SecurityManager Survey Results

On February 5, 2018 we launched a survey to gather data on how applications and libraries use the SecurityManager. The results of the survey can now be seen online at https://www.surveymonkey.com/results/SM-PSJ6ZNMZ8/. The survey was primarily targeted at developers. We were especially interested in understanding how the SecurityManager is used outside of applets and WebStart applications, which were use cases that were already well understood. We were also interested in the...

Wednesday, March 21, 2018 | Read More

Java applications that are signed and timestamped with the GeoTrust Timestamp Authority are no longer working

Issue On October 30, 2017, the certificate for the GeoTrust TSA (Time Stamp Authority) expired. If your application is using a signed JAR that is also timestamped with the GeoTrust TSA, then you may get errors when running the applet or application with Java WebStart or Plugin. How do I know if I may be affected? To check if your JAR is timestamped with the GeoTrust TSA, you can use the jarsigner utility (although you must use JDK 9, 8u121, 7u131, 6u141 or later). Run...

Tuesday, November 7, 2017 | Java | Read More

JavaOne 2016 slides for "Making the JDK More Secure"

My slides for my JavaOne 2016 session on "Making the JDK More Secure" are here.

Tuesday, September 20, 2016 | Java | Read More

Slides for JavaOne 2015 session (Safer and Faster: New JDK Security Features and Performance Improvements)

My slides for my JavaOne 2015 session on "Safer and Faster: New JDK Security Features and Performance Improvements"  are available here. Thanks to all that attended my session (either in person or via the live-stream)!

Thursday, October 29, 2015 | Java | Read More

Slides for my JavaOne 2014 session on "Understanding the New JDK 8 Security Features"

Here are the slides for my JavaOne 2014 session on Understanding the New JDK 8 Security Features. Thanks to all who attended the session. I hope it was very useful.

Thursday, October 2, 2014 | Java | Read More

Version 5.0 of the Java Secure Coding Guidelines now available!

A new version of the Java Secure Coding Guidelines is now available at http://www.oracle.com/technetwork/java/seccodeguide-139067.html This version has many updates, including: Additional information for some of the new Java SE 8 features Several new guidelines and examples A new appendix covering the Java Native Interface A new symbolic naming for sections Several formatting changes These guidelines contain coding patterns and best practices that are extremely useful for building...

Monday, April 14, 2014 | Java | Read More

How to use the XML Signature secure validation mode

In JDK 7u25, we introduced a new secure validation mode for XML Signatures. This mode is designed to protect you from XML Signatures that contain potentially hostile constructs that could cause denial-of-service or other types of security issues.  The good news is that if you run your application with a SecurityManager, the secure validation mode is enabled by default, and there is no further action required. Otherwise, a new property with the name org.jcp.xml.dsig.secureValida...

Thursday, March 13, 2014 | Java | Read More

How to determine if a signed JAR is timestamped

Applying a timestamp when you sign a JAR is strongly recommended, as it allows you to prove that you signed the JAR during the time interval that your code signing certificate was still valid. This allows your JAR to be validated after the certificate expires thereby prolonging the lifetime of your application. There's really no good reason you should not apply a timestamp, and we are encouraging all developers to do that as we introduce stricter applet/RIA restrictions in...

Tuesday, December 3, 2013 | Java | Read More

JEP 124: Enhance the Certificate Revocation-Checking API

Revocation checking is the mechanism to determine the revocation status of a certificate. If it is revoked, it is considered invalid and should not be used. Currently as of JDK 7, the PKIX implementation of java.security.cert.CertPathValidator  includes a revocation checking implementation that supports both OCSP and CRLs, the two main methods of checking revocation. However, there are very few options that allow you to configure the behavior. You can always implement your...

Friday, November 1, 2013 | Java | Read More

Slides for my JavaOne session: "Using the New JDK 8 Security Features"

Thanks to everyone who attended my talk yesterday on "Using the New JDK 8 Security Features". Here are the slides for my session for those that could not attend or would like a copy for further reference: CON_7932_Mullan.pdf.

Wednesday, September 25, 2013 | Java | Read More

JEP 131: PKCS#11 Crypto Provider for 64-bit Windows

JEP 131 (PKCS#11 Crypto Provider for 64-bit Windows) is another of the 11 new security features funded and targeted to JDK 8. PKCS #11 is a standard that defines a platform-independent API to cryptographic tokens like smart cards and hardware security modules. Oracle's JDK currently supports PKCS #11 on Solaris (SPARC and x86), Linux (32-bit and 64-bit), and Windows (32-bit). PKCS #11 support is provided via a JCA provider which is simply a bridge to the native PKCS...

Monday, August 26, 2013 | Java | Read More

JEP 130: SHA-224 Message Digests

JEP 130 (SHA-224 Message Digests) is one of the 11 new security features funded and targeted to JDK 8. The SHA-2 cryptographic hash family includes the SHA-224, SHA-256, SHA-384, and SHA-512 algorithms. The JDK already includes support for SHA-256, SHA-384, and SHA-512. JEP 130 completes the JDK support for the SHA-2 family. SHA-224 is basically a truncated version of SHA-256. The calculated hash is 224 bits (instead of 256) and is computed with a different initial value than...

Monday, August 19, 2013 | Java | Read More

I will be speaking at JavaOne 2013 on "Using the New JDK 8 Security Features"

Hi all, I will be presenting a session at this year's JavaOne 2013 (San Francisco) on "Using the New JDK 8 Security Features". This will be an informative session describing the 11 new security features (aka "JEPs") and will include plenty of code samples. Over the next few weeks, I will be posting new blog entries with more details of each of these features. So stay tuned for more information or attend my session if you are coming to JavaOne!

Thursday, August 15, 2013 | Java | Read More

Announcing XML Signature 1.1 and Signature Properties Last Call

The W3C XML Security Working Group has released a Last Call Working Draft for XML Signature 1.1:http://www.w3.org/TR/xmldsig-core1/ An explanation of the changes against the XML Signature 1.0  specification is available:http://www.w3.org/TR/xmldsig-core1/explain.html Changes are focused on the set of mandatory to implement algorithms and markup for relevant key material. The Working Group has also released a Last Call Working Draft for XML Signature Properties:http://www.w3.or...

Friday, February 12, 2010 | Sun | Read More

Secure Coding Guidelines for the Java Programming Language, Version 3.0

A new version (3.0) of the Secure Coding Guidelines for the Java Programming Language has just been published at http://java.sun.com/security/seccodeguide.html The secure coding guidelines documents best practices and patterns that you should adhere to when writing Java code in order to avoid vulnerabilities. These guidelines are important for every Java developer, whether you are writing a trusted library or an end-user application. Version 3.0 is a significant enhancement and...

Wednesday, January 6, 2010 | Sun | Read More

Using more recent Apache XML Security Libraries with JDK 6 or JDK 7

This question has come up in user forums quite a bit: "how can I use a more recent Apache XML Security library with the XML Signature APIs (JSR 105) in JDK 6 and JDK 7?" Most of the time, you will not need to do this. Our JDK 6/7 XML Signature implementation is based on Apache XML Security and we try to keep up with the latest release. However, there may be a bug fix or new algorithm that you really need and are willing to depend on a more recent version of the Apache XML...

Thursday, October 1, 2009 | Personal | Read More

Using stronger XML Signature Algorithms in JDK 7

One of the new features of the XML Signature 1.1 specification, which is currently in draft review, is the addition of stronger cryptographic algorithms to the REQUIRED algorithms, such as the RSAwithSHA256 SignatureMethod algorithm. Additional RECOMMENDED and OPTIONAL algorithms have also been added. See section 6.1 for a complete list of algorithm requirements. In JDK 7, you can already use many of these stronger XML Signature algorithms in your Java applications. The...

Friday, July 24, 2009 | Sun | Read More

Hope to see you at our Java Security BOF next week at JavaOne

Just a reminder that we'll be holding a BOF at this year's JavaOne conference on "New Security Features in JDK™ Releases 6 and 7".  It is on Wednesday at 6:45 PM in Gateway 102/103 in the Moscone Center. We plan to have a short presentation on the latest security features in JDK 6, JDK 7 and JavaFX. Then, we are going to show a demo of the new blacklist mechanism in the just-released JRE 6u14. The remaining time will be for Q&A so please bring your questions on Java Security...

Friday, May 29, 2009 | Personal | Read More

Come to our Java Security BOF at JavaOne 2009

We'll be holding a BOF at this year's JavaOne conference on "New Security Features in JDK™ Releases 6 and 7". This is sure to be an interesting BOF, as we'll go over all of the latest security features that we have added to JDK 6 and new ones that are targeted for JDK 7. We also plan to show a demo of some of the features. There should be plenty of time for Q&A so please bring your questions on Java Security as many members of Sun's Java Security team will be on hand to help...

Friday, April 24, 2009 | Sun | Read More

New API to indicate the reason a certificate chain was invalid

In JDK 7, we have added a new method (getReason) to the java.security.cert.CertPathValidatorException class which returns an object indicating the reason a certificate chain, or CertPath, is invalid. Previously, there was no standard mechanism to determine the reason of failure, and applications had to depend on the exception message or the cause which could vary based on the underlying service provider implementation. The getReason method returns an instance of CertPathValidat...

Friday, April 3, 2009 | Sun | Read More

New CertificateRevokedException class in JDK 7

There is a new CertificateRevocationException class in JDK 7 in the java.security.cert package that indicates that an X.509 certificate is revoked and also allows you to determine additional information such as the reason the certificate has been revoked and when it was revoked.  The getRevocationReason method returns a CRLReason, which is a new enum class that enumerates the different reasons an X.509 certificate can be revoked, such as compromise of the private key. In...

Friday, March 27, 2009 | Sun | Read More


Hello everyone. Although I have been with Sun for over 10 years, this is my first blog entry at blogs.sun.com. I already have a blog over at java.net (http://weblogs.java.net/blog/mullan/), but for now I will be posting new entries right here at blogs.sun.com. I may still update my blog at java.net from time to time, or figure out a way to cross-post my entries. A little about myself. I work on the Java Security Team and have spent almost 10 years working on the Java SE...

Friday, March 20, 2009 | Sun | Read More