Java CAPS applications typically handle the transmission of sensitive or critical data that require a high-level of security. When developing Java CAPS applications, it is important to secure all processes in the application life cycle, including the development, testing, deployment, migration, upgrading, and patching phases.
The following topics provide an overview of security for Java CAPS:
When developing integration applications, security is crucial in not only the applications you develop, but in the environments in which you develop and deploy applications as well. Many of the Java CAPS applications you create will be web services. Due to the nature of web services and the use of open access, this adds a new set of requirements to the security considerations.
Security measures can include, but are not limited to, any of the following:
Authentication and authorization fulfill the very basic security requirements of verifying the identify of each user (authentication) and verifying that each user has the security permissions needed to perform certain tasks and access certain information (authorization). Java CAPS employs user authentication and authorization for installing certain Repository-based projects, deploying projects, monitoring deployed projects, and using Java CAPS applications to access information. In addition to its own security features, Java CAPS uses the authentication and authorization features of GlassFish Server.
Confidentiality means keeping private information private, from the code you develop to the messages processed through the applications you create. It can also mean keeping private the identities of the parties exchanging information. This is accomplished by encrypting data and by hiding the identities of each party involved in a transaction.
When you develop applications whose mission is to exchange data between external systems, it is imperative that the content of the messages does not change and that the integrity of the content is maintained. A digital signature can validate the message, guaranteeing that a message has not been changed since it was signed and providing non-repudiation.
Secure transport means ensuring that messages remain secure while they are in transit. The most widely use transport-level security protocol is Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS). Java CAPS allows you to configure design-time and runtime tools to use SSL, and you can configure many individual components in Java CAPS applications to use SSL.
In addition to securing information and applications, the physical hardware you used should also be secured. In a production environment, make sure that the actual hardware that hosts applications and the code is stored in a secured room with no unauthorized access.
Network security involves preventing unwanted access to your networks, as well as misuse or modification of network resources. Authentication and authorization are the first steps to securing your network, and you can limit traffic between networks by using both hardware and software to create firewalls. In addition, anti-virus software can help keep your network free of malware.
User access to information and applications needs to be managed throughout the development lifecycle. This includes tasks such as adding and removing user accounts, assigning users to roles, removing users from roles, and adding new roles. These activities control user access to tools used in development and testing, and control access to tools, applications, and information in the production environment.
Once a system is in production, an audit record should be maintained of server activity and you should be able to monitor and maintain running applications. Java CAPS provides auditing through its server log, and provides monitoring and management tools with the Enterprise Manager and the JBI Monitoring and Management API.
Java CAPS supports standard security protocols, such as HTTP, Secure Sockets Layer (SSL), HTTP over SSL, Web Services Security (WSIT), X.509 certificates, and so on. Java CAPS can also be configured to use security realms, including the file, certificate, and LDAP realms.
Java CAPS provides user, group, and role management tools for Repository-based applications, such as the Java CAPS Suite Installer and Enterprise Manager. Java CAPS can also take advantage of security features provided by the GlassFish Server and NetBeans for secure coding and secure message transport.
At the transport level, Java CAPS can use the security features of GlassFish and of the Repository. For example, you can configure connections to the GlassFish Server, Enterprise Manager, and Suite Installer to be through SSL. In addition, transport-level security can be defined in Adapter and Binding Component properties. At the message level you can use data encryption, web services security (WS-Security) policies, certificates, and so on. Certain Java CAPS components can be configured for additional security, such as Adapters and Binding Components.
Additional security information for Java CAPS can be found in the following locations. These documents are referenced throughout this book.
Provides information on the security features of the Java CAPS Repository-based products.
Provides information on configuring Repository-based products for SSL communication.
Provides information on using an LDAP server to maintain security information for Repository-based products.
Provides information on using Enterprise Manager to monitor and manage your running Repository-based applications.
Provides general information about using the various tools available in Java CAPS to administer JBI components, including NetBeans, the GlassFish Server Admin Console, and command-line utilities.
Provides information on using the Management and Monitoring API to monitor alerts for JBI applications.
Contains information about the security features available for web services in Java CAPS.
Describes how to configure security using the GlassFish Server Admin Console, including information on using certificates, SSL, realms, and so on.
Describes how to use GlassFish tools to help secure messages processed through your Java CAPS applications that are deployed on the GlassFish Server.
Provides information on working with Oracle Web Services Manager, including the web services security policies supported by Java CAPS.
Note - Security information specific to Java CAPS components, such as Adapters and Binding Components, can be found in the documentation for those products.