Thursday Oct 29, 2015

Secure Java EE Architecture and Programming 101 [CON4155]

Earlier this week, Mario-Leander Reimer (Chief Technologist, QAware GmbH) presented session [CON4155] entitled Secure Java EE Architecture and Programming 101. This presentation introduced secure coding practices, and provided a number of basic rules and tools every secure Java developer must know. The session also discussed the secure usage of open source libraries and presented basic security patterns for constructing secure system architectures.

For more information on Java Security in general see Java SE Security and the Security section of the Java EE 7 Tutorial.

Wednesday Oct 28, 2015

JavaOne 2015: Safer and Faster: New JDK Security Features and Performance Improvements [CON6710]

On Wednesday, October 28th, Sean Mullan (Consulting Member of Technical Staff, Oracle) explained why, in today's fast-paced internet-connected world, Java applications are increasingly under attack. This session [CON6710] discusses recent and forthcoming JDK security features and performance improvements.

For related information, see: Java 8 Security Enhancements.

Monday Sep 29, 2014

JavaOne 2014: Security with Java Deployment

Monday at JavaOne, David DeHaven and Chris Bensen of Oracle gave a presentation on Security with Java Deployment, which covers the changes that were made in the deployment security model over the past few years. Best practices were also discussed.

For additional information about the topics covered, see the following Java documentation:

Tuesday Mar 25, 2014

Learn More About Security Enhancements in Java SE 8

Oracle constantly works on improving the security of the Java platform. The following security enhancements are new for JDK 8; see JDK 8 Security Enhancements for more details:

  • Client-side TLS 1.2 (an industry standard) enabled by default; improves security of data in transit; see the Protocols section of the SunJSSE Provider and Customizing JSSE
  • Enhanced support for certification revocation checking; it enables the Java community to better police their own certificates; see Check Revocation Status of Certificates with PKIXRevocationChecker Class
  • New tool, jdeps, a Java class dependency analyzer, identifies external dependencies that may negatively impact your applications' ability to upgrade to the latest security patches
  • Type Annotations help ensure that your data is consistent with your requirements
  • SSL/TLS Server Name Indication (SNI) Extension is a TLS extension to support virtual hosting environments; previously, HTTPS servers could not be hosted in a virtual hosting infrastructure where multiple domains share the same IP address; see Server Name Indication (SNI) Extension
  • High entropy random number generation; see SecureRandom section of the JCA Reference Guide and the SecureRandom API Specification
  • The cryptographic algorithms in JDK 8 have been enhanced with the SHA-224 variant of the SHA-2 family of message-digest implementations
  • Support for NSA Suite B cryptography has been enhanced
  • The PKCS 11 provider support for Windows has been expanded to include 64-bit
  • Overhauled JKS-JCEKS-PKCS12 Keystore

Many recent improvements, added in JDK 7 update releases and critical patch updates (CPUs) and in JDK 8, focus on preventing attackers from using malicious applets and Rich Internet Applications (RIAs). These improvements are described in Java Rich Internet Applications Enhancements in JDK 7 and include the following:

  • Ability to set the security level of the Java client in the Java Control panel
  • Ability to disable any Java application from running in the browser
  • JREs have an expiration date; JREs will behave differently after their expiration date, which encourages upgrades; see JDK 7u10 Release Notes
  • Expanded blacklisting support, which includes a certificate and jar blacklist repository maintained by Oracle; see JDK 7u21 Release Notes
  • Recommendation that all applications be privileged (previously called "signed" applications); otherwise, applications are restricted to the security sandbox
  • By default, all certificates are checked using both OCSP and CRLs
  • New JAR file manifest attributes to defend RIAs against unauthorized code repurposing
  • Deployment Rule Set feature enables an enterprise to establish a whitelist of known applications; applications on the whitelist can be run without most security prompts
  • Ability for enterprises that manage their own update process to disable the check for JREs that are expired or below the security baseline
  • Exception Site List feature provides a way for users to run Java applets and Java Web Start applications that do not meet the latest security requirements

Milton Smith presented the screencast Java 8 Security Highlights during the Java 8 Launch Webcast; it discusses these enhancements.

See What's New in JDK 8 for additional information about other new features in JDK 8.

Download JDK 8 today and try it out!

Tuesday Oct 15, 2013

JDK 7u45 and JavaFX 2.2.45 Documentation Updates

The Java Development Kit 7 Update 45 (JDK 7u45) release with JavaFX 2.2.45 is available and can be downloaded from the Java SE Downloads page. For information about this release, see the JDK 7u45 Release Notes.

The Java Control Panel now has an option for restoring the security prompts that were hidden when the option to not show the prompt again was selected. See the documentation for the Security tab for more information on the Restore Security Prompts option.

New JAR file manifest attributes are available to provide additional security for your applets and Java Web Start applications. See JAR File Manifest Attributes for Security for information on the Application-Name, Application-Library-Allowable-Codebase, and Caller-Allowable-Codebase attributes. The launchable examples in the Java Tutorial have been updated to use these new attributes, where applicable.

Note: The Permissions attribute that was added for 7u25 is now required when the Security Level slider in the Java Control Panel is set to Very High.
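As an added example, not code from this post or from the JDK, here is a small Java checker that reads a JAR manifest with java.util.jar.Manifest and reports which of the security attributes discussed above are absent or set to unexpected values. The class name and its finding messages are hypothetical; Codebase is the attribute that shipped alongside Permissions in 7u25, and the sample manifest is constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

/** Hypothetical checker, not part of the JDK: reports security-related
 *  main-section attributes that a JAR manifest lacks or sets to odd values. */
public class ManifestSecurityCheck {
    static List<String> check(Manifest mf) {
        Attributes main = mf.getMainAttributes();
        List<String> findings = new ArrayList<>();
        // Required at security level Very High (see the note in the post above).
        String perms = main.getValue("Permissions");
        if (perms == null) {
            findings.add("missing Permissions (required at Very High)");
        } else if (!perms.equals("sandbox") && !perms.equals("all-permissions")) {
            findings.add("unexpected Permissions value: " + perms);
        }
        // Codebase (introduced with Permissions in 7u25) pins the JAR to its
        // hosting location so a signed JAR cannot simply be re-hosted elsewhere.
        if (main.getValue("Codebase") == null) {
            findings.add("missing Codebase: JAR may be hosted from any location");
        }
        // 7u45 attributes; absence causes a user prompt rather than a failure.
        if (main.getValue("Application-Name") == null) {
            findings.add("missing Application-Name: prompts show the JAR or class name instead");
        }
        if (main.getValue("Application-Library-Allowable-Codebase") == null) {
            findings.add("no Application-Library-Allowable-Codebase: prompt when JAR and JNLP/HTML locations differ");
        }
        if (main.getValue("Caller-Allowable-Codebase") == null) {
            findings.add("no Caller-Allowable-Codebase: JavaScript-to-Java calls prompt");
        }
        return findings;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample manifest for illustration, not taken from a real JAR.
        String text = "Manifest-Version: 1.0\n"
                    + "Permissions: sandbox\n"
                    + "Application-Name: Example Applet\n\n";
        Manifest mf = new Manifest(new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
        for (String finding : check(mf)) {
            System.out.println(finding);
        }
    }
}
```

Run against the constructed manifest, the checker reports the missing Codebase and the two absent Allowable-Codebase attributes while accepting the sandbox Permissions value.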

In the Java Tutorial, the JAXP trail has a new lesson on Processing Limits.

Minor improvements have been made to some of the JavaFX tutorials, and the JavaFX API documentation has been updated for the 2.2.45 release.

For all tutorials, guides, and API documentation, see Java SE Technical Documentation and JavaFX 2 Documentation.

Thursday Sep 26, 2013

JavaOne 2013: Pointers to Information Related to Oracle Java Embedded Suite

Two JavaOne talks centered on the Oracle Java Embedded Suite:

For more information on Java Embedded Suite 7.0, see the Developer's Guide and Release Notes.
