Establishing Secure Connection Using SSL

Overview

Difficulty: Intermediate
Duration: 2h 6m
Students: 5
Description

This course takes an in-depth look at security in Java Enterprise Edition. We'll cover a wide range of topics as listed below. Finally, we'll round off the course by taking a look at some example exam questions similar to those you can expect to find on the Oracle Certified Java EE exams.

Learning Objectives

  • Understand the fundamentals of security in Java EE
  • Learn the following concepts and features:
    • Securing GlassFish server
    • Working with users, groups, and roles
    • SSL
    • Securing your web applications
    • Securing enterprise beans
    • Digital certificates
    • Security architecture
    • Security threats
    • And much more...

Intended Audience

This course is intended for anyone who already has basic knowledge of Java and now wants to learn about Java Enterprise Edition.

Prerequisites

Basic knowledge of Java programming

Transcript

Establishing a secure connection using SSL. Secure Sockets Layer (SSL) is security that is implemented at the transport layer. Transport security is a point-to-point security mechanism that can be used for authentication, message integrity, and confidentiality. SSL allows web browsers and web servers to communicate over a secure connection. In this secure connection, the data is encrypted before being sent and then decrypted upon receipt, before processing. Both the browser and the server encrypt all traffic before sending any data. SSL addresses the following important security considerations.

Authentication. During your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of this certificate is to verify that the site is who and what it claims to be. In some cases, the server may request a certificate proving that the client is who and what it claims to be. This mechanism is known as client authentication.

Confidentiality. When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted, so that the data cannot be deciphered by the third party and the data remains confidential.

Integrity. SSL helps guarantee that the data will not be modified in transit by that third party.

The SSL protocol is designed to be as efficient as is securely possible. However, encryption and decryption are computationally expensive processes from a performance standpoint. It's not strictly necessary to run an entire web application over SSL, and it's customary for a developer to decide which pages require a secure connection and which do not. Pages that might require a secure connection include those for login, personal information, shopping cart checkouts, buying operations, or credit card information transmittal. Any page within an application can be requested over a secure socket by simply prefixing the address with https instead of http.

Any pages that absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https is not specified. Using name-based virtual hosts on a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, in which the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined before authentication, and it is therefore not possible to assign multiple certificates to a single IP address.

If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server's domain name against the domain name listed in the certificate, if any. This applies primarily to official certificates signed by a certificate authority. If the domain names do not match, these browsers will display a warning to the client. In general, only address-based virtual hosts are commonly used with SSL in a production environment.
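The transcript says that pages which absolutely require a secure connection should check the protocol of the request and act if https was not used. The following servlet filter is an added example of that check, written for this page; it is not code from the course or from OAK Academy. It assumes a Java EE web application using the javax.servlet API; the package name, class name and the protected URL patterns are illustrative choices.

```java
// Added example (not from the course): a servlet filter that enforces HTTPS on
// the pages the transcript lists as sensitive (login, checkout, account data).
// Assumes a Java EE web application (javax.servlet). The package, class name
// and URL patterns are hypothetical values chosen for this illustration.
package example.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Checks the protocol type of every request to the protected paths, as the
 * transcript recommends. A GET that arrived in the clear is redirected to the
 * same resource over https; any other method that arrived in the clear is
 * refused, because its body (form fields, card data) has already crossed the
 * network unencrypted and redirecting would merely ask the browser to resend it.
 */
@WebFilter(urlPatterns = {"/login/*", "/checkout/*", "/account/*"})
public class RequireHttpsFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only when the container received this request over
        // a secure scheme such as https. This is the protocol check itself.
        if (!request.isSecure()) {
            if ("GET".equals(request.getMethod())) {
                response.sendRedirect(buildHttpsUrl(request));
            } else {
                // Data was already exposed; do not process it and do not resubmit it.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "This resource must be requested over https");
            }
            return;
        }
        chain.doFilter(req, res);
    }

    /** Rebuilds the requested URL with the https scheme on the default TLS port. */
    static String buildHttpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://")
                .append(request.getServerName())
                .append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }
}
```

Two practical notes on this design. First, `isSecure()` describes the connection the container itself accepted; when a load balancer terminates SSL in front of the application server, the connector must be configured to trust the balancer's forwarded-scheme information or the check will report every request as insecure. Second, the same requirement can be declared instead of coded: a `security-constraint` in web.xml whose `user-data-constraint` sets `transport-guarantee` to `CONFIDENTIAL` makes the container itself refuse or redirect non-SSL requests to the matched URL patterns.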


About the Author
Students: 413
Courses: 35
Learning Paths: 2

OAK Academy is made up of tech experts who have been in the sector for years and years and are deeply rooted in the tech world. They specialize in critical areas like cybersecurity, coding, IT, game development, app monetization, and mobile development.
