Master Java security: classloaders, permissions, authentication, encryption, and web security
The Java language inherently contains numerous mechanisms for developing secure programs. These mechanisms address various aspects of security, such as integrity, confidentiality, identification, and protection against malicious attacks.
Is it for you ?
Developers, designers, project managers, technical architects
Prerequisites
Have programming experience in JAVA.
What You'll Walk Away With
- ✓ Master JVM security mechanisms including classloaders, bytecode verification, and memory management
- ✓ Configure and enforce security policies using the Java Security Manager and permissions
- ✓ Implement authentication and authorization solutions with JAAS and role management
- ✓ Secure applications with digital signatures, keystores, and AES/RSA encryption
- ✓ Identify web vulnerabilities (OWASP) and perform dynamic application security testing with specialized tools
Training content
1 Introduction and reminders
2 Loading and verifying classes
- Role of the Java compiler
- Role of classloaders
- The different memory areas of the JVM and their management by the garbage collector
- Hierarchy of the different classloaders
- Verifying bytecode
- Dynamic class loading
- Implementing a class loader
- Practical work: Modifying a .class file and executing it with the -noverify option, Implementing a class loader that loads encrypted classes
3 Security manager and permissions
- Controllable operations
- Activating the security manager
- Protection domain, code source, and permissions
- API overview
- Policy file
- Permission classes
- Implementing a Permission class
- Practical work: Developing a policy file, implementing a Permission class
4 JAAS, Authentication, and Authorizations
- Introduction to JAAS
- LoginContext and LoginModule
- Configuration and stacking of login modules
- Available LoginModules
- Implementing a specific login module, CallbackHandlers
- Packaging a login module
- Authorizations, Subject Objects, and Principals
- PrivilegedAction interface
- Permission configuration
- Practical work: Implementation of a LoginModule, configuration of authorizations based on user roles
5 Digital signatures and encryption
- Message digest: SHA1 and MD5
- The keytool tool and keystores
- The jarsigner tool
- Certification authorities
- Deployment of signed code on an intranet or the internet
- Keystore-based permissions
- Data encryption, AES and RSA algorithms
- Practical work: Verifying a fingerprint, Deploying an applet on an intranet, Symmetric and asymmetric encryption
6 Applying security in a web environment
- Securing a Java application server
- Securing a Java application server
- User authentication, web application deployment descriptor
- Configuring module logins in major application servers
- Declarative security for various Java EE third parties
- SSL
- Practical work: Securing a web application
7 Web attacks
- OWASP resources
- The ten most critical web application security risks according to OWASP
- Identifying the main risks in cybersecurity
8 Dynamic application auditing with APPSCAN Standard
- Configuring a scan
- Launching the scan operation
- Analyzing the results
📌 Practical information
Our training sessions are offered in Montreal or Quebec City, in person or in a virtual classroom. Dates and locations are specified when you select your session below. If you have any questions, check out our FAQ.