Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
Java SE offers a rich set of APIs and features for developing secure Java applications and services. The exercise sessions listed here can help you to use the Java SE GSS APIs to build applications that authenticate their users, to communicate securely with other applications and services, and help you to configure your applications in a Kerberos environment to achieve Single Sign-On. In addition, you will also learn how to use stronger encryption algorithms in a Kerberos environment, and how to use Java GSS mechanisms such as SPNEGO to secure the association.
Setting up your Development Environment
Please download, install and configure the software listed below:
- Download and unzip the exercises in jgss-sample.zip.
- Install and set up a Solaris 10 machine (required for exercise 7)
- Configure a Kerberos server on a Solaris 10 machine with accounts used by the exercises. See Appendix A.
- Set the
%JAVA_HOME%
environment variable to point to the installation directory of the JDK.
Exercises
This session includes six lessons. Each part contains one or more coding exercises:
- Secure authentication using the Java Authentication and Authorization Service (JAAS)
- Secure communication using three different secure communication technologies in Java SE
- Deployment of secure applications for Single Sign-On in a Kerberos environment
- Secure Communication using stronger encryption algorithms
- Secure Authentication using SPNEGO Java GSS mechanism
- HTTP/SPNEGO Authentication
Things to check
Make sure you have verified the following configuration settings before proceding to the first Exercise:
- Set up the Key Distribution Center (KDC) on your Solaris 10 machine and start the Kerberos server.
- Set up the Kerberos configuration on your client machine.
- Set ip the JDK environment:
- Set up the
JAVA_HOME
environment variable to point to the JDK installation directory - Place
%JAVA_HOME%\bin
(Windows) or$JAVA_HOME/bin
(Solaris/Linux) in thePATH
environment variable.
- Set up the
Resources
Please work through these exercises in sequence:
Part I: Secure Authentication using the Java Authentication and Authorization Service (JAAS):
Part II: Secure Communications using Java SE Security APIs
- Using the Java Generic Security Services (GSS) API
- Using the Java Simple Authentication and Security Layer (SASL) API
- Using the Java Secure Socket Extension (JSSE) with Kerberos
Part III: Deploying for Single Sign-On in a Kerberos Environment
Part IV: Secure Communications using stronger encryption algorithms
Part V: Secure Authentication using SPNEGO Java GSS mechanism
Part VI: HTTP/SPNEGO authentication
Appendix A: Setting up Kerberos Accounts
Kerberos accounts are set up on the Key Distribution Center (KDC). Each entry in the Kerberos database contains a Kerberos principal. You should create a host-based principal for the machine that you will be running the servers (e.g., "host/j1hol-001
") and a client principal (e.g., "test
") for accessing the servers.
For Solaris, please refer to following documentation on how to setup Kerberos principals.
For Windows, please refer to Microsoft documentation. Here are some pointers.
- How To Create an Active Directory Server in Windows Server 2003
- Microsoft Kerberos
- Interoperability with Microsoft Windows 2000 Active Directory and Kerberos Services
The exercises assume that the operating system has been configured to use the correct Kerberos server. This configuration typically requires administration privileges. If you cannot configure the operating system, then you can use a Kerberos configuration file with your java
command by using the -Djava.security.krb5.conf
option. Here is an example of how to invoke one of the commands from the exercises to use the krb5.conf
configuration file.
% java -Djava.security.auth.login.config=jaas-krb5.conf\ -Djava.security.krb5.conf=krb5.conf Jaas client