Who will be using the java.security.* and javax.crypto.* class?

Hi expert

If SSL already provides a safe channel for two parties to communicate, why use the java.security.* classes and javax.crypto.* classes? Who uses these algorithms today for web applications?
Asked by: 4eyesgirl

objects Commented:
because ssl is not always appropriate, and the receiving end may not support it.
 
objects Commented:
for example if it's a web app then it needs to have ssl set up to handle https requests. By default a web container does not support https
 
objects Commented:
SSL does not solve all problems, the security classes contain many different algorithms and a framework for adding new algorithms. SSL in no way removes the need for them :)
 
objects Commented:
does your webapp support https?
 
4eyesgirl (Author) Commented:
This may sound a bit ignorant, but I actually haven't learned how to set up the web application yet. Right now, I am in the research stage of learning and writing small code for the individual components. And that's why I want to know more about SSL vs. java.security classes.

So you would think ssl is not for web applications, correct? You would still suggest that I write my own key exchange and symmetric algorithm to encrypt/decrypt important messages between the sender and the receiver, correct?
 
objects Commented:
ssl is for web applications, and would require you to implement it for your web container.

> You would still suggest that I write my own key exchange and symmetric algorithm to
> encrypt/decrypt important messages between the sender and the receiver, correct?

depends what the sender and receiver are.
 
objects Commented:
And if you haven't set up your app yet it seems a bit strange you're worrying about security. Generally best to get your applications working then apply security where needed. You don't want to riddle your application with security specific code, you want to keep security separate.
 
4eyesgirl (Author) Commented:
I thought setting up the web should be easy and everyone is worried about security issues on the web. And just for your reference, I have no background in security at all and I am trying to self-learn this topic so I won't have problems in the future.

I really want to understand how security can apply to web applications, and I thought it would be important to understand it.

I am thinking of setting up a website in the future and hopefully selling items on the web, so the receiver will probably be the customer and the encrypted/decrypted message will probably be a confirmation number? I don't know yet.

So am I not on the right track?
 
objects Commented:
security typically is not an application issue, you simply add the required security layer to your app.
For a web application typically what you want to secure is the information being passed over the wire, for which SSL can be used. This would require adding https support to your web container, and using https:// urls to access the site instead of http://
you would not need to change your application code as the security layer would handle security for you.
 
4eyesgirl (Author) Commented:
So I don't even need to write any security code?  Meaning I probably won't need to use the java.security* class, is this assumption correct?
 
objects Commented:
typically no you won't. You may come across a situation where there is sensitive data that needs particular protection, but until you do then there's no need to worry yourself.
and if you don't know what you're protecting and from whom, how can you write code to secure it :)
 
objects Commented:
I look after the development of lots of sites, some secure and some not and would have very little security specific code. And where there is some it is completely independent of my application code.
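
Added example, not part of the original thread: one case where the javax.crypto and java.security classes do something SSL does not. SSL protects a confirmation number only while it travels over the wire; an HMAC tag lets the server later check that a number a customer presents was really issued by it and has not been altered. The class name, the `ORDER-1001` value and the in-memory demo key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ConfirmationToken {              // hypothetical class name
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    ConfirmationToken(byte[] secret) { this.key = new SecretKeySpec(secret, ALG); }

    // Keyed digest over the order id; only a holder of the key can produce it.
    private byte[] tag(String orderId) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(key);
        return mac.doFinal(orderId.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns "orderId.tag", the value handed to the customer. */
    String issue(String orderId) throws GeneralSecurityException {
        return orderId + "."
                + Base64.getUrlEncoder().withoutPadding().encodeToString(tag(orderId));
    }

    /** True only if the token was issued with this key and not changed since. */
    boolean verify(String token) throws GeneralSecurityException {
        int dot = token.lastIndexOf('.');
        if (dot <= 0) return false;           // no order id or no tag present
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return false;                     // tag is not valid Base64
        }
        // MessageDigest.isEqual compares in constant time, avoiding a timing leak.
        return MessageDigest.isEqual(tag(token.substring(0, dot)), presented);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // demo key; assumption: a real key is stored server-side
        ConfirmationToken ct = new ConfirmationToken(secret);
        String token = ct.issue("ORDER-1001");                        // constructed sample value
        System.out.println(ct.verify(token));                         // genuine token
        System.out.println(ct.verify(token.replace("1001", "1002"))); // altered order number
    }
}
```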