4eyesgirl

Who will be using the java.security.* and javax.crypto.* classes?

Hi expert

If SSL already provides a safe channel for two parties to communicate, why use the java.security.* classes and javax.crypto.* classes? Who uses these algorithms today for web applications?
Mick Barry

Because SSL is not always appropriate, and the receiving end may not support it.
For example, if it's a web app then it needs to have SSL set up to handle https requests. By default a web container does not support https.
SSL does not solve all problems; the security classes contain many different algorithms and a framework for adding new algorithms. SSL in no way removes the need for them :)
Does your webapp support https?
4eyesgirl

ASKER

This may sound a bit ignorant, but I actually haven't learned how to set up the web application yet. Right now, I am in the research state, learning and writing small code for the individual components. And that's why I want to know more about SSL vs. the java.security classes.

So you would think SSL is not for web applications, correct? You would still suggest that I write my own key exchange and symmetric algorithm to encrypt/decrypt important messages between the sender and the receiver, correct?
SSL is for web applications, and would require you to implement it for your web container.

> You would still suggest that I write my own key exchange and symmetric algorithm to
> encrypt/decrypt important messages between the sender and the receiver, correct?

Depends what the sender and receiver are.
And if you haven't set up your app yet it seems a bit strange you're worrying about security. Generally best to get your application working, then apply security where needed. You don't want to riddle your application with security-specific code; you want to keep security separate.
I thought setting up the web should be easy and everyone is worried about security issues on the web. And just for your reference, I have no background in security at all and I am trying to self-learn this topic so I won't have problems in the future.

I really want to understand how security can apply to web applications, and I thought it would be important to understand it.

I am thinking of setting up a website in the future and hopefully selling items on the web, so the receiver will probably be the customer and the encrypted/decrypted message will probably be a confirmation number? I don't know yet.

So am I not on the right track?
Security typically is not an application issue; you simply add the required security layer to your app.
For a web application, typically what you want to secure is the information being passed over the wire, for which SSL can be used. This would require adding https support to your web container, and using https:// URLs to access the site instead of http://
You would not need to change your application code, as the security layer would handle security for you.
So I don't even need to write any security code? Meaning I probably won't need to use the java.security.* classes, is this assumption correct?
ASKER CERTIFIED SOLUTION
Mick Barry
This solution is only available to members.
I look after the development of lots of sites, some secure and some not, and would have very little security-specific code. And where there is some, it is completely independent of my application code.
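
Added example, not part of the original thread or any poster's code: one case where javax.crypto and java.security are still used even though SSL protects the connection. SSL only covers data in transit, so the server uses an HMAC to check later that a confirmation number handed back to it was really issued by it. The class name, token layout and sample order number are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: issues and checks tamper-evident confirmation numbers.
public class ConfirmationToken {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    ConfirmationToken(byte[] keyBytes) {
        this.key = new SecretKeySpec(keyBytes, ALG);
    }

    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Returns "<confirmation>.<base64url tag>"; the tag depends on the server-side key.
    String sign(String confirmation) throws Exception {
        String tag = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(confirmation));
        return confirmation + "." + tag;
    }

    // Returns the confirmation number if the tag matches, otherwise null.
    String verify(String token) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String confirmation = token.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // tag is not valid base64url
        }
        // MessageDigest.isEqual compares the two tags in constant time.
        return MessageDigest.isEqual(mac(confirmation), given) ? confirmation : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k); // constructed demo key; a real key is stored server-side
        ConfirmationToken t = new ConfirmationToken(k);
        String token = t.sign("ORDER-1001"); // constructed sample value
        System.out.println(t.verify(token)); // genuine token: prints the confirmation number
        System.out.println(t.verify("ORDER-9999" + token.substring(token.lastIndexOf('.')))); // altered: null
    }
}
```

Run with `java ConfirmationToken.java` on Java 11 or later. The check is independent of the transport, which is why it lives in application code rather than in the web container's https configuration.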