Developing Secure Applications with Java Technology
Abstract
In its short lifetime, Java has grown from an interesting side project started at a hardware company into the predominant language for server-side, middle-tier programming. It is a platform-independent, type-safe, and compact language. It has a rich set of development libraries, provided in the Java Development Kit (JDK) itself and by open-source projects. However, as Java applications have come into widespread use, Java security issues have become increasingly complex. This thesis exposes the methods and means that hackers use to attack Java applications and proposes defensive measures and solutions.
     This thesis is aimed at Java developers who are familiar with the Java language and its main concepts. It discusses Java security technology from the following aspects:
     1) Java security fundamentals, and the architecture and security of J2EE;
     2) Java application and network security, including common hacker attacks, defensive countermeasures, and secure use of RMI;
     3) J2EE security at the Web tier and the business tier, covering the security of Java Web applications, services, and EJB.
     The purpose of this research is to help application developers choose appropriate security tools and use them correctly, in order to protect their own applications.
