Here are the slides for my JavaOne 2014 session on Understanding the New JDK 8 Security Features.
Thanks to all who attended the session. I hope it was very useful.
A new version of the Java Secure Coding Guidelines is now available at http://www.oracle.com/technetwork/java/seccodeguide-139067.html
This version has many updates, including:
A new version (3.0) of the Secure Coding Guidelines for the Java Programming Language has just been published at http://java.sun.com/security/seccodeguide.html
The secure coding guidelines documents best practices and patterns that you should adhere to when writing Java code in order to avoid vulnerabilities. These guidelines are important for every Java developer, whether you are writing a trusted library or an end-user application.
Version 3.0 is a significant enhancement and includes a new section on fundamentals as well as many new guidelines and enhancements.
Please send me any feedback you may have.
This question has come up in user forums quite a bit: "how can I use a more recent Apache XML Security library with the XML Signature APIs (JSR 105) in JDK 6 and JDK 7?"
Most of the time, you will not need to do this. Our JDK 6/7 XML Signature implementation is based on Apache XML Security and we try to keep up with the latest release. However, there may be a bug fix or new algorithm that you really need and are willing to depend on a more recent version of the Apache XML Security library that has that fix. Here is what you need to do if so:
One of the new features of the XML Signature 1.1 specification, which is currently in draft review, is the addition of stronger cryptographic algorithms to the REQUIRED algorithms, such as the RSAwithSHA256 SignatureMethod algorithm. Additional RECOMMENDED and OPTIONAL algorithms have also been added. See section 6.1 for a complete list of algorithm requirements.
In JDK 7, you can already use many of these stronger XML Signature algorithms in your Java applications. The following algorithms are newly supported: the RSAwithSHA256, RSAwithSHA384, RSAwithSHA512 signature algorithms and the HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 mac algorithms.
To take advantage of these stronger algorithms when generating XML Signatures, you may have to specify the URI of the algorithm (if there isn't a String constant already defined in the API). For example:
XMLSignatureFactory factory = XMLSignatureFactory.getInstance();
SignatureMethod sm =
factory.newSignatureMethod
("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
(SignatureMethodParameterSpec) null);
No special code is required when validating XML Signatures with these algorithms as the implementation will automatically identify the algorithm URIs.
We plan to add String constants for these URIs in a future revision of the JSR 105 API, but for now you must specify the URIs when generating signatures.
Last, but not least, we are planning to backport support for these stronger signature and mac algorithms to JDK 6.
Just a reminder that we'll be holding a BOF at this year's JavaOne conference on "New Security Features in JDK™ Releases 6 and 7". It is on Wednesday at 6:45 PM in Gateway 102/103 in the Moscone Center. We plan to have a short presentation on the latest security features in JDK 6, JDK 7 and JavaFX. Then, we are going to show a demo of the new blacklist mechanism in the just-released JRE 6u14. The remaining time will be for Q&A so please bring your questions on Java Security as many members of Sun's Java Security team will be on hand to help answer them.
We'll be holding a BOF at this year's JavaOne conference on "New Security Features in JDK™ Releases 6 and 7". This is sure to be an interesting BOF, as we'll go over all of the latest security features that we have added to JDK 6 and new ones that are targeted for JDK 7. We also plan to show a demo of some of the features. There should be plenty of time for Q&A so please bring your questions on Java Security as many members of Sun's Java Security team will be on hand to help answer them.
I'll add more details as we get closer to JavaOne.
Sean Mullan