Date: Tue, 31 Mar 1998 08:47:10 -0800
From: David.Brownell@Eng (David Brownell)
Message-Id: <199803311647.IAA24360@argon.eng.sun.com>
To: java-security@web1.javasoft.com, tope@kbss.bt.co.uk
Subject: Re: java [network] security features

> 2. What features can one use, in JAVA, for the 2 main security issues in
> distributed systems, viz Authorisation & Authentication? ;

I'll assume you're talking about the "JDK" and "JRE" Java products from
JavaSoft. Think of "JRE" as the runtime version of the JDK:

- JDK 1.1 has only interfaces (no implementations) for such features:
  java.security.Principal identifies authenticated entities, and the
  java.security.acl package has some ACL based authorisation tools. The
  Certificate interface can be used for some public key systems. And
  there are MessageDigest and Signature APIs which can be used in
  constructing authentication protocols.

- In JDK 1.2 there are authorisation tools based on signed code modules,
  which are authenticated according to X509 certificates. There's also
  an X509v3 package (with an implementation behind it this time), better
  key management support, and more that I've surely forgotten about!

Otherwise, at this time you'll need to either buy a third party product or
"roll your own" solution. I don't know of a good reference page for
those third party solutions, or I'd include its URL.

JavaSoft will sell the "JavaServer Engine" product, a binary package, this
summer; I believe that will include the authorisation and authentication
tools used in the JavaServer product family. That includes SSL, with
client authentication integrated into the java.security.acl authorisation
framework, as well as support for challenge/response and passphrase based
authentication also integrated into that ACL framework.

> 3. Can one implement something similar to Kerberos with the current JAVA?

Yes. It's a Turing-complete language, after all! There's some interest
in Java bindings to Kerberos (via the IETF's GSS-API).

You might be interested in products from Dascom (www.dascom.com) who
have begun DCE integration with Java, and of course have some Kerberos
support along with their other authentication and authorisation support.

I also seem to recall some German companies with Java network security
products, but don't recall their names. A web search should turn up
some options pretty quickly!

- Dave
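
Added example, not part of the original message and not JavaSoft code: a minimal signature-based challenge/response built on the java.security.Signature API mentioned above, with the verifier rejecting a replayed challenge and a response signed by an unregistered key. It assumes a current JDK with its default providers (EC keys, "SHA256withECDSA"); the class name, the "demo-auth-v1" label and the user name are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
// Added example (not from the original message); all names are hypothetical.
public class ChallengeResponseDemo {
    // Verifier state: registered public keys and outstanding single-use challenges.
    static final Map<String, PublicKey> registered = new HashMap<>();
    static final Set<String> outstanding = new HashSet<>();

    static byte[] newChallenge() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        outstanding.add(Base64.getEncoder().encodeToString(nonce));
        return nonce;
    }
    // Bind the signature to a protocol label and the claimed identity.
    static byte[] transcript(String user, byte[] nonce) {
        byte[] prefix = ("demo-auth-v1|" + user + "|").getBytes(StandardCharsets.UTF_8);
        byte[] out = Arrays.copyOf(prefix, prefix.length + nonce.length);
        System.arraycopy(nonce, 0, out, prefix.length, nonce.length);
        return out;
    }
    static byte[] respond(PrivateKey key, String user, byte[] nonce) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(transcript(user, nonce));
        return s.sign();
    }
    static boolean verify(String user, byte[] nonce, byte[] response) throws GeneralSecurityException {
        // Consume the challenge first so a replayed nonce fails even with a valid signature.
        if (!outstanding.remove(Base64.getEncoder().encodeToString(nonce))) return false;
        PublicKey pub = registered.get(user);
        if (pub == null) return false;
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub);
        s.update(transcript(user, nonce));
        return s.verify(response);
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair alice = kpg.generateKeyPair(), other = kpg.generateKeyPair();
        registered.put("alice", alice.getPublic());
        byte[] c1 = newChallenge(), c2 = newChallenge();
        byte[] r1 = respond(alice.getPrivate(), "alice", c1);
        System.out.println("fresh response accepted: " + verify("alice", c1, r1));
        System.out.println("replay accepted: " + verify("alice", c1, r1));
        System.out.println("unregistered key accepted: " + verify("alice", c2, respond(other.getPrivate(), "alice", c2)));
    }
}
```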