Further Reading

Most of the material in this chapter is drawn from the author's own experiments and from the documentation and other information available with the J2SE SDK. Besides the tutorial, guides and Javadocs available with the J2SE SDK, the book Java Security by Scott Oaks is a good read for comprehensive reference information on most of the APIs and configuration files covered in this chapter.

A good presentation on the Java bytecode security model at the JVM level, originally given at Blackhat Briefings 2002, Las Vegas, by Marc Schönefeld, is available at http://www.illegalaccess.de/blackhat/blackhat.pdf. Though of little interest to an application developer, it contains a fairly detailed description of bytecode security issues.

There is a good discussion of the capabilities and limitations of the java.security.Policy framework in an online paper titled When “java.policy” Just Isn't Good Enough by Ted Neward at http://www.javageeks.com/Papers/JavaPolicy/JavaPolicy.pdf. This paper outlines the steps for replacing the default Policy classes of J2SE with your own custom classes and points out the common pitfalls.

A brief paper on the PAM (Pluggable Authentication Module) framework, the inspiration behind the JAAS framework of LoginModule, LoginContext and various callback handlers, by Vipin Samar and Charlie Lai of Sun Microsystems, Inc., can be found online at http://java.sun.com/security/jaas/doc/pam.html.
