Advanced Java security
Course fee: kr 17 900 | Duration: 3 days
Target audience: Java and JEE developers, software architects and testers
Prerequisites: Advanced Java
- Java security technologies and services:
Java language security solutions, Java Virtual Machine (JVM) and Java Runtime Environment (JRE); Bytecode Verifier and Classloader; Security Manager and Access Controller, managing permissions with the Policy Tool; Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE), Java Secure Socket Extension (JSSE), Java Authentication and Authorization Service (JAAS), Java Keystore (JKS) and the keytool
- Java Enterprise Edition (JEE) topics:
JEE security solutions; declarative and programmatic security; annotations and deployment descriptors; Web/Presentation Tier, Enterprise Java Beans (EJB)/Business Tier, Enterprise Information System (EIS)/Integration Tier; Java Message Service (JMS), Java Database Connectivity (JDBC)
- Web services:
SOAP and REST; transport-layer security, application- and container-managed authentication and authorization; end-to-end security; Web Services Security (WSS), username/password authentication, signing (XML Signature) and encryption (XML Encryption)
- Java specific vulnerabilities:
integer overflows in Java (e.g. in java.util.zip.CRC32); Calendar/ZoneInfo deserialization bug (CVE-2008-5353); unsafe reflection; web-related vulnerabilities such as SQL Injection, Command Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), HTTP Injection, Insecure Direct Object Reference; unsafe Java Native Interface (JNI); improper error and exception handling; insecure randomness of java.util.Random; object hijacking; serialization of sensitive information; dangers of mobile code; Denial-of-Service (DoS) in Java (the “2.2250738585072012e-308 bug”), problems with inner classes, and many more...
- Exercises:
setting and using permissions; authentication and authorization through JAAS; using JCA/JCE providers for digital signing and encryption; permissions for signed code; using JSSE – switching from HTTP to HTTPS; working with file and JDBC realms, setting the deployment descriptors accordingly; authentication, specifying roles and method permissions by annotation and deployment descriptors; using wsimport to generate client artifacts – plain and SSL communication with the container; application- and container-managed authentication; WS-Security with username and password; XML Signature; XML Encryption; exploiting SQL injection step-by-step; crafting Cross-Site Scripting attacks; uploading and running executable code; crashing through JNI; proof-of-concept exploit of the Calendar/ZoneInfo deserialization bug; using reflection to break accessibility modifiers; object hijacking; preventing serialization; exploiting mobile code vulnerabilities; crashing Java with magic double values; exploiting inner classes.