Security architecture
of the Java platform
Martin Toshev
@martin_fmi
Who am I
Software consultant (CoffeeCupConsulting)
BG JUG board member (http://jug.bg)
OpenJDK and Oracle RDBMS enthusiast
Twitter: @martin_fmi
Agenda
• Evolution of the Java security model
• Outside the sandbox: APIs for secure coding
• Designing and coding with security in mind
Evolution of the Java security model
• Traditionally, companies protect their assets using strict physical
and network access policies
• Tools such as anti-virus software, firewalls, IPS/IDS systems
facilitate this approach
• With the introduction of various technologies for loading and
executing code on the client machine from the browser (such as
applets), a new range of concerns emerges related to client
security – this is when the Java security sandbox starts to evolve …
• The goal of the Java security sandbox is to allow untrusted code
from applets to be executed safely inside a trusted environment such
as the user's browser
• JDK 1.0 (when it all started …) – the original sandbox model was
introduced
Diagram: an applet (untrusted) and the system code (trusted) run side by side inside the JVM, which the browser hosts; the applet is loaded from http://javantura.com/demoapplet
• Code executed by the JVM is divided into two domains – trusted
and untrusted
• Strict restrictions are applied by default to applets, such as
denial of reading/writing data on disk, connecting to the network
and so on
• JDK 1.1 (gaining trust …) – applet signing introduced
Diagram: as before, but a signed applet (trusted), loaded from http://javantura.com/trustedapplet, now sits alongside the unsigned applet (untrusted) from http://javantura.com/demoapplet and the system code (trusted) inside the JVM
• Local code (as in JDK 1.0) and signed applet code (as of JDK 1.1)
are trusted
• Unsigned remote code (as in JDK 1.0) remains untrusted
• Steps needed to sign and run an applet:
• Compile the applet
• Create a JAR file for the applet
• Generate a public/private key pair (keytool)
• Sign the applet JAR with the private key (jarsigner)
• Export a certificate for the public key (keytool)
• Import the certificate as a trusted certificate into the user's keystore (keytool)
• Create the policy file (granting permissions to code signed by that certificate)
• Load and run the applet
• JDK 1.2 (gaining more trust …) – fine-grained access control
Diagram: applet and system code inside the JVM, hosted by the browser; the applet loaded from http://javantura.com/demoapplet is now governed by a security.policy entry such as the one below, which SecurityManager.checkPermission(…) and AccessController.checkPermission(…) consult at run time

grant codeBase "http://javantura.com/demoapplet" {
    permission java.io.FilePermission "C:\\Windows", "delete";
};
• The security model becomes code-centric: what code may do depends
on where it was loaded from and who signed it
• Access control decisions are specified in a security policy
• There is no longer a binary trusted/untrusted split: once a
SecurityManager is installed, local code is subject to the policy
just like remote code, and each class gets exactly the permissions
granted to its code source
• The notion of a protection domain is introduced; its permissions
are determined by the security policy
• Two types of protection domains: the system domain (the core JDK
classes, which hold all permissions) and application domains
• The protection domain is assigned by the defining class loader
during class loading and contains the code source and the list of
permissions for the class
applet.getClass().getProtectionDomain();
• One permission can imply another permission (Permission.implies);
note that a FilePermission on a single path covers only that path, so
the recursive form "\-" is needed for the subtree below it:
java.io.FilePermission "C:\\Windows\\-" "delete"
implies
java.io.FilePermission "C:\\Windows\\system32" "delete"
• One code source can imply another code source (CodeSource.implies);
as with file paths, a trailing "/-" matches the location and
everything below it, a trailing "/*" only the files directly in it,
and a plain location only itself:
codeBase http://javantura.com/-
implies
codeBase http://javantura.com/demoapplet
• Since an execution thread may pass through classes loaded by
different class loaders (and hence belonging to different protection
domains) the following rule applies:
The effective permission set of an execution thread is the
intersection of the permissions of all protection domains on its call
stack: a permission is granted only if every domain on the stack holds
it. The one exception is AccessController.doPrivileged(…): the stack
walk stops at the frame that called it, so callers further up are not
consulted.
• JDK 1.3, 1.4 (what about the entities running the code … ?) – JAAS
Diagram: same layout, with the applet from http://javantura.com/demoapplet and a security.policy entry that now grants by principal rather than by code source:

grant principal javax.security.auth.x500.X500Principal "cn=Tom" {
    permission java.io.FilePermission "C:\\Windows", "delete";
};
• JAAS (Java Authentication and Authorization Service) extends the
code-centric model with principal-based (user and role) permissions
• The protection domain of a class may now contain not only the
code source and the permissions but also a list of principals
(attached while code runs on behalf of an authenticated subject)
• The authentication component of JAAS is independent of the Java
security sandbox and hence is typically used in a wider context
(such as Java EE application servers)
• The authorization component is the one that extends the Java
security policy
• Core classes of JAAS:
• javax.security.auth.Subject - an authenticated subject (a set of principals plus credentials)
• java.security.Principal - an identifying characteristic of a subject (user name, role, X.500 name …)
• javax.security.auth.spi.LoginModule - interface for implementors of pluggable (PAM-style) login
modules
• javax.security.auth.login.LoginContext - drives the login: instantiates the configured LoginModules and populates the Subject
• Up to JDK 1.4 the following is a typical flow for permission
checking:
1) upon system startup a security policy is set (by default it is read from
the java.policy files) and a security manager is installed (programmatically,
or with -Djava.security.manager on the command line)
Policy.setPolicy(…)
System.setSecurityManager(…)
2) during class loading (e.g. of a remote applet) the bytecode is verified
and the defining class loader assigns the class a protection domain (carrying
the code source, the set of permissions granted by the policy and, with JAAS,
the set of principals)
3) when system code is invoked from the remote code the SecurityManager
checks the requested permission against the current access control context:
the intersection of the protection domains on the calling thread's stack,
combined with the context inherited from the thread that created it
SocketPermission permission =
    new SocketPermission("javantura.com:8000-9000", "connect,accept");
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission(permission);
4) application code can also do permission checking against remote code
itself, through the SecurityManager or directly through the AccessController
(which evaluates the current access control context even when no
SecurityManager is installed)
SocketPermission permission =
    new SocketPermission("javantura.com:8000-9000", "connect,accept");
AccessController.checkPermission(permission);
5) application code can also run an action with the full permissions of its
own domain, regardless of what called it, or with the permissions granted to
a particular JAAS subject
AccessController.doPrivileged(…)
Subject.doAs(…)
Subject.doAsPrivileged(…)
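Steps 1 to 5 above in one runnable program: a Policy is set, a SecurityManager installed, a class is re-defined by a custom class loader inside a protection domain with an empty permission set (playing the "remote code"), and that class then triggers the checks from steps 3 and 4 and the doPrivileged case from step 5. This is an added example, not code from the deck: SandboxDemo, Untrusted and UntrustedLoader are invented for it, the code source http://javantura.com/demoapplet is only a label (nothing is downloaded), and the policy grants every other domain everything so that the hand-built domain is the only restricted one. It installs a SecurityManager, so it runs on JDK 9 to 11 as is and on JDK 12 to 23 with -Djava.security.manager=allow; JDK 17 deprecated the SecurityManager for removal (JEP 411) and JDK 24 permanently disabled it (JEP 486).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.SocketPermission;
import java.net.URL;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.concurrent.Callable;

// JDK 9-11: java SandboxDemo      JDK 12-23: java -Djava.security.manager=allow SandboxDemo
public class SandboxDemo {

    // Label for the "remote" code's code source (hypothetical); nothing is fetched from it.
    static final String UNTRUSTED_BASE = "http://javantura.com/demoapplet";

    // Step 1: the policy. Every domain that consults it (the application classes, whose
    // domains are dynamic) gets everything; the hand-built domain below is static and
    // never asks, so it is the only restricted domain in this program.
    static final class GrantAllPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
    }

    // Step 2: a class loader that defines exactly one class, Untrusted, inside a domain
    // with an empty permission set, and delegates everything else to its parent.
    static final class UntrustedLoader extends ClassLoader {
        private final ProtectionDomain domain;
        UntrustedLoader(ClassLoader parent, ProtectionDomain domain) { super(parent); this.domain = domain; }
        @Override protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Untrusted.class.getName())) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] b = readClassBytes(name);
                    c = defineClass(name, b, 0, b.length, domain);   // bytecode is verified here
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String res = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(res)) {
                if (in == null) throw new ClassNotFoundException(name);
                return in.readAllBytes();
            } catch (IOException e) { throw new ClassNotFoundException(name, e); }
        }
    }

    // "System code" from the diagram: a trusted helper the untrusted class calls.
    public static String readHome() { return System.getProperty("user.home"); }

    // Step 5: the same helper wrapped in doPrivileged. The stack walk stops at this frame,
    // so only SandboxDemo's own (fully granted) domain is consulted, not the caller's.
    public static String readHomePrivileged() {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty("user.home"));
    }

    // The class that is re-defined in the restricted domain. It must be public with public
    // members, because under the other loader it lives in a different runtime package.
    public static final class Untrusted implements Callable<String[]> {
        public Untrusted() {}
        @Override public String[] call() {
            String[] out = new String[3];
            try {   // steps 3/4: the explicit check from the slide
                System.getSecurityManager().checkPermission(
                        new SocketPermission("javantura.com:8000-9000", "connect,accept"));
                out[0] = "ALLOWED: connect";
            } catch (AccessControlException e) { out[0] = "DENIED: " + e.getPermission(); }
            try {   // this frame (empty permissions) is on the stack when the JDK checks
                out[1] = "ALLOWED: " + SandboxDemo.readHome();
            } catch (AccessControlException e) { out[1] = "DENIED: " + e.getPermission(); }
            try {   // doPrivileged in the trusted helper shields the untrusted caller
                out[2] = "ALLOWED: " + SandboxDemo.readHomePrivileged();
            } catch (AccessControlException e) { out[2] = "DENIED: " + e.getPermission(); }
            return out;
        }
    }

    public static String[] run() throws Exception {
        CodeSource cs = new CodeSource(new URL(UNTRUSTED_BASE), (Certificate[]) null);
        ProtectionDomain restricted = new ProtectionDomain(cs, new Permissions());  // static, empty
        Policy.setPolicy(new GrantAllPolicy());                  // step 1, before the manager
        System.setSecurityManager(new SecurityManager());        // from here on, checks are live
        ClassLoader loader = new UntrustedLoader(SandboxDemo.class.getClassLoader(), restricted);
        Callable<?> untrusted = (Callable<?>) Class.forName(Untrusted.class.getName(), true, loader)
                .getConstructor().newInstance();
        return (String[]) untrusted.call();
    }

    public static void main(String[] args) throws Exception {
        for (String line : run()) System.out.println(line);
    }
}
```

The first two lines come out as DENIED: the untrusted frame is on the stack both for the explicit SocketPermission check and for the property read inside the plain helper, and the intersection rule takes the empty permission set. The third is ALLOWED, because doPrivileged in the trusted helper stops the stack walk before it reaches the untrusted frame. Swap the 2-argument ProtectionDomain constructor for the 4-argument one and the domain becomes dynamic, i.e. it starts consulting the Policy, which is how policy-file grants reach classes in practice.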
• The security model defined by java.lang.SecurityManager is
customizable (subclass it, supply a custom Policy, define new
Permission classes)
• For example: the Oracle Database JVM (Oracle JVM) uses a custom
SecurityManager with additional permission classes, and its code
source is a database schema (containing e.g. Java stored procedures)
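The JAAS half of the flow, for the grant principal entry shown earlier and the Subject.doAs(…) call in step 5: a LoginModule, its Configuration, a LoginContext login, and a Policy that grants one permission only to domains carrying the principal cn=tom. This is an added example, not the deck's code: JaasDemo, DemoLoginModule, the user list and the choice of PropertyPermission "demo.secret" (standing in for the FilePermission on the slide, so the example is portable) are all constructed for it, and credentials are passed as module options rather than through a CallbackHandler to keep it short. It installs a SecurityManager, so it runs on JDK 9 to 11 as is and on JDK 12 to 23 with -Djava.security.manager=allow, not on JDK 24 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.AccessControlException;
import java.security.MessageDigest;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.PropertyPermission;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// JDK 9-11: java JaasDemo      JDK 12-23: java -Djava.security.manager=allow JaasDemo
public class JaasDemo {

    // Constructed user store; a real module would consult PAM, LDAP, Kerberos, a database...
    static final Map<String, String> USERS = Map.of("tom", "secret");
    static final X500Principal TOM = new X500Principal("cn=tom");
    // The permission only cn=tom may exercise (stands in for the slide's FilePermission).
    static final Permission TOM_ONLY = new PropertyPermission("demo.secret", "read");

    // Authentication half: a PAM-style LoginModule. login() verifies the credentials,
    // commit() attaches the principal to the Subject (two phases, so that a failure in
    // another REQUIRED module can still abort() this one before anything is committed).
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private Map<String, ?> options;
        private X500Principal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.options = options;
        }
        @Override public boolean login() throws LoginException {
            // Credentials arrive as module options here (constructed shortcut); a
            // CallbackHandler is the usual channel for prompting.
            String user = (String) options.get("user"), pass = (String) options.get("password");
            String expected = user == null ? null : USERS.get(user);
            if (expected == null || pass == null || !MessageDigest.isEqual(   // constant-time compare
                    pass.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8)))
                throw new LoginException("authentication failed");           // no hint about which part failed
            principal = new X500Principal("cn=" + user);
            return true;
        }
        @Override public boolean commit() { subject.getPrincipals().add(principal); return true; }
        @Override public boolean abort()  { principal = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    // Programmatic form of a login configuration file entry:
    //   demo { JaasDemo$DemoLoginModule required user="tom" password="secret"; };
    static Configuration config(String user, String password) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                        Map.of("user", user, "password", password)) };
            }
        };
    }

    // Authorization half, the programmatic form of the slide's policy entry:
    //   grant principal javax.security.auth.x500.X500Principal "cn=tom" { permission ...; };
    // Subject.doAs() adds the Subject's principals to the domains on the stack, and that is
    // where the Policy looks for them.
    static final class PrincipalPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain d, Permission p) {
            if (!TOM_ONLY.implies(p)) return true;            // everything else is open in this demo
            for (Principal pr : d.getPrincipals())
                if (TOM.equals(pr)) return true;              // canonical X.500 comparison (cn= vs CN=)
            return false;
        }
    }

    static String attempt(Subject s) {
        PrivilegedAction<String> readSecret = () -> System.getProperty("demo.secret", "<unset>");
        try {
            String v = (s == null) ? readSecret.run() : Subject.doAs(s, readSecret);
            return "ALLOWED: demo.secret=" + v;
        } catch (AccessControlException e) { return "DENIED: " + e.getPermission(); }
    }

    public static String[] run() throws LoginException {
        Policy.setPolicy(new PrincipalPolicy());
        System.setSecurityManager(new SecurityManager());
        String[] out = new String[2];
        out[0] = attempt(null);                                         // no Subject on the stack: denied
        LoginContext lc = new LoginContext("demo", null, null, config("tom", "secret"));
        lc.login();                                                     // runs login() then commit()
        out[1] = attempt(lc.getSubject());                              // as cn=tom: allowed
        lc.logout();
        return out;
    }

    public static void main(String[] args) throws LoginException {
        for (String line : run()) System.out.println(line);
    }
}
```

The same lambda is denied when run directly and allowed inside Subject.doAs: the code source and its grants did not change, only the principals in the protection domains that the Policy sees. This is exactly what the grant principal entry on the earlier slide expresses in file form.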
• JDK 1.5, 1.6 (enhancing the model …) – new additions to the
sandbox model (e.g. LDAP support for JAAS)
• JDK 1.7, 1.8 (further enhancing the model …) – enhancements to
the sandbox model (e.g. the limited AccessController.doPrivileged()
overloads in JDK 1.8, which assert only a given subset of the caller's
permissions instead of all of them)
• JDK 9 and beyond … (applying the model to modules …)
Diagram: an application module loaded from http://javantura.com/appmodule and the system modules (system module 1, system module 2) inside the JVM, hosted by the browser, all governed by security.policy
• By modules we understand the modules of the JDK as defined by
Project Jigsaw (the Java Platform Module System)
• Modules conform to the same code-source-based security model as
applets: each module is loaded by a particular class loader
(bootstrap, platform (formerly extension) or application) and its
classes receive a protection domain as before
• Modularization of the JDK system classes further allows fine-grained
access control permissions to be defined for classes in the system
domain (e.g. per module)
• This is not possible with the monolithic JDK, where everything on
the boot class path runs with all permissions
Outside the sandbox:
APIs for secure coding
• The security sandbox defines a strict model for the execution of
remote code in the JVM
• The other side of the coin is the set of security APIs that provide
the building blocks for implementing the different aspects of
application security …
Outside the sandbox:
APIs for secure coding
• The additional set of APIs includes:
• JCA (Java Cryptography Architecture)
• PKI (Public Key Infrastructure) utilities
• JSSE (Java Secure Socket Extension)
• Java GSS API (Java Generic Security Services)
• Java SASL API (Java Simple Authentication and Security Layer)
Designing and coding
with security in mind
• First of all - follow programming guidelines and best practices -
most are not bound to the Java programming language (input
validation, error handling, type safety, access modifiers, resource
cleanup, prepared SQL statements and whatever else you can think of …)
• Respect the SecurityManager - design libraries so that they work
in environments with an installed SecurityManager
• Example: the GSON library does not respect the SecurityManager and
in some scenarios cannot be used without additional reflective
permissions
• Grant minimal permissions to code that requires them - the
principle of "least privilege"
• Copy-pasting code, of course, increases the risk of security flaws
(if the copied code is flawed)
• Sanitize exception messages of sensitive information - otherwise
they often end up exposing exploitable details unintentionally
• Let alone exception stack traces … in many cases they convey a
wealth of information about the system
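The guidelines above (work under a SecurityManager, ask for the least privilege, sanitize what callers see) combined in a small library class. This is an added example, not the deck's code and not Gson's: FieldReader and Account are invented for it. The library asks for a single permission, ReflectPermission "suppressAccessChecks", through the limited doPrivileged overload added in JDK 8, falls back to the public getter when that permission is not granted to its own code source, and reports failures to the caller with a correlation id only while logging the details on the server side. Under a SecurityManager the privileged path works only if the policy grants the library's code base `permission java.lang.reflect.ReflectPermission "suppressAccessChecks";`; without that grant the getter path is taken and no extra permission is demanded from the application.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// A library class that reads object fields reflectively, written so that it still works
// when the host application runs with a SecurityManager installed.
public final class FieldReader {
    private static final Logger LOG = Logger.getLogger(FieldReader.class.getName());
    private static final ReflectPermission SUPPRESS = new ReflectPermission("suppressAccessChecks");

    // What callers see: a fixed message plus a correlation id. Class names, field names and
    // the underlying cause stay in the server-side log, keyed by the same id.
    public static final class ReadFailedException extends RuntimeException {
        public final String correlationId;
        ReadFailedException(String correlationId) {
            super("value could not be read (ref " + correlationId + ")");
            this.correlationId = correlationId;
        }
    }

    public static Object read(Object target, String fieldName) {
        String ref = UUID.randomUUID().toString();
        try {
            Field f = target.getClass().getDeclaredField(fieldName);
            // Limited doPrivileged (JDK 8+): run setAccessible with this library's own grant of
            // suppressAccessChecks and nothing more, so callers without that permission can
            // still use the library and no other privilege of the library leaks into the action.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> { f.setAccessible(true); return null; },
                    (AccessControlContext) null, SUPPRESS);
            return f.get(target);
        } catch (SecurityException e) {
            // Not granted even to this library's code source: degrade to the public API
            // rather than demanding more permissions from the deployment.
            return readViaGetter(target, fieldName, ref, e);
        } catch (ReflectiveOperationException | RuntimeException e) {
            LOG.log(Level.WARNING, "read failed ref=" + ref + " class=" + target.getClass().getName()
                    + " field=" + fieldName, e);
            throw new ReadFailedException(ref);
        }
    }

    private static Object readViaGetter(Object target, String fieldName, String ref, SecurityException denied) {
        try {
            String getter = "get" + Character.toUpperCase(fieldName.charAt(0)) + fieldName.substring(1);
            return target.getClass().getMethod(getter).invoke(target);   // public API needs no extra permission
        } catch (ReflectiveOperationException | RuntimeException e) {
            LOG.log(Level.WARNING, "no accessible path ref=" + ref + " class=" + target.getClass().getName()
                    + " field=" + fieldName + " (setAccessible denied: " + denied.getMessage() + ")", e);
            throw new ReadFailedException(ref);
        }
    }

    // Constructed sample type: a private field behind a public getter.
    public static final class Account {
        private final long balanceCents = 12_345;
        public long getBalanceCents() { return balanceCents; }
    }

    public static void main(String[] args) {
        System.out.println(read(new Account(), "balanceCents"));   // field path, or getter path when denied
        try {
            read(new Account(), "noSuchField");
        } catch (ReadFailedException e) {
            System.out.println(e.getMessage());                    // generic message and correlation id only
        }
    }
}
```

Run it plainly and the field is read directly; run it with a SecurityManager and a policy that does not grant suppressAccessChecks and the getter path is taken instead of an AccessControlException escaping to the caller. In both cases the exception a caller can observe names neither the class nor the field, and the correlation id is what support staff search for in the log.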
Thank you

Javantura v6 - When remote work really works - the secrets behind successful ...Javantura v6 - When remote work really works - the secrets behind successful ...
Javantura v6 - When remote work really works - the secrets behind successful ...
 
Javantura v6 - Kotlin-Java Interop - Matej Vidaković
Javantura v6 - Kotlin-Java Interop - Matej VidakovićJavantura v6 - Kotlin-Java Interop - Matej Vidaković
Javantura v6 - Kotlin-Java Interop - Matej Vidaković
 
Javantura v6 - Spring HATEOAS hypermedia-driven web services, and clients tha...
Javantura v6 - Spring HATEOAS hypermedia-driven web services, and clients tha...Javantura v6 - Spring HATEOAS hypermedia-driven web services, and clients tha...
Javantura v6 - Spring HATEOAS hypermedia-driven web services, and clients tha...
 
Javantura v6 - End to End Continuous Delivery of Microservices for Kubernetes...
Javantura v6 - End to End Continuous Delivery of Microservices for Kubernetes...Javantura v6 - End to End Continuous Delivery of Microservices for Kubernetes...
Javantura v6 - End to End Continuous Delivery of Microservices for Kubernetes...
 
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
Javantura v6 - Istio Service Mesh - The magic between your microservices - Ma...
 
Javantura v6 - How can you improve the quality of your application - Ioannis ...
Javantura v6 - How can you improve the quality of your application - Ioannis ...Javantura v6 - How can you improve the quality of your application - Ioannis ...
Javantura v6 - How can you improve the quality of your application - Ioannis ...
 
Javantura v6 - Just say it v2 - Pavao Varela Petrac
Javantura v6 - Just say it v2 - Pavao Varela PetracJavantura v6 - Just say it v2 - Pavao Varela Petrac
Javantura v6 - Just say it v2 - Pavao Varela Petrac
 
Javantura v6 - Automation of web apps testing - Hrvoje Ruhek
Javantura v6 - Automation of web apps testing - Hrvoje RuhekJavantura v6 - Automation of web apps testing - Hrvoje Ruhek
Javantura v6 - Automation of web apps testing - Hrvoje Ruhek
 
Javantura v6 - Master the Concepts Behind the Java 10 Challenges and Eliminat...
Javantura v6 - Master the Concepts Behind the Java 10 Challenges and Eliminat...Javantura v6 - Master the Concepts Behind the Java 10 Challenges and Eliminat...
Javantura v6 - Master the Concepts Behind the Java 10 Challenges and Eliminat...
 
Javantura v6 - Building IoT Middleware with Microservices - Mario Kusek
Javantura v6 - Building IoT Middleware with Microservices - Mario KusekJavantura v6 - Building IoT Middleware with Microservices - Mario Kusek
Javantura v6 - Building IoT Middleware with Microservices - Mario Kusek
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

Javantura v4 - Security architecture of the Java platform - Martin Toshev

  • 1. Security architecture of the Java platform
    Martin Toshev, @martin_fmi
  • 2. Who am I
    • Software consultant (CoffeeCupConsulting)
    • BG JUG board member (http://jug.bg)
    • OpenJDK and Oracle RDBMS enthusiast
    • Twitter: @martin_fmi
  • 3.
  • 4. Agenda
    • Evolution of the Java security model
    • Outside the sandbox: APIs for secure coding
    • Designing and coding with security in mind
  • 5. Evolution of the Java security model
  • 6. Evolution of the Java security model
    • Traditionally, companies protect their assets using strict physical and network access policies
    • Tools such as anti-virus software, firewalls and IPS/IDS systems facilitate this approach
  • 7. Evolution of the Java security model
    • With the introduction of various technologies for loading and executing code on the client machine from the browser (such as applets), a new range of concerns related to client security emerges – this is when the Java security sandbox starts to evolve …
  • 8. Evolution of the Java security model
    • The goal of the Java security sandbox is to allow untrusted code from applets to be executed in a trusted environment such as the user's browser
  • 9. Evolution of the Java security model
    • JDK 1.0 (when it all started …) – the original sandbox model was introduced
    Diagram: Applet (untrusted) and System code (trusted) inside the JVM, inside the Browser; applet code base http://javantura.com/demoapplet
  • 10. Evolution of the Java security model
    • Code executed by the JVM is divided into two domains – trusted and untrusted
    • Strict restrictions are applied by default by the applet security model, such as denying read/write access to the disk, connections to the network and so on
  • 11. Evolution of the Java security model
    • JDK 1.1 (gaining trust …) – applet signing introduced
    Diagram: Applet (untrusted), Signed Applet (trusted) and System code (trusted) inside the JVM, inside the Browser; code bases http://javantura.com/demoapplet and http://javantura.com/trustedapplet
  • 12. Evolution of the Java security model
    • Local code (as in JDK 1.0) and signed applet code (as of JDK 1.1) are trusted
    • Unsigned remote code (as in JDK 1.0) is not trusted
  • 13. Evolution of the Java security model
    • Steps needed to sign and run an applet:
      1. Compile the applet
      2. Create a JAR file for the applet
      3. Generate a pair of public/private keys
      4. Sign the applet JAR with the private key
      5. Export a certificate for the public key
      6. Import the certificate as a trusted certificate
      7. Create the policy file
      8. Load and run the applet
  • 14. Evolution of the Java security model
    • JDK 1.2 (gaining more trust …) – fine-grained access control
    Diagram: Applet and System code inside the JVM, inside the Browser; applet code base http://javantura.com/demoapplet; system code checks via SecurityManager.checkPermission(…) and AccessController.checkPermission(…) against security.policy:
    grant codeBase "http://javantura.com/demoapplet" {
      permission java.io.FilePermission "C:\\Windows", "delete";
    };
  • 15. Evolution of the Java security model
    • The security model becomes code-centric
    • Additional access control decisions are specified in a security policy
    • No more notion of trusted and untrusted code
  • 16. Evolution of the Java security model
    • The notion of a protection domain is introduced – determined by the security policy
    • Two types of protection domains – system and application
  • 17. Evolution of the Java security model
    • The protection domain is set during classloading and contains the code source and the list of permissions for the class:
    applet.getClass().getProtectionDomain();
  • 18. Evolution of the Java security model
    • One permission can imply another permission:
    java.io.FilePermission "C:\Windows" "delete" implies java.io.FilePermission "C:\Windows\system32" "delete"
  • 19. Evolution of the Java security model
    • One code source can imply another code source:
    codeBase http://javantura.com/ implies codeBase http://javantura.com/demoapplet
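The two implication rules on slides 18 and 19 can be checked directly with `Permission.implies` and `CodeSource.implies`. The Java class below is an added example, not code from the deck: it uses a directory under `java.io.tmpdir` as a portable stand-in for `C:\Windows` and reuses the deck's `http://javantura.com/` URLs. Both APIs apply the same three forms: a bare path or URL matches only itself, a trailing `/*` (or `\*`) also covers the entries directly inside that directory, and a trailing `/-` covers everything below it recursively. For a `FilePermission` the actions must be covered as well, so a `delete` grant never implies `read`.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.MalformedURLException;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.cert.Certificate;

// Added example (not from the deck): the rules behind Permission.implies and CodeSource.implies.
// A directory under java.io.tmpdir stands in for the deck's "C:\Windows"; the URLs are the deck's.
public class ImpliesDemo {

    // Built with File.separator so the same code runs on Windows and Unix-like systems.
    static final String WINDOWS = new File(System.getProperty("java.io.tmpdir"), "Windows").getAbsolutePath();
    static final String SYSTEM32 = WINDOWS + File.separator + "system32";
    static final String DRIVERS = SYSTEM32 + File.separator + "drivers";

    static Permission file(String path, String actions) {
        return new FilePermission(path, actions);
    }

    // A bare directory path names only that path ...
    static boolean plainDirImpliesChild() {
        return file(WINDOWS, "delete").implies(file(SYSTEM32, "delete"));
    }
    // ... "dir/-" covers the whole tree below it ...
    static boolean recursiveImpliesChild() {
        return file(WINDOWS + File.separator + "-", "delete").implies(file(SYSTEM32, "delete"));
    }
    static boolean recursiveImpliesGrandchild() {
        return file(WINDOWS + File.separator + "-", "delete").implies(file(DRIVERS, "delete"));
    }
    // ... and "dir/*" only the direct children, not a grandchild.
    static boolean wildcardImpliesGrandchild() {
        return file(WINDOWS + File.separator + "*", "delete").implies(file(DRIVERS, "delete"));
    }
    // The actions must be covered too: a "delete" grant does not imply "read" on the same path.
    static boolean deleteImpliesRead() {
        return file(WINDOWS + File.separator + "-", "delete").implies(file(SYSTEM32, "read"));
    }

    // An unsigned code source (no certificates) for the given location.
    static CodeSource source(String url) {
        try {
            return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException(url, e);
        }
    }

    // CodeSource.implies uses the same forms: exact location, "/*" for one directory, "/-" recursive.
    static boolean exactUrlImpliesSubpath() {
        return source("http://javantura.com/").implies(source("http://javantura.com/demoapplet"));
    }
    static boolean recursiveUrlImpliesSubpath() {
        return source("http://javantura.com/-").implies(source("http://javantura.com/demoapplet"));
    }

    public static void main(String[] args) {
        System.out.println("dir    implies dir/system32         : " + plainDirImpliesChild());
        System.out.println("dir/-  implies dir/system32         : " + recursiveImpliesChild());
        System.out.println("dir/-  implies dir/system32/drivers : " + recursiveImpliesGrandchild());
        System.out.println("dir/*  implies dir/system32/drivers : " + wildcardImpliesGrandchild());
        System.out.println("delete implies read                 : " + deleteImpliesRead());
        System.out.println("site/  implies site/demoapplet      : " + exactUrlImpliesSubpath());
        System.out.println("site/- implies site/demoapplet      : " + recursiveUrlImpliesSubpath());
    }
}
```

Compile and run with `javac ImpliesDemo.java && java ImpliesDemo`. Only the `-` forms imply the nested paths, which is why a policy meant to cover a whole directory tree or site is written with the recursive suffix rather than the bare directory.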
  • 20. Evolution of the Java security model
    • Since an execution thread may pass through classes loaded by different classloaders (and hence with different protection domains), the following rule of thumb applies: the permission set of an execution thread is considered to be the intersection of the permissions of all protection domains traversed by the execution thread
  • 21. Evolution of the Java security model
    • JDK 1.3, 1.4 (what about entities running the code …?) – JAAS
    Diagram: Applet and System code inside the JVM, inside the Browser; applet code base http://javantura.com/demoapplet; security.policy:
    grant principal javax.security.auth.x500.X500Principal "cn=Tom" {
      permission java.io.FilePermission "C:\\Windows", "delete";
    };
  • 22. Evolution of the Java security model
    • JAAS (Java Authentication and Authorization Service) extends the security model with role-based permissions
    • The protection domain of a class may now contain not only the code source and the permissions but also a list of principals
  • 23. Evolution of the Java security model
    • The authentication component of JAAS is independent of the security sandbox in Java and hence is typically used in a wider context (such as Java EE application servers)
    • The authorization component is the one that extends the Java security policy
  • 24. Evolution of the Java security model
    • Core classes of JAAS:
      • javax.security.auth.Subject - an authenticated subject
      • java.security.Principal - an identifying characteristic of a subject
      • javax.security.auth.spi.LoginModule - interface for implementors of login (PAM) modules
      • javax.security.auth.login.LoginContext - creates objects used for authentication
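The authentication side of JAAS (slides 22 to 24) is easiest to see with the core classes wired together. The Java class below is an added example, not code from the deck: `DemoLoginModule`, `DemoConfiguration`, the user table and the credentials are all constructed for the demo. A `Configuration` subclass stands in for a `jaas.conf` file, a `CallbackHandler` answers the module's `NameCallback`/`PasswordCallback`, the module implements the two-phase `login()`/`commit()` contract and adds an `X500Principal` to the `Subject`, and `LoginContext` drives the exchange; the rejected login shows the `abort()` path.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Added example (not from the deck): the JAAS authentication side, wired up entirely in code.
// The login module, its user table and the configuration are constructed for this demo.
public class JaasLoginDemo {

    // The two-phase LoginModule contract: login() authenticates, commit()/abort() finish or undo it.
    public static final class DemoLoginModule implements LoginModule {
        // Constructed user table; a real module would consult a directory, database or token service.
        private static final Map<String, char[]> USERS = Collections.singletonMap("tom", "s3cret".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private X500Principal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback password = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { name, password });   // ask the caller for the credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] supplied = password.getPassword();
            password.clearPassword();
            boolean ok = supplied != null && Arrays.equals(USERS.get(name.getName()), supplied);
            if (supplied != null) Arrays.fill(supplied, '\0');        // do not keep the password in memory
            if (!ok) throw new FailedLoginException("bad user or password");
            user = name.getName();
            return true;
        }

        @Override public boolean commit() {                          // phase 2: attach the identity
            if (user == null) return false;
            principal = new X500Principal("cn=" + user);
            subject.getPrincipals().add(principal);
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(principal); user = null; return true; }
    }

    // Stand-in for a jaas.conf entry:  demo { JaasLoginDemo$DemoLoginModule required; };
    static final class DemoConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"demo".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
        }
    }

    // Answers the module's callbacks with fixed credentials; an interactive handler would prompt the user.
    static CallbackHandler credentials(final String user, final String password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Runs the login; returns the authenticated Subject, or null when the credentials are rejected.
    static Subject authenticate(String user, String password) {
        try {
            LoginContext ctx = new LoginContext("demo", null, credentials(user, password), new DemoConfiguration());
            ctx.login();
            return ctx.getSubject();
        } catch (LoginException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Subject tom = authenticate("tom", "s3cret");
        System.out.println("tom / s3cret -> " + (tom == null ? "denied" : "principals " + tom.getPrincipals()));
        System.out.println("tom / wrong  -> " + (authenticate("tom", "wrong") == null ? "denied" : "granted"));
    }
}
```

The `Subject` returned by `authenticate` is what the authorization side consumes through `Subject.doAs` / `doAsPrivileged`; nothing in this class depends on a `SecurityManager`, which is the independence slide 23 points out.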
  • 25. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    1) upon system startup a security policy is set and a security manager is installed:
    Policy.setPolicy(…);
    System.setSecurityManager(…);
  • 26. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    2) during classloading (e.g. of a remote applet) bytecode verification is done and the protection domain is set for the current classloader (along with the code source, the set of permissions and the set of JAAS principals)
  • 27. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    3) when system code is invoked from the remote code, the SecurityManager is used to check against the intersection of the protection domains based on the chain of threads and their call stacks:
  • 28. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    SocketPermission permission = new SocketPermission("javantura.com:8000-9000", "connect,accept");
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) sm.checkPermission(permission);
  • 29. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    4) application code can also do permission checking against remote code using a SecurityManager or an AccessController:
  • 30. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    SocketPermission permission = new SocketPermission("javantura.com:8000-9000", "connect,accept");
    AccessController.checkPermission(permission);
  • 31. Evolution of the Java security model
    • Up to JDK 1.4 the following is a typical flow for permission checking:
    5) application code can also do permission checking with all permissions of the calling domain or of a particular JAAS subject:
    AccessController.doPrivileged(…);
    Subject.doAs(…);
    Subject.doAsPrivileged(…);
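Steps 1, 3/4 and 5 of the flow above, as an added Java example that is not code from the deck. `SandboxFlowDemo` and `DemoPolicy` are hypothetical names; the policy is written as a `Policy` subclass instead of a `security.policy` file. It grants `SocketPermission` on `localhost:8000-9000` to all application code (the deck's javantura.com is replaced by localhost so the check needs no DNS), plus the `AuthPermission`s that `Subject.doAs` and `doAsPrivileged` themselves require, and grants the `FilePermission` only to protection domains carrying the principal `cn=Tom`; a directory under `java.io.tmpdir` stands in for `C:\Windows`. The example also shows what two of the step-5 calls do not do: `doPrivileged` stops the stack walk at the current domain but adds no permission, and `Subject.doAs` keeps the caller's own context, whose domains carry no principals, so under the intersection rule of slide 20 the principal-based grant only takes effect through `Subject.doAsPrivileged(subject, action, null)`.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URL;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Added example (not from the deck): steps 1, 3/4 and 5 of the permission-check flow in one class.
// Run as:  java -Djava.security.manager=allow SandboxFlowDemo
// (JDK 18-23 need that flag, JDK 17+ prints deprecation warnings, JDK 24 removed the Security Manager.)
public class SandboxFlowDemo {

    // Portable stand-in for the deck's "C:\Windows"; the property is read before the sandbox is on.
    static final String WINDOWS_DIR = new File(System.getProperty("java.io.tmpdir"), "Windows").getAbsolutePath();
    static final Principal TOM = new X500Principal("cn=Tom");

    // Step 1: the policy, written in code instead of a security.policy file (hypothetical class).
    static final class DemoPolicy extends Policy {
        private static final Permissions CODE_GRANTS = new Permissions(); // grant codeBase <any application code>
        private static final Permissions TOM_GRANTS = new Permissions();  // grant principal X500Principal "cn=Tom"
        static {
            CODE_GRANTS.add(new SocketPermission("localhost:8000-9000", "connect,accept"));
            CODE_GRANTS.add(new AuthPermission("doAs"));            // Subject.doAs / doAsPrivileged are
            CODE_GRANTS.add(new AuthPermission("doAsPrivileged"));  // themselves guarded calls
            TOM_GRANTS.add(new FilePermission(WINDOWS_DIR + File.separator + "-", "delete"));
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (isSystemCode(domain)) return true;                  // system domain keeps AllPermission
            if (CODE_GRANTS.implies(permission)) return true;      // code-based grant
            for (Principal p : domain.getPrincipals()) {           // principal-based grant (JAAS)
                if (TOM.equals(p) && TOM_GRANTS.implies(permission)) return true;
            }
            return false;
        }

        // Bootstrap classes have no loader/code source; JDK modules are loaded from jrt: URLs (JDK 9+).
        private static boolean isSystemCode(ProtectionDomain domain) {
            if (domain.getClassLoader() == null || domain.getCodeSource() == null) return true;
            URL location = domain.getCodeSource().getLocation();
            return location != null && "jrt".equals(location.getProtocol());
        }
    }

    // Steps 3/4: the check exactly as system code (or application code) performs it.
    static boolean isAllowed(Permission permission) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;                               // no sandbox installed
        try {
            sm.checkPermission(permission);                        // walks the stack, intersects the domains
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Permission connect = new SocketPermission("localhost:8080", "connect");
        Permission accept = new SocketPermission("localhost:9001", "accept");
        final Permission delete = new FilePermission(WINDOWS_DIR + File.separator + "system32", "delete");
        Subject tom = new Subject(true, Collections.singleton(TOM), Collections.emptySet(), Collections.emptySet());
        PrivilegedAction<Boolean> tryDelete = new PrivilegedAction<Boolean>() {
            public Boolean run() { return isAllowed(delete); }
        };

        Policy.setPolicy(new DemoPolicy());                        // step 1: the policy first ...
        System.setSecurityManager(new SecurityManager());          // ... then the manager

        System.out.println("connect localhost:8080   -> " + isAllowed(connect));  // port inside the granted range
        System.out.println("accept  localhost:9001   -> " + isAllowed(accept));   // port outside the granted range
        System.out.println("delete  Windows/system32 -> " + isAllowed(delete));   // no code-based grant for this

        // Step 5: doPrivileged stops the stack walk at this domain but grants nothing new.
        // Subject.doAs adds Tom's principals to the domains above it, yet keeps the caller's own
        // context (no principals), so by the intersection rule the check is still denied.
        // doAsPrivileged with a null context drops the caller's context and the grant applies.
        System.out.println("delete via doPrivileged   -> " + AccessController.doPrivileged(tryDelete));
        System.out.println("delete via Subject.doAs   -> " + Subject.doAs(tom, tryDelete));
        System.out.println("delete via doAsPrivileged -> " + Subject.doAsPrivileged(tom, tryDelete, null));
    }
}
```

The policy is installed before the manager on purpose: `Policy.setPolicy` is itself a guarded call once a `SecurityManager` exists. The `isSystemCode` test is what replaces the `AllPermission` grant that the default policy file gives to the JDK's own code; without it the JVM's internal checks would fail under the custom policy.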
  • 32. Evolution of the Java security model
    • The security model defined by java.lang.SecurityManager is customizable
    • For example: the Oracle JVM uses a custom SecurityManager with additional permission classes where the code source is a database schema (containing e.g. Java stored procedures)
  • 33. Evolution of the Java security model
    • JDK 1.5, 1.6 (enhancing the model …) – new additions to the sandbox model (e.g. LDAP support for JAAS)
  • 34. Evolution of the Java security model
    • JDK 1.7, 1.8 (further enhancing the model …) – enhancements to the sandbox model (e.g. AccessController.doPrivileged() for checking against a subset of permissions)
  • 35. Evolution of the Java security model
    • JDK 1.9 and beyond … (applying the model to modules …)
    Diagram: application module, system module 1 and system module 2 inside the JVM, inside the Browser; application code base http://javantura.com/appmodule; security.policy
  • 36. Evolution of the Java security model
    • By modules we understand modules in the JDK as defined by project Jigsaw
    • Modules must conform to the same security model as applets – each module is loaded by a particular classloader (bootstrap, extension or system)
  • 37. Evolution of the Java security model
    • Modularization of the JDK system classes further allows defining fine-grained access control permissions for classes in the system domain
    • This is currently not allowed due to the monolithic nature of the JDK
  • 38. Outside the sandbox: APIs for secure coding
  • 39. Outside the sandbox: APIs for secure coding
    • The security sandbox defines a strict model for the execution of remote code in the JVM
    • The other side of the coin are the security APIs that provide utilities for implementing the different aspects of application security …
  • 40. Outside the sandbox: APIs for secure coding
    • The additional set of APIs includes:
      • JCA (Java Cryptography Architecture)
      • PKI (Public Key Infrastructure) utilities
      • JSSE (Java Secure Socket Extension)
      • Java GSS API (Java Generic Security Services)
      • Java SASL API (Java Simple Authentication and Security Layer)
  • 41. Designing and coding with security in mind
  • 42. Designing and coding with security in mind
    • First of all, follow programming guidelines and best practices – most are not bound to the Java programming language (input validation, error handling, type safety, access modifiers, resource cleanup, prepared SQL queries and whatever else you can think of …)
  • 43. Designing and coding with security in mind
    • Respect the SecurityManager – design libraries so that they work in environments with an installed SecurityManager
    • Example: the GSON library does not respect the SecurityManager and cannot be used without additional reflective permissions in some scenarios
  • 44. Designing and coding with security in mind
    • Grant minimal permissions to code that requires them – the principle of "least privilege"
    • Copy-pasting, of course, increases the risk of security flaws (if the copied code is flawed)
  • 45. Designing and coding with security in mind
    • Sanitize exception messages of sensitive information – unsanitized messages often result in an unintended exposure of exploitable information
    • Let alone exception stack traces … in many cases they convey a wealth of information about the system
  • 47. References
    • Java Security Overview (white paper) – http://www.oracle.com/technetwork/java/js-white-paper-149932.pdf
    • Java SE Platform Security Architecture Spec – http://docs.oracle.com/javase/7/docs/technotes/guides/security/spec/security-spec.doc.html
    • Inside Java 2 Platform Security, 2nd edition – http://www.amazon.com/Inside-Java%C2%BF-Platform-Security-Implementation/dp/0201787911
  • 48. References
    • Java Security, 2nd edition, Scott Oaks – http://shop.oreilly.com/product/9780596001575.do
    • Securing Java, Gary McGraw, Ed Felten – http://www.securingjava.com
    • Secure Coding Guidelines for Java SE – http://www.oracle.com/technetwork/java/seccodeguide-139067.html#0
  • 49. References
    • Java 2 Network Security – http://www.amazon.com/JAVA-Network-Security-2nd-Edition/dp/0130155926
    • Java Security Documentation – http://docs.oracle.com/javase/8/docs/technotes/guides/security/index.html
  • 50. References
    • Core Java Security: Class Loaders, Security Managers and Encryption – http://www.informit.com/articles/article.aspx?p=1187967
    • Overview of Java Security Models – http://docs.oracle.com/cd/E12839_01/core.1111/e10043/introjps.htm#CHDCEJGH