Java and Security – Introduction to Java Security Policies for Java Developers

This post provide information on the security enhancement added by the Java on version upgrades. Java developers can get better idea on Java development with keeping application secure at the same time.

Java modes of use

• Applets:              Auto-run when view web page
• Applications:   Traditional program
• Beans:                 Component (like OLE object)
• Servlets:            Server-side applications
• Aglets:               Intelligent Agents
• Doclets:            Configurable doc generator
• Embedded Systems
• Smart Cards (“JavaCard”)

Security Related Capabilities of Java

JDK 1.0 (Fall 1995)
Policy: “Sandbox” for applets; others unlimited
Mechanisms: SecurityManager, Bytecode verifier, Classloader
JDK 1.1 (Spring 1997)
Policy: can also grant total trust to signed applets
Mechanisms: Java Archive (JAR), crypto-related APIs
Inflexible: Too little or too much privilege

Netscape & Microsoft Extensions
Enabled more flexible approaches
Incompatible with each other and with Sun
J2SE (Java 2 Platform Standard Edition) (Fall 1998)
Includes SDK 1.2 and runtime

Policy: can also grant fine-grained privileges to specific applets/classes based on source and/or signatures
Mechanisms: AccessController, ProtectionDomain, CodeSource, Permission, GuardedObject, …
“Java Plug-in” supports both Microsoft & Netscape

Java 1.0 Security Policy

Sandbox Policy (for applets)
Cannot access local filesystem or devices
Network connections only to applet load source
Cannot invoke any local program or library
“Untrusted” indicator on top-level windows
Cannot manipulate basic classes or another ThreadGroup
Appletviewer CL can be initialized to vary these
Applications unlimited in 1.0; can code a policy

Security Manager

Class defines check methods called by system
E.G. “checkRead(String filename)”
Method throws exception if invalid
To create a security policy from scratch:
Create a subclass (code) & instantiate
Install using System.setSecurityManager; this cannot be revoked or replaced
This is used to create the Sandbox
If no SecurityManager installed, all privileges granted

Java developers and thumbs down to JCP

Many proficient Java Developers are seen keep themselves away from JCP (Java Community Process) and use to prefer implement their new ideas being part of smaller communities. A community which used to give quick answer in minutes once upon a time has now become so much complex and difficult to stay for Java developers.

Being specific we can say that JCP has actually lost its focus. They have no more image as a solution oriented community, but it has now become more like rubber stamps which sanction the specification entered by big players.

Has the Java API exploded?
Sue Spielman is president and senior consulting engineer of Switchback Software LLC and an author of several Java-related books. She says that there have been many Java Specification Requests (JSRs) proposed that have “exploded the Java API.”

“While this isn’t necessarily a bad thing, it certainly is a challenge to the Java developer who tries to stay up on the happenings in the JCP,” Spielman said. “This could very well be one of the reasons that in the eyes of the developers, the JCP is bloated and crawling at a snail’s pace. It has become impossible for anyone to keep up on all of the JSRs that are currently in proposal and various review stages.

“One suggestion I have is that JCP restructure so that there is a tiered level to appropriate JSRs. The main tier would be one that affects the most people in the Java community. The expert groups are composed of organizations and individuals that are concerned (or interested) in the JSR. The review process takes into account the public opinions, but that doesn’t necessarily mean that the public opinion will make it into the final JSR.

Some credibility and respect might be regained by using a voting method of the public Java community (not just the expert group), similar to the process used in open source development. The timeframes can be limited, thereby speeding up the process, and the voting Java community will ultimately be deciding what is important for their Java development.

Programming scope for Java Developers

Java developers can create two types of programs applets and application. A Java Application Development is a program that runs on your computer under the operating system of that computer. This application is just like C or C++.

Always remember that when you create application java is not much different from any other computer language. But the main advantage of Java Application is that you can run these programs anywhere. And Java Developers can develop an application from low end to very high end uses. But the ability to create applets makes Java important. And applet is an application designed to be transmitted over the internet and executed by a java compatible web browser. An applet is a tiny Java program dynamically downloaded across the network just like a video-clip, image and sound file.

But the most important difference is that an applet is an intelligent program not just media file or animation. In other words you can say that applet is a program that can react to user input and dynamically change- not just run the same animation or sound over and over. Always remember that Java Developers can implement many ideas with this platform.

Tips for developing secure Java application to the Java Developers

Day by day as Java is becoming more popular and its demand is going to touch the sky. This is good for Java that the people like it that much and they are getting benefits from it. Apart from this there are group of some who always try to break the rules and want to make any nonsense in the application. This is the reason why many of the Java developers are trying to improve their skills and writing secure Java application. To fulfill the same recently a group of private sector has been formed to conduct a standardized exam to test the skills of Java developers against the Java Security standards.

To write a highly secure Java application there are following thing which the java developers must be aware of:

• User authentication rules.
• Access control
• Session management and encryption techniques.
• Data handling techniques.

A java application is said to be the perfect one if it has been handled perfectly in respect of logics and security as well. If an application is well secured it is the real application. Today in this world of vulnerability it is the prior necessity of the Java developers to take very good care of the security in the application. To develop an application secure there are little things which could be remembered which are:

• Proper Validation
• Standard security test
• Well built logical software design
• Well planned application development

Software Development Cycle for Java Application Development

If you are going to do any Java Development or applet there are some basic requirement or you can say the details which is necessary for the developers. Here from this blog you can very well be aware of the software development life cycle. There are 5 phases in the development of any software.

Software requirement analysis: This is the very initial and very vital stage of any application development process. The need of this stage is to gather all the details and requirements which are needed for a proper development of the application. This stage includes interview, meetings and mock discussions which make the development team more clearly about the development process.

System design and analysis: This is the initial phase from where the technical stuffs are going to be implemented. In this phase the overall structure and the nuances of the application is defined.

Code Generation: In this stage all the things are made using the coding. We use different programming languages like C, C++, and Java for coding.

Testing: Once the code is generated, the part of testing begins. We use different testing methodologies which are available for different levels of testing.

Maintenance: After the overall development process it is our duty to give the client a basic support for future. In this phase we trained the client for using our created application and give technical support if needed.

Development Rules Which Java Developers must follow

There are some rules which a Java developers must follow for java application development. In this blog you can find some of those rules.

Add comment to your code

Adding comment to the code is the fundamental rule which a java developer must follow because it is possible that if you visit the code which you have written earlier you are not able to remember its function at that time. Hence you must always add comment to your code.

Do not use hard coding

You must never use hard coding. But generally java developers do not follow this rule and they mess up the things because of hard coding.

Provide requisite code

You must always write the full code in your project because writing less code can hamper the efficiency of the code.

Do not invent your own framework

You must never invent your own framework because thousands of frameworks are already available. And most of them work fine and have been used in many other applications. Hence there is no need of wasting your time and energy in inventing your own framework.

Never complicate things

You must never complicate things. If you are not sure of your step then you may consult an expert programmer.

It is also possible that you code in very rough way, but some logical error happens then you would find the need of following these step back from the begining. If Java Developers ignore any one of these rules then it can result in the failure of the project.

An Introduction to JSP Standard Template Library (JSTL)

Introduction

The JSP Standard Template Library (JSTL) is a very new component released by Sun for JSP programming. JSTL allows you to program your JSP pages using tags, rather than the scriptlet code that most JSP programmers are already accustomed to. JSTL can do nearly everything that regular JSP scriptlet code can do. You may be wondering why we need yet another HTML generation programming language.

JSTL was introduced was to allow JSP programmers/Java Developers to program using tags rather than Java code. To show why this is preferable, a quick example is in order. We will examine a very simple JSP page that counts to ten. We will examine this page both as regular scriptlet-based JSP, and then as JSTL. When the count to ten example is programmed using scriptlet based JSP, the JSP page appears as follows.

<html>
  <head>
    <title>Count to 10 in JSP scriptlet</title>
  </head>
  <body>
<%
  for(int i=1;i<=10;i++)
{%>
<%=i%><br/>
<%
}
%>
  </body>
</html>

As you can see from the preceding example, using scriptlet code produces page source code the contains a mix of HTML tags and Java statements. There are several reasons why this mixing of programming styles is not optimal.

// The primary reason that it is not optimal to mix scriptlet and tag-based code is readability. This readability apples both to humans and computers. JSTL allows the human programmer to look at a program that consists entirely of HTML and HTML-like tags.

The readability of JSP scriptlet code does not just apply to human beings. The mixing of scriptlet and HTML code is also hard for computers to read. This is particularly true of HTML authoring tools such as Someone’s Dreamweaver and Microsoft FrontPage. Currently, most HTML authoring tools will segregate JSP scriptlet code as non-editable blocks. The HTML authoring tools usually do not modify the JSP scriptlet code directly.

The following code shows how the count to ten example would be written using JSTL. As you can see, this code listing is much more constant, as only tags are used. HTML and JSTL tags are mixed to produce the example.

<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<html>
  <head>
    <title>Count to 10 Example (using JSTL)</title>
  </head>

  <body>
    <c:forEach var="i" begin="1" end="10" step="1">
      <c:out value="${i}" />

      <br />
    </c:forEach>
  </body>
</html>

When you examine the preceding source code, you can see that the JSP page consists entirely of tags. The above code makes use of HTML tags such <head> and <br>. The use of tags is not confined just to HTML tags. This code also makes use of JSTL tags such as <c:forEach> and <c:out>. In this article you will be introduced to some of the basics of JSTL.

Installing JSTL

To use JSTL, you must have a JSP 1.2 (or higher) container installed. One of the most commonly used JSP containers is the Apache Tomcat Web server. You can obtain a copy of Tomcat from http://jakarta.apache.org/tomcat/. Using Tomcat alone will allow you to use regular JSP scriptlet code. To use JSTL, you must install JSTL into Tomcat. JSTL can be obtained from the same source as Tomcat. The main URL for JSTL is http://java.sun.com/products/jsp/jstl/. To use JSTL, you must unzip the distribution files and install them into the correct locations within Tomcat.

To properly install JSTL for use with Tomcat, follow these three steps:

1. Copy the JSTL JAR files to Tomcat’s lib directory.

   If you are using Windows, the likely location of your lib directory is C:\Program Files\Apache Tomcat 4.0\webapps\ROOT\WEB-INF\lib. There are a number of JAR files included with the JSTL release. You should copy each of these JAR files to the Tomcat JAR directory.

2. Copy the JSTL TLD files to Tomcat’s web-inf directory.

   The web-inf directory is likely at this location: C:\Program Files\Apache Tomcat 4.0\webapps\ROOT\WEB-INF. If you examine the JSTL distribution files, you should notice eight files that end with the TLD extension. All eight files should be copied to your web-inf directory.

3. Modify the web.xml file to include the TLD files.

   Finally, you must modify your web.xml, and add an entry for all eight of the tag libraries that you added. This consists of adding <taglib> directives inside the main <web-app> directive. The entries you should add are listed here.

     <taglib>
       <taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
       <taglib-location>/WEB-INF/fmt.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/fmt-rt</taglib-uri>
       <taglib-location>/WEB-INF/fmt-rt.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
       <taglib-location>/WEB-INF/c.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/core-rt</taglib-uri>
       <taglib-location>/WEB-INF/c-rt.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
       <taglib-location>/WEB-INF/sql.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/sql-rt</taglib-uri>
       <taglib-location>/WEB-INF/sql-rt.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/x</taglib-uri>
       <taglib-location>/WEB-INF/x.tld</taglib-location>
     </taglib>
   
     <taglib>
       <taglib-uri>http://java.sun.com/jstl/x-rt</taglib-uri>
       <taglib-location>/WEB-INF/x-rt.tld</taglib-location>
     </taglib>
   

After completing the preceding three steps, you are now ready to test your installation of JSTL. This can be done by creating a JSP page that uses JSTL. A very simple example would be the “count to ten” example shown before. You should place your JSP file inside the Webroot directory (C:\Program Files\Apache Tomcat 4.0\webapps\ROOT). Once the Tomcat server is started, you should now be able to browse to http://127.0.0.1:8080/count.jsp to see your page.

If you do not have JSTL installed correctly, there will likely be no error message. If JSTL is not interpreting your tags, they will be passed through directly to the Web browser. The Web browser will interpret these tags as unknown HTML tags. Most browsers simply ignore the unknown HTML tags.

The JSTL Tag Libraries

JSTL is often spoken of as a single-tag library. JSTL is actually four tag libraries. These tag libraries are summarized as follows.

• Core Tag Library—Contains tags that are essential to nearly any Web application. Examples of core tag libraries include looping, expression evaluation, and basic input and output.
• Formatting/Internationalization Tag Library—Contains tags that are used to and parse data. Some of these tags will parse data, such as dates, differently based on the current locale.
• Database Tag Library—Contains tags that can be used to access SQL databases. These tags are normally used only to create prototype programs. This is because most programs will not handle database access directly from JSP pages. Database access should be embedded in EJBs that are accessed by the JSP pages.
• XML Tag Library—Contains tags that can be used to access XML elements. Because XML is used in many Web applications, XML processing is an important feature of JSTL.

In this article, we will only take a brief look at a few of the core tags. We will examine a simple example that shows how to process data that a user enters into a form. Before we examine this program, we must first see how JSTL handles expressions. Expression handling in JSTL is accomplished by using the EL expression language, just as it is done in JSP 2.0. In the next section, we will examine the EL expression language.

The EL Expression Language

One major component of JSP 2.0 is the new expression language named EL. EL is used extensively in JSTL. However, it is important to remember that EL is a feature of JSP and not of JSTL. JSP scriptlet code used with JSP 2.0 can contain EL expressions. The following lines of code demonstrate using EL inside of JSP scriptlet code.

<p>
  Your total, including shipping is ${total+shipping}
</p>

As you can see form the preceding code, the values “total” and “shipping” are added and displayed as the HTML is generated. These expressions can be used inside of JSTL tags as well. One important requirement of JSTL 1.0 was that JSTL could be used with JSP 1.2. Because JSP 1.2 does not support EL, it is necessary to provide a few additional JSTL tags that facilitate the use of EL. For example, if you wanted to use JSTL to display the above expression, you would use the following code.

<p>
  Your total, including shipping is <c:out var="${total+shipping"/>
</p>

One of the requirements of JSTL was that it not require JSP 2.0 to run. By providing a tag that is capable of displaying EL expressions, this requirement is met.

JSTL Example

We will now examine a simple example that uses JSTL. For this example, we will examine a common procedure that is done by many Web applications. We will see how to POST a form and process the results from that POST. A simple program that is capable of doing this is shown below.

<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<html>
  <head>
    <title>If with Body</title>
  </head>

  <body>
    <c:if test="${pageContext.request.method=='POST'}">
      <c:if test="${param.guess=='Java'}">You guessed it!
      <br />

      <br />

      <br />
      </c:if>

      <c:if test="${param.guess!='Java'}">You are wrong
      <br />

      <br />

      <br />
      </c:if>
    </c:if>

    <form method="post">Guess what computer language
                        I am thinking of?
    <input type="text" name="guess" />

    <input type="submit" value="Try!" />

    <br />
    </form>
  </body>
</html>

This simple Web page will display a form and ask the user to guess what computer language the program is thinking of. Of course, the computer is thinking of “Java.” This page begins by checking to see if a POST was done. This allows both the form, and the code that handles the form, to be placed on one single page. This is done with the following JSTL if statement.

    <c:if test="${pageContext.request.method=='POST'}">

Here you can see that the <c:if> tag uses an EL expression to evaluate whether the request method is POST. If data was posted to the page, the value that the user entered for their guess is stored in a parameter named “guess”. This is because “guess” was specified as the name of the form input item. We must now check to see whether this parameter is equal to the word “Java”. This is done with the following <c:if> tag.

      <c:if test="${param.guess=='Java'}">
          You guessed it!
      </c:if>

As you can see, the body of the <c:if> tag is executed if the statement evaluates to true. In this article, we began to examine the basics of how JSTL is installed and how it works. There is much more to JSTL than the small example we examined in this article.

The core tags of JSTL also include tags for looping, iteration, and variable handling. By using these tags, you can iterate through collections, access user session data, and perform other core tasks that all Web applications perform. In addition to the core tag library, the XML, database, and formatting tag libraries are also provided for more advanced uses.

Conclusions

This article showed you some of the differences between the JSTL and standard JSP scriptlet programming. As you can see, JSTL allows a more consistent programming environment by allowing both HTML and procedural code to be expressed as tags. JSTL and tag libraries represent a new method of programming Web pages.

JSTL does not provide everything that a programmer would need to create a full-featured Web application. Further, some procedures that could be programmed in JSTL is often best not programmed in JSTL. One perfect example of this is the database JSTL tags. Except for very small Web applications, it is generally considered bad programming practice to embed actual database commands into a JSP page. The proper location for such program code is in Java beans and EJBs that will be used by your Web application. For such routines, you may consider creating your own tag libraries. This way, your JSP pages can use JSTL to perform basic programming procedures that are not unique to your business. You should implement your own tag libraries to implement components, which are unique to your business, which will be used by your Web application.

JSTL allows you to create a very consistent programming JSP-based application. This is done not just through JSTL, but through a combination of JSTL, your own custom tag libraries, and an underlying database. Understanding each of these components allows you to deploy an effective Web application

Article Reference:

http://www.developer.com/java/ejb/article.php/1447551/An-Introduction-to-JSP-Standard-Template-Library-JSTL.htm

Welcome to Java Software Development WordPress Blog!

Welcome to a Blog dedicated to the information and the updates on different Java technology and the Application Development on it.

Also this blog will provide you the insight scoop of what skills of technology a developer have to build a project on any Java technology.

You can find here useful and only useful links all across the Blog regarding latest news on Java software development and the things a developer should take care about.