<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Java Internet security" />
<meta name="abstract" content="Java programming is becoming increasingly widespread in today's computing environments." />
<meta name="description" content="Java programming is becoming increasingly widespread in today's computing environments." />
<meta name="DC.Relation" scheme="URI" content="rzaj45zrscenario1risks.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45bchttpsec.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu401usingdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahh/secauth.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzaha/jaasbase.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahh/sslinfo.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzaha/usessl.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj45bejavasecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Java Internet security</title>
</head>
<body id="rzaj45bejavasecurity"><a name="rzaj45bejavasecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Java Internet security</h1>
<div><p>Java™ programming is becoming increasingly widespread
in today's computing environments.</p>
<p>For example, you might be using the IBM<sup>®</sup> Toolbox for Java or the IBM Development Kit for Java on
your system to develop new applications. Consequently, you must prepare to
deal with the security issues that are associated with Java. Although
a firewall is a good defense against most general Internet security risks,
it does not protect against many of the risks that using Java presents.
Your security policy should include details for protecting your system in
three areas of concern for Java: applications, applets, and servlets.
Also, you should understand how Java and resource security interact in terms
of authentication and authorization for Java programs.</p>
<div class="section"><h4 class="sectiontitle">Java applications</h4><p>As a language, Java has some characteristics that protect Java programmers
from unintentional errors that can cause integrity problems. (Other languages
that are commonly used for PC applications, such as C or C++, do not protect
programmers from unintentional errors as strongly as Java does.)
For example, Java uses strong typing, which protects the programmer
from using objects in unintended ways. Java does not allow pointer manipulation,
which protects the programmer from accidentally going outside the memory boundaries
of the program. From an application development perspective, you can view Java as
you do other high-level languages. You should apply the same security rules
for application design that you apply with other languages on your iSeries
server.</p>
</div>
<div class="section"><h4 class="sectiontitle">Java applets</h4><p>Java applets are small Java programs
that you can include in your HTML pages. Because applets run on the client,
what they do is a concern to the client. However, a Java applet has the potential to
access your iSeries server. (An ODBC program or an advanced program-to-program
communications (APPC) program that operates on a PC in your network can also
access your iSeries.) In general, Java applets can establish a session only
with the server from which the applet originated. Therefore, a Java applet
can access your iSeries from a connected PC only when the applet came from
your iSeries server (such as from your web server).</p>
<p><img src="./delta.gif" alt="Start of change" />An applet
can attempt to connect to any TCP/IP port on a server. It does
not need to talk to a software server that is written in Java. However,
for servers that are written with the IBM Toolbox for Java, the applet must provide a user ID
and password when it establishes connections back to the server. In this material,
the servers described are all iSeries servers. (A server written in Java does
not need to use the IBM Toolbox for Java.) Typically, the IBM Toolbox for Java class
prompts the user for a user ID and password for the first connection.<img src="./deltaend.gif" alt="End of change" /></p>
<p>The
applet can perform functions on the iSeries server only if the user profile
has authorization to those functions. Therefore, a good resource security
scheme is essential when you begin to use Java applets to provide new application
function. When the system processes the requests from applets, it does not
use the limited capability value in the profile of the user.</p>
<div class="p">The applet
viewer allows you to test an applet on the server system; however, it is not
subject to browser security restrictions. Therefore, you should use the applet
viewer to test your own applets only, never to run applets from outside sources. Java applets
often write to the PC drive of the user, which may give the applet the opportunity
to perform a destructive action. However, you can use a digital certificate
to sign a Java applet to establish its authenticity. The signed
applet can write to the PC's local drives, even though the default setting
for the browser prevents it. The signed applet can also write to mapped drives
on your iSeries server because they appear to the PC to be local drives. <div class="note"><span class="notetitle">Note:</span> The
behavior described above is generally true for Netscape Navigator and MS Internet
Explorer. What actually happens depends on how you configure and manage the
browsers that you use.</div>
</div>
<p>For Java applets that originate from your iSeries
server, you might need to use signed applets. However, you should instruct
your users in general not to accept signed applets from unknown sources.</p>
<p>Beginning
with V4R4, you can use the IBM Toolbox for Java to set up a Secure Sockets Layer (SSL)
environment. You can also use the IBM Developer Toolkit for Java to
make a Java application secure with SSL. Using SSL with your Java applications
ensures encryption of the data, including the user IDs and passwords that
pass between the client and server. You can use Digital Certificate Manager
to configure registered Java programs to use SSL.</p>
</div>
<div class="section"><h4 class="sectiontitle">Java servlets</h4><p>Servlets
are server-side components, written in Java, that dynamically extend the functionality
of a web server without changing web server code. The IBM WebSphere<sup>®</sup> Application Server that
ships with IBM HTTP
Server for iSeries provides support for using servlets on iSeries systems.</p>
<p>You must use
resource security on servlet objects that the server uses. However, applying
resource security to a servlet does not sufficiently secure it. Once a web
server loads a servlet, resource security does not prevent others from running
it too. Consequently, you should use HTTP Server security controls and
directives in addition to resource security. For example, do not allow servlets
to run under the profile of the web server only. In addition, you should
control who can run the servlet (mask keywords in the protection directive)
through the use of HTTP server groups and access control lists (ACL). Also,
you should use the security features provided by your servlet development
tools, such as those found in the WebSphere Application Server for iSeries™.</p>
<div class="p">Review these resources to learn more about general
security measures for Java:<ul><li>IBM Developer
Kit for Java <a href="../rzaha/security.htm">Java Security</a>.</li>
<li>IBM Toolbox
for Java <a href="../rzahh/security.htm">security classes</a>.</li>
<li><img src="./delta.gif" alt="Start of change" /><a href="../rzamv/rzamvsecurityinternet.htm">Security considerations for Internet browsers</a>.<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Java authentication and authorization to resources</h4><p>IBM Toolbox
for Java contains
security classes that verify the identity of the user and optionally
assign that identity to the operating system thread for an application or
servlet that is running on an iSeries system. Subsequent checks for resource
security occur under the assigned identity. <span>For
more detailed information about these security classes, see IBM Toolbox for Java <a href="../rzahh/secauth.htm">Authentication Services</a>.</span></p>
<p>The IBM Developer
Kit for Java provides support for the Java Authentication
and Authorization Service (JAAS), which is a standard extension to the Java 2
Software Development Kit (J2SDK), Standard Edition. Currently, J2SDK provides
access controls that are based on where the code originated and who signed
the code (code source-based access controls). <span>To
learn more about using the J2SDK, see <a href="../rzaha/jaasbase.htm">Java Authentication and Authorization Service</a>.</span></p>
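<p>The code source-based controls described above are written as grants in a Java policy file; this added example (not taken from the IBM documentation) sets an overly broad grant beside grants scoped by code origin and signer, and a JAAS grant that also requires an authenticated principal. The host name, file paths, keystore, signer alias and principal class are all assumptions chosen for illustration.</p>

```text
// Constructed example policy file; every name below is a placeholder.

// Keystore holding the certificate for the "opsSigner" alias used by signedBy.
keystore "file:/home/secadmin/trusted.jks", "JKS";

// Too broad: no codeBase and no signedBy, so this would match all code.
// grant {
//     permission java.security.AllPermission;
// };

// Code source-based: applies only to code loaded from this location
// AND signed by opsSigner. "/-" matches everything below the directory.
grant codeBase "https://myiseries.example.com/applets/-", signedBy "opsSigner" {
    // Connect back to the originating server's SSL port only.
    permission java.net.SocketPermission "myiseries.example.com:443", "connect";
    // Read and write only under one directory in the user's home.
    permission java.io.FilePermission "${user.home}${/}reports${/}-", "read,write";
};

// JAAS adds "who is running the code": the permission is granted only
// while the signed code executes on behalf of this authenticated principal.
grant codeBase "file:/apps/payroll/payroll.jar", signedBy "opsSigner",
      principal com.example.auth.UserPrincipal "PAYROLLADM" {
    permission java.io.FilePermission "/payroll/data/-", "read";
};
```

<p>The runtime enforces these grants only when a security manager is installed, and the principal-based grant takes effect only for code that runs through Subject.doAs after a successful login.</p>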
</div>
<div class="section"><h4 class="sectiontitle">Securing your Java applications with SSL</h4><p>You
can use Secure Sockets Layer (SSL) to secure communications for iSeries applications
that you develop with IBM Developer Kit for Java. Client applications that use IBM Toolbox for Java can
also take advantage of SSL. The process for enabling SSL for your own Java applications
is somewhat different from enabling it for other applications.</p>
<p>For
more information about Secure Sockets Layer administration for Java applications,
see these <span class="keyword"><img src="./delta.gif" alt="Start of change" />IBM Systems Software Information Center<img src="./deltaend.gif" alt="End of change" /></span> topics:</p>
<ul><li>IBM Toolbox
for Java Secure
Sockets Layer (SSL) environment.</li>
<li>IBM Developer
Toolkit for Java to make a Java application secure with SSL.</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zrscenario1risks.htm" title="Use this information to learn about common Internet security risks for a number of popular Internet applications and services and measures that you can take to manage these risks.">Application security options</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaj45bchttpsec.htm" title="When you provide access for visitors to your web site, you do not want to expose your viewers to information about how the site is set up and the coding that is used to generate the page.">Web serving security</a></div>
<div><a href="../rzahu/rzahurzahu401usingdcm.htm">Digital Certificate Manager</a></div>
<div><a href="../rzahh/secauth.htm">Authentication Services</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzaha/usessl.htm">Make a Java application secure with SSL</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzaha/jaasbase.htm">Java Authentication and Authorization Service</a></div>
<div><a href="../rzahh/sslinfo.htm">Secure Sockets Layer (SSL) environment</a></div>
</div>
</div>
</body>
</html>