General.
• nothing is 100% secure
• only as strong as the weakest link (end-to-end security needs controls at every layer, not just one strong one)
• keep it manageable (an overly complex design only confuses the admins and users who have to operate it correctly, and misconfiguration is itself a vulnerability)
• security must be designed in from the start, not retro-fitted
Identify Security Restrictions That Java 2 Technology Environments Normally Impose on Applets Running in a Browser
• An applet can use only its own code; it is not allowed to load libraries or define native methods.
• An applet cannot read or write files on the host that is executing it.
• An applet can make network connections only to the host from which it was downloaded (its codebase host).
• An applet cannot start any program on the local host.
• An applet is restricted from reading the following system properties: java.home, java.class.path, user.name, user.home, and user.dir (other properties such as java.version and os.name remain readable).
• These restrictions apply to an unsigned applet under the browser's default SecurityManager; a violation surfaces at runtime as a SecurityException, not at compile time. A signed applet that the user chooses to trust can be granted more.
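An added example, not part of the original notes: an applet that tries each of the restricted operations above and records how the sandbox answers. Under the default SecurityManager every probe should land in the SecurityException branch; run signed and trusted, or as a plain application, they reach the "allowed" or "permitted but failed" branches instead, which is the quickest way to see what the sandbox is actually enforcing. The host name other.example.com, the file name probe.txt, the program name calc and the library name probe are assumed values chosen for illustration; java.applet is deprecated in current JDKs, so this targets the Java 2 browser runtime the notes describe.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.io.FileReader;
import java.net.Socket;
import java.util.LinkedHashMap;
import java.util.Map;

/** Probes each Java 2 applet sandbox restriction and shows the verdict. */
public class SandboxProbe extends Applet {

    /** One operation the sandbox is expected to refuse. */
    interface Probe {
        void run() throws Exception;
    }

    private final Map<String, String> results = new LinkedHashMap<String, String>();

    public void init() {
        // Assumed values: a host that is not the codebase host, a relative file
        // name, a program name and a library name that need not exist.
        probe("read a local file",             () -> new FileReader("probe.txt").close());
        probe("connect to a non-codebase host", () -> new Socket("other.example.com", 80).close());
        probe("start a local program",         () -> Runtime.getRuntime().exec("calc"));
        probe("load a native library",         () -> System.loadLibrary("probe"));
        probe("read the user.home property",   () -> System.getProperty("user.home"));
    }

    private void probe(String name, Probe p) {
        try {
            p.run();
            results.put(name, "allowed");
        } catch (SecurityException e) {
            // AccessControlException (a SecurityException) is how the sandbox says no;
            // the check happens before the operation is attempted at all.
            results.put(name, "denied: " + e.getMessage());
        } catch (Exception | LinkageError e) {
            // The permission check passed and only the operation itself failed
            // (missing file, unknown host, missing library). From a sandbox point
            // of view this is a gap, not a success.
            results.put(name, "permitted but failed: " + e.getClass().getSimpleName());
        }
    }

    public void paint(Graphics g) {
        int y = 20;
        for (Map.Entry<String, String> e : results.entrySet()) {
            g.drawString(e.getKey() + " -> " + e.getValue(), 10, y);
            y += 15;
        }
    }
}
```

The important distinction is the middle catch block: a SecurityException means the sandbox refused the request; any other failure means the sandbox let it through and something else went wrong, so treat "permitted but failed" as an open door when reviewing a deployment.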
Given an Architectural System Specification, Identify Appropriate Locations for Implementation of Specified Security Features and Select Suitable Technologies for Implementation of Those Features
• Authentication
• Authentication method (web.xml <auth-method>): BASIC, FORM, DIGEST, or CLIENT-CERT
• Digital certificates and certificate authorities (needed for CLIENT-CERT and for the server side of SSL)
• Secure Sockets Layer (SSL), requested per URL with a CONFIDENTIAL <transport-guarantee>; BASIC and FORM send the credentials in the clear without it
• Common Secure Interoperability version 2 (CSIv2), which carries the caller's identity across IIOP calls between containers
• Identity selection in ejb-jar.xml <security-identity>: <run-as> a fixed role for the bean's outbound calls, or <use-caller-identity/> to propagate the caller
• Security roles, declared with <security-role> in the descriptor and mapped to real users or groups at deployment time
• Authorization
• Authorization enforced by the container (declarative), defined in the deployment descriptor: <security-constraint> for URL patterns, <method-permission> for EJB methods
• Authorization enforced by the component (programmatic), written in the application code: HttpServletRequest.isUserInRole() and EJBContext.isCallerInRole(); use it for decisions the descriptor cannot express (ones that depend on the request data), not as a replacement for the declarative layer
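An added example, not from the original notes, showing where each feature in the list above lands in a J2EE application: the declarative part (FORM login, SSL, role constraints, run-as identity, method permissions) lives in the descriptors, and the programmatic checks in the code cover only the rules the descriptors cannot state. The role names manager, clerk and payroll-system, the URL pattern, the page names, the bean name and the approval threshold are all assumed. Two source files are shown in one block, separated by file-name comments, with the matching descriptor fragments quoted in a comment at the top.

```java
import java.io.IOException;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Declarative side, enforced by the web container before any servlet code runs
 * (assumed web.xml fragment): FORM authentication, SSL on the payroll URLs,
 * and a coarse "must be a manager or clerk" check.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>payroll</web-resource-name>
 *       <url-pattern>/payroll/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>manager</role-name>
 *       <role-name>clerk</role-name>
 *     </auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>manager</role-name></security-role>
 *   <security-role><role-name>clerk</role-name></security-role>
 *
 * Declarative side for the bean (assumed ejb-jar.xml fragment): who may call
 * approve(), and the identity the bean presents on its own outbound calls.
 *
 *   <session> ... <security-identity><run-as><role-name>payroll-system</role-name></run-as></security-identity> ... </session>
 *   <assembly-descriptor>
 *     <security-role><role-name>manager</role-name></security-role>
 *     <security-role><role-name>clerk</role-name></security-role>
 *     <security-role><role-name>payroll-system</role-name></security-role>
 *     <method-permission>
 *       <role-name>manager</role-name>
 *       <role-name>clerk</role-name>
 *       <method><ejb-name>PayrollBean</ejb-name><method-name>approve</method-name></method>
 *     </method-permission>
 *   </assembly-descriptor>
 */

// --- PayrollServlet.java ---
/** Web tier: the container has already done FORM login and the role check. */
public class PayrollServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String employee = req.getParameter("employee");
        // Programmatic rule the descriptor cannot express: a clerk may see only
        // their own record, a manager may see anyone's. The role name used here
        // should be linked to a declared role with <security-role-ref>.
        boolean ownRecord = employee != null && employee.equals(req.getRemoteUser());
        if (!(req.isUserInRole("manager") || ownRecord)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("payroll record for " + employee);
    }
}

// --- PayrollBean.java ---
/** EJB tier: <method-permission> has already been enforced by the container. */
public class PayrollBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    public void approve(String employee, long amount) throws ApprovalException {
        // Amount-dependent rule, so it has to be programmatic. isCallerInRole()
        // still reflects the real caller; the run-as identity "payroll-system"
        // only applies to calls this bean makes to other components.
        if (amount > 10000 && !ctx.isCallerInRole("manager")) {
            throw new ApprovalException(ctx.getCallerPrincipal().getName()
                    + " may not approve " + amount + " for " + employee);
        }
        // ... record the approval ...
    }

    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

/** Application exception: reported to the client rather than discarding the bean. */
class ApprovalException extends Exception {
    ApprovalException(String msg) { super(msg); }
}
```

The split to notice is that every rule expressible as "which roles may reach which URL or method" stays in the descriptor, where the deployer can read and change it without touching code, and the code only adds the checks that depend on request data (whose record, how large an amount). Keeping the declarative constraint in place even where a programmatic check exists means a forgotten check in one handler still leaves an authenticated, role-restricted perimeter.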