security concepts are covered, including principals, authorities, access control, and more.

You will learn the basis of Java security, class loaders, the Security Manager and the Access Controller. Security features of HTTP and Servlets are covered, as well as techniques for securing Web services. Full coverage of JAAS is provided, including using JAAS to provide authentication, illustrate authentication modules, and interacting with JAAS to provide single sign-on of users. The course also covers JAAS authorization and examines how it extends the original policy file based authorization mechanism. Secure coding techniques to avoid common security bugs such as buffer overflows.


Prerequisites

Each student should have a basic understanding of the Java programming language.

Class Format

Lecture and Lab

Audience

This course is designed for Java programmers who need to build secure applications. It has also proved helpful for system administrators and security officers who need a clear understanding of how security works within Java.

Learning Objectives

After completing this course, the student should be able to:

  • Learn the role of Java Authentication Authorization Services (JAAS)
  • Depict the usage of JAAS Authentication
  • Depict the role of JAAS Authorization
  • Illustrate the use of Policy Files
  • Discuss the functions of the J2EE Security Manager
  • Demonstrate the capabilities of the Access Controller
  • JCA: Public Key Cryptography, Hashing and Signatures
  • JCE: Symmetric Encryption
  • Discuss Threats and Mitigation Techniques
  • Illustrate Digital Certificates and their use with security
  • Demonstrate the techniques for securing Web Services
  • SSL integration between Web and application servers
  • Illustrate the role of LDAP directories
  • Discuss the role of SSL and its configuration
  • HTTP Authentication and Authorization
  • Servlets and Role Based Security
Course Duration

4 Days

Course outline

IT Security Status
  • Security myths
  • Application and Network flaws
  • Impact of Web 2.0
  • Security wheel
  • Security patterns
    • Template
    • Categorizations
    • Relationships
  • Known risks
  • Interceptor Gateway
  • Message Interceptor
  • Assertion Builder
  • Audit Interceptor
  • Best practices

Java Security Basics
  • Core Java technology
  • JVM Security
  • Java language security
  • Platform security
  • Security models
    • JDK
    • J2SE
    • J2EE
    • EE
  • Permissions
  • Java Policy files
  • Security Manager
    • Codebase
    • Bytecode Verifier
    • Class Loaders
  • Java Web Start
  • J2ME Security
  • Key and Certificate Management
    • Keystores
    • Policy Tool
    • JarSigner
    • Keytool
  • Public and Private Keys
  • Exporting and Importing Certificates
  • Signing Requests
  • Securing Java source code

Java Security Manager
  • Security Goals
  • Solution concepts
  • Using UIDs
  • Access Control Lists
  • Language security
  • Java Security mechanism
    • Sandbox
    • Trusted code
    • Fine grained control
  • Create Security policy
  • Installation
  • Stack inspection
  • Beyond JVM Security

Using Secure Socket Layers
  • SSL Overview
  • SSL Architecture
  • Components
  • Sessions and Connections
  • State changes
  • SSL Records
    • Protocol processing
    • Header
    • MAC address
    • Encryption
    • Alert protocol
    • Handshakes
  • Key exchange methods
  • Server certificate and key exchange
  • Client authentication
  • Cryptographic computations
  • Analyzing SSL records
    • Traffic analysis
    • Confidentiality
    • Authentication
  • Cipher attacks
  • Key exchange algorithm
Digital Certificates
  • Introduction
  • Certificate Authorities
  • X.509 Certificates
    • Architecture
    • Types
    • Retrieval
    • Distribution
  • X.509 Certificate format
  • Revocation
    • Revocation lists
    • Distribution
  • Pre-existing Certificates
  • Use with SSLs
Java EE Security
  • Relevant standards
  • Role and use of annotations
  • Defining JAAS
  • Authentication vs. Authorization
  • Role of Subject
  • Defining Principal
  • Pluggable Authentication modules
  • Creating LoginContext
  • LoginModule chaining
  • Principal-based authorization
  • Codesource vs. ProtectionDomain
  • Using AccessController
  • Security Policies and Infrastructure
  • EJB Security
    • Security context
    • Use of role names
    • Annotations
    • Deployment descriptor elements
    • Method permissions
    • Propogation
  • Programmatic vs. Declarative
  • Web tier security

Encryption using javax.crypto
  • Cryptography Concepts
  • Encryption Keys
  • Cipher Algorithms
  • Modes and Padding Schemes
  • The Cipher Class
  • Encrypting and Decrypting Data
  • Cipher Output Stream
  • Cipher Input Stream
  • Encryption using Password Ciphers
  • Exchanging Encrypted Keys
  • Sealed Objects

Encryption Methods
  • Cryptography techniques
    • Symmetric
    • Asymmetric
    • Combinations
  • Standards
    • DES
    • AES
    • Diffie-Hellman
    • RSA
  • Public vs. Private Keys
  • Signing and Padding
  • Hashing
  • Digital signatures
    • Usage
    • Role of key
    • Methodology
  • Use of JCE
  • Encryption Keys
  • Performance considerations
Java Authentication and Authorization services
  • Authentication and Authorization
  • JAAS Overview
  • LoginContext
  • Subjects, Principals, and PrivilegedActions
  • Authentication with the NTLoginModule
  • Defining Permissions in Policy Files
  • KeyStoreLoginModule
  • Callbacks
  • NameCallback and PasswordCallback
  • The Policy Class
Using Java EE Security
  • Authentication
  • Authorization
  • Security Layers
    • Features
    • Topology
    • Protocols
    • SSL
  • Application Server Management
  • LTPA
  • SSO
  • Identity Assertion
  • Declarative Security
    • Security Roles
    • Run-As Delegation
    • Securing resources
    • Creating Constraints
  • Authentication types
    • Form
    • Digital
    • Basic
    • Certificate
  • Trust Association
  • Custom Trust Assocation Interceptors

Please contact your training representative for more details on having this course delivered onsite or online

Training Outlines - the one stop shopping center for IT training.
© Training Outlines All rights reserved