The Java™ Cryptography Extension (JCE), Java™ Secure Socket Extension (JSSE), and Java™ Authentication and Authorization Service (JAAS) security features have now been integrated into J2SE v 1.4 rather than being optional packages.
There are two new security features:
The Java™ GSS-API can be used for securely exchanging messages between communicating applications using the Kerberos V5 mechanism. For more information, see http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/index.html.
The Java™ Certification Path API includes new classes and methods in the java.security.cert package that allow you to build and validate certification paths (also known as "certificate chains"). For more information, see http://java.sun.com/j2se/1.4/docs/guide/security/certpath/CertPathProgGuide.html.
Due to import control restrictions, the JCE jurisdiction policy files shipped with J2SE v 1.4 allow "strong" but limited cryptography to be used. An "unlimited" version of these files, indicating no restrictions on cryptographic strengths, is available.
The JSSE implementation provided in this release includes the strong cipher suites. However, due to U.S. export control restrictions, it does not allow the default SSLSocketFactory and SSLServerSocketFactory to be replaced. For more information, please see the JSSE Reference Guide at http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html.
With the integration of JAAS into the J2SE, the java.security.Policy API handles Principal-based queries, and the default policy implementation supports Principal-based grant entries. Thus, access control can now be based not just on what code is running, but also on who is running it.
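The difference between a code-based grant and a Principal-based grant, as an added example that is not taken from the J2SE documentation. The /opt/demo/ install directory, the demo.policy file name and the CN=Alice principal are assumptions, and it needs a JDK on which the Security Manager can still be enabled.

```java
// Added example. Assumed (hypothetical) names: classes installed under
// /opt/demo/, policy file demo.policy, principal "CN=Alice".
//
// demo.policy:
//   // Code-based grant: applies to this code no matter who runs it.
//   grant codeBase "file:/opt/demo/-" {
//       permission javax.security.auth.AuthPermission "doAsPrivileged";
//   };
//   // Principal-based grant: applies only while the code executes on
//   // behalf of a Subject that carries the named principal.
//   grant codeBase "file:/opt/demo/-",
//         principal javax.security.auth.x500.X500Principal "CN=Alice" {
//       permission java.util.PropertyPermission "user.home", "read";
//   };
//
// Run from /opt/demo with:
//   java -Djava.security.manager -Djava.security.policy=demo.policy PrincipalGrantDemo
import java.security.AccessControlException;
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class PrincipalGrantDemo {
    // The protected operation: reading user.home needs a PropertyPermission.
    static final PrivilegedAction READ_HOME = new PrivilegedAction() {
        public Object run() { return System.getProperty("user.home"); }
    };

    public static void main(String[] args) {
        // No Subject is associated with the thread, so only the
        // code-based grant is in effect and the read is refused.
        try {
            READ_HOME.run();
            System.out.println("without subject: allowed");
        } catch (AccessControlException e) {
            System.out.println("without subject: denied");
        }

        // Read-only Subject carrying the principal named in the policy.
        // A real application would obtain it from a JAAS LoginContext.
        Subject alice = new Subject(true,
                Collections.singleton(new X500Principal("CN=Alice")),
                Collections.EMPTY_SET, Collections.EMPTY_SET);

        // Same code, same action, now evaluated with Alice's principals.
        Object home = Subject.doAsPrivileged(alice, READ_HOME, null);
        System.out.println("as CN=Alice: " + home);
    }
}
```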
Support for dynamic policies has been added. In J2SE releases prior to version 1.4, classes were statically bound with permissions by querying security policy during class loading. The lifetime of this binding was scoped by the lifetime of the class loader. In version 1.4 this binding is now deferred until needed by a security check. The lifetime of the binding is now scoped by the lifetime of the security policy.
For more information on security in J2SE 1.4, see http://java.sun.com/j2se/1.4/docs/guide/security/index.html.