Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
Java SE offers a rich set of APIs and features for developing secure Java applications and services. The exercise sessions listed here can help you to use the Java SE GSS APIs to build applications that authenticate their users, to communicate securely with other applications and services, and help you to configure your applications in a Kerberos environment to achieve Single Sign-On. In addition, you will also learn how to use stronger encryption algorithms in a Kerberos environment, and how to use Java GSS mechanisms such as SPNEGO to secure the association.
Setting up your Development Environment
Note:
The lessons in this section use the Subject::doAs method, which has been deprecated for removal because it has dependencies on Security Manager APIs, which are also deprecated for removal. See JEP 411: Deprecate the Security Manager for Removal for discussion and alternatives. Also note that the Subject::doAs method behaves differently depending on whether a Security Manager is allowed or disallowed. See Deprecated Methods and Replacements in the Subject JavaDoc API documentation.
The Subject::callAs method replaces the Subject::doAs method. See The doAs Methods for Performing an Action as a Particular Subject for more information.
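As an added illustration of the replacement API (not code from the lessons themselves), the sketch below runs an action with Subject::callAs, reads the active subject with Subject.current(), and unwraps the CompletionException that callAs throws when the action fails. It assumes JDK 18 or later; the class CallAsMigration, the DemoPrincipal record, and the method names are hypothetical, and the principal is a constructed stand-in for one that a JAAS Kerberos login would supply.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;

public class CallAsMigration {

    // Constructed stand-in for the principal a JAAS login would add to the Subject.
    record DemoPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Code running inside callAs obtains the active Subject with Subject.current(),
    // which replaces Subject.getSubject(AccessController.getContext()).
    static String currentUser() {
        Subject s = Subject.current();
        if (s == null) {
            return "<no subject>";
        }
        return s.getPrincipals().iterator().next().getName();
    }

    // Hypothetical action that fails with a checked exception.
    static String failingAction() throws Exception {
        throw new IOException("service unreachable (constructed failure)");
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new DemoPrincipal("duke@EXAMPLE.COM"));
        subject.setReadOnly(); // no further changes to principals or credentials

        System.out.println("outside callAs: " + currentUser());

        // doAs took a PrivilegedAction; callAs takes a java.util.concurrent.Callable.
        String user = Subject.callAs(subject, CallAsMigration::currentUser);
        System.out.println("inside callAs:  " + user);

        // doAs reported checked failures as PrivilegedActionException;
        // callAs wraps whatever the action throws in CompletionException.
        try {
            Subject.callAs(subject, CallAsMigration::failingAction);
        } catch (CompletionException e) {
            System.out.println("action failed:  " + e.getCause());
        }
    }
}
```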
Set up your development environment as follows before proceeding to the first exercise:
- Configure a Kerberos server with accounts used by the exercises. See Appendix A: Setting up Kerberos Accounts.
- Set up the Key Distribution Center (KDC) and start the Kerberos server.
- Set up the Kerberos configuration on your client computer.
- Set up the JDK environment:
  - Set the JAVA_HOME environment variable to point to the JDK installation directory.
  - Place %JAVA_HOME%\bin (Windows) or $JAVA_HOME/bin (Linux or macOS) in the PATH environment variable.
Exercises
This session includes six lessons. Each part contains one or more coding exercises. Work through the exercises in sequence:
- Part I: Secure Authentication using the Java Authentication and Authorization Service (JAAS)
- Part II: Secure Communications using the Java SE Security API
- Part III: Deploying for Single Sign-On in a Kerberos Environment
- Part IV: Secure Communications Using Stronger Encryption Algorithms
- Part V: Secure Authentication Using SPNEGO Java GSS Mechanism
- Part VI: HTTP/SPNEGO Authentication