Introduction to Essential Java EE Security

Audience	This course is designed for Java programmers who need to build secure applications. It has also proved helpful for system administrators and security officers who need a clear understanding of how security works within Java.
Duration	4 Days
Course Abstract	Our Essential Java Security class will teach you how to ensure your Java applications are developed with the most advanced security measures available in Java today. The class begins by discussing threats and mitigation techniques, including conventional and public key cryptography, and the most popular authentication protocols, including SSL. Fundamental Java security concepts are covered, including principals, authorities, access control, and more. You will learn the basis of Java security, class loaders, the Security Manager and the Access Controller. Security features of HTTP and Servlets are covered, as well as techniques for securing Web services. Full coverage of JAAS is provided, including using JAAS to provide authentication, illustrate authentication modules, and interacting with JAAS to provide single sign-on of users. The course also covers JAAS authorization and examines how it extends the original policy file based authorization mechanism. Secure coding techniques to avoid common security bugs such as buffer overflows.
Price	Call for pricing
Objectives	Upon conclusion participants will have acquired these skills: Learn the role of Java Authentication Authorization Services (JAAS) Depict the usage of JAAS Authentication Depict the role of JAAS Authorization Illustrate the use of Policy Files Discuss the functions of the J2EE Security Manager Demonstrate the capabilities of the Access Controller JCA: Public Key Cryptography, Hashing and Signatures JCE: Symmetric Encryption Discuss Threats and Mitigation Techniques Illustrate Digital Certificates and their use with security Demonstrate the techniques for securing Web Services SSL integration between Web and application servers Illustrate the role of LDAP directories Discuss the role of SSL and its configuration HTTP Authentication and Authorization Servlets and Role Based Security
Class Format	Lecture and Lab
Prerequisites	Each student should have a basic understanding of the Java programming language.
Course Topics	The following list represents the sections and topics discussed in this onsite instructor-led course offering.
	IT Security Status Security myths Application and Network flaws Impact of Web 2.0 Security wheel Security patterns Template Categorizations Relationships Known risks Interceptor Gateway Message Interceptor Assertion Builder Audit Interceptor Best practices Java Security Basics Core Java technology JVM Security Java language security Platform security Security models JDK J2SE J2EE EE Permissions Java Policy files Security Manager Codebase Bytecode Verifier Class Loaders Java Web Start J2ME Security Key and Certificate Management Keystores Policy Tool JarSigner Keytool Public and Private Keys Exporting and Importing Certificates Signing Requests Securing Java source code Java Security Manager Security Goals Solution concepts Using UIDs Access Control Lists Language security Java Security mechanism Sandbox Trusted code Fine grained control Create Security policy Installation Stack inspection Beyond JVM Security Using Secure Socket Layers SSL Overview SSL Architecture Components Sessions and Connections State changes SSL Records Protocol processing Header MAC address Encryption Alert protocol Handshakes Key exchange methods Server certificate and key exchange Client authentication Cryptographic computations Analyzing SSL records Traffic analysis Confidentiality Authentication Cipher attacks Key exchange algorithm Digital Certificates Introduction Certificate Authorities X.509 Certificates Architecture Types Retrieval Distribution X.509 Certificate format Revocation Revocation lists Distribution Pre-existing Certificates Use with SSLs Java EE Security Relevant standards Role and use of annotations Defining JAAS Authentication vs. Authorization Role of Subject Defining Principal Pluggable Authentication modules Creating LoginContext LoginModule chaining Principal-based authorization Codesource vs. ProtectionDomain Using AccessController Security Policies and Infrastructure EJB Security Security context Use of role names Annotations Deployment descriptor elements Method permissions Propogation Programmatic vs. Declarative Web tier security Encryption using javax.crypto Cryptography Concepts Encryption Keys Cipher Algorithms Modes and Padding Schemes The Cipher Class Encrypting and Decrypting Data Cipher Output Stream Cipher Input Stream Encryption using Password Ciphers Exchanging Encrypted Keys Sealed Objects Encryption Methods Cryptography techniques Symmetric Asymmetric Combinations Standards DES AES Diffie-Hellman RSA Public vs. Private Keys Signing and Padding Hashing Digital signatures Usage Role of key Methodology Use of JCE Encryption Keys Performance considerations Java Authentication and Authorization services Authentication and Authorization JAAS Overview LoginContext Subjects, Principals, and PrivilegedActions Authentication with the NTLoginModule Defining Permissions in Policy Files KeyStoreLoginModule Callbacks NameCallback and PasswordCallback The Policy Class Using Java EE Security Authentication Authorization Security Layers Features Topology Protocols SSL Application Server Management LTPA SSO Identity Assertion Declarative Security Security Roles Run-As Delegation Securing resources Creating Constraints Authentication types Form Digital Basic Certificate Trust Association Custom Trust Assocation Interceptors