A First Look at Java's Cryptography Mechanisms (JCA): Overview
In Java, security services (message digests, ciphers, signatures and so on) are supplied by providers: subclasses of java.security.Provider that register concrete implementations of Service Provider Interface classes such as MessageDigestSpi.
Each XXXSpi is an abstract parent class; the engine class the application calls (MessageDigest, Cipher, Signature, ...) delegates to whichever XXXSpi implementation the selected provider supplies.
For example, with the following code:
MessageDigest md = MessageDigest.getInstance("MD5"); // JCA algorithm names are case-insensitive.
(MD5 is used here only to illustrate the lookup; it is no longer collision resistant and should not be chosen for new designs.)
At run time Java walks the provider list in the order shown in the lookup model (figure not reproduced in this copy): it first looks for an MD5 implementation in ProviderA,
and if ProviderA has none it tries ProviderB, and so on; the first provider that offers the algorithm wins.
Which providers exist, and whether ProviderA is consulted before ProviderC, is defined in the java.security file under the JRE's lib/security directory (for example Java\jre1.5.0_16\lib\security\java.security; search the JDK installation for it. Since JDK 9 the file lives in <JDK>/conf/security/java.security and its entries name the provider rather than its class). Java searches providers in the order of the security.provider.N entries, position 1 having the highest priority:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
We can also implement our own Provider, or use a third-party Provider that does not come from Sun, and request an implementation from a specific provider by name. The second argument is the provider's name string (for example "SUN" or "SunJCE"), not its class name; if no provider of that name is installed, getInstance throws NoSuchProviderException:
MessageDigest md = MessageDigest.getInstance("MD5", "ProviderC");
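The lookup described above, end to end, as an added example written for this page (it is not code from the original post or from Sun): it lists the provider search order, shows which provider actually serves a plain getInstance("md5"), requests a provider by name, and registers a provider of our own that implements a MessageDigestSpi. ExampleProvider, TruncatedSha256Spi, the algorithm name "SHA-256/128" and the provider name "ProviderC" are hypothetical names chosen for this example; the input "abc" is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

public class ProviderLookupDemo {

    /**
     * Hypothetical provider written for this example (not a JDK or third-party provider).
     * A Provider is essentially a map from "EngineType.AlgorithmName" to the SPI class
     * that implements it.
     */
    public static final class ExampleProvider extends Provider {
        public ExampleProvider() {
            // (name, version, info). The double-version constructor exists on every JDK;
            // JDK 9+ also offers Provider(String, String, String).
            super("ExampleProvider", 1.0, "Example provider registering one MessageDigest SPI");
            // The JDK instantiates the SPI reflectively, so it must be a public class with a
            // public no-argument constructor. "SHA-256/128" is a name chosen for this example.
            put("MessageDigest.SHA-256/128", TruncatedSha256Spi.class.getName());
        }
    }

    /** SPI implementation: SHA-256 truncated to its first 128 bits, delegating to the platform SHA-256. */
    public static final class TruncatedSha256Spi extends MessageDigestSpi {
        private static final int OUTPUT_LEN = 16;
        private final MessageDigest inner;

        public TruncatedSha256Spi() {
            try {
                inner = MessageDigest.getInstance("SHA-256");
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("SHA-256 is mandatory in every JDK", e);
            }
        }
        @Override protected int engineGetDigestLength() { return OUTPUT_LEN; }
        @Override protected void engineUpdate(byte input) { inner.update(input); }
        @Override protected void engineUpdate(byte[] input, int offset, int len) { inner.update(input, offset, len); }
        @Override protected byte[] engineDigest() { return Arrays.copyOf(inner.digest(), OUTPUT_LEN); }
        @Override protected void engineReset() { inner.reset(); }
    }

    /** Name of the provider that actually served an algorithm: the check to run when auditing precedence. */
    static String servingProvider(String algorithm) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Security.getProviders() returns the providers in the order of the
        //    security.provider.N entries in java.security: this is the search order.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName());
        }

        // 2. Plain lookup: the first provider in that order offering the algorithm wins.
        //    Names are case-insensitive, so "md5" resolves the same as "MD5".
        MessageDigest md = MessageDigest.getInstance("md5");
        System.out.println("md5 served by provider " + md.getProvider().getName());
        byte[] input = "abc".getBytes(StandardCharsets.UTF_8);   // constructed sample input
        System.out.println("MD5(\"abc\") = " + hex(md.digest(input)));

        // 3. Explicit provider: the second argument is the provider *name* (e.g. "SUN"),
        //    not its class name. An unknown name throws NoSuchProviderException.
        try {
            MessageDigest.getInstance("MD5", "ProviderC");
        } catch (NoSuchProviderException e) {
            System.out.println("no provider named ProviderC is installed: " + e.getMessage());
        }

        // 4. Register our own provider. addProvider appends it at the END of the list, so it
        //    cannot shadow algorithms that earlier providers already implement;
        //    Security.insertProviderAt(p, 1) would put it first and let it capture every
        //    lookup for the algorithms it registers.
        Security.addProvider(new ExampleProvider());
        MessageDigest truncated = MessageDigest.getInstance("SHA-256/128", "ExampleProvider");
        System.out.println("SHA-256/128(\"abc\") = " + hex(truncated.digest(input)));

        // 5. Precedence audit: SHA-256 should still come from the JDK's own provider.
        //    If some other provider answers, something was inserted ahead of it.
        System.out.println("SHA-256 served by provider " + servingProvider("SHA-256"));
    }
}
```

Compile with javac ProviderLookupDemo.java and run with java ProviderLookupDemo. Two points worth keeping in mind: always confirm which provider served an engine with getProvider() rather than assuming it, because a provider inserted at position 1 (by your own code or by a library on the classpath) silently takes over every algorithm it registers; and registering a MessageDigest or Signature SPI from an unsigned class works everywhere, whereas Oracle's JDK historically required a signed provider JAR for the JCE engine types (Cipher, Mac, KeyAgreement, KeyGenerator, SecretKeyFactory).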
Class diagram (image not included in this copy).
The algorithms already implemented by each provider that Sun ships are listed at:
http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SUNProvider
============================== Rough class description table ===============================
Table 1 Key Java security packages and classes

Package | Class/Interface Name | Usage
--- | --- | ---
com.sun.security.auth.module | JndiLoginModule | Performs username/password authentication using an LDAP or NIS database
com.sun.security.auth.module | KeyStoreLoginModule | Performs authentication based on a key store login
com.sun.security.auth.module | Krb5LoginModule | Performs authentication using the Kerberos protocols
java.lang | SecurityException | Indicates a security violation
java.lang | SecurityManager | Mediates all access control decisions (deprecated for removal since JDK 17, JEP 411)
java.lang | System | Installs the SecurityManager
java.security | AccessController | Called by the default implementation of SecurityManager to make access control decisions
java.security | Key | Represents a cryptographic key
java.security | KeyStore | Represents a repository of keys and trusted certificates
java.security | MessageDigest | Represents a message digest
java.security | Permission | Represents access to a particular resource
java.security | Policy | Encapsulates the security policy
java.security | Provider | Encapsulates security service implementations
java.security | Security | Manages security providers and security properties
java.security | Signature | Creates and verifies digital signatures
java.security.cert | Certificate | Represents a public key certificate
java.security.cert | CertStore | Represents a repository of unrelated and typically untrusted certificates
javax.crypto | Cipher | Performs encryption and decryption
javax.crypto | KeyAgreement | Performs a key exchange
javax.net.ssl | KeyManager | Manages keys used to perform SSL/TLS authentication
javax.net.ssl | SSLEngine | Produces/consumes SSL/TLS packets, leaving the application free to choose a transport mechanism
javax.net.ssl | SSLSocket | Represents a network socket that encapsulates SSL/TLS support on top of a normal stream socket
javax.net.ssl | TrustManager | Makes decisions about whom to trust in SSL/TLS interactions (for example, based on trusted certificates in key stores)
javax.security.auth | Subject | Represents a user
javax.security.auth.kerberos | KerberosPrincipal | Represents a Kerberos principal
javax.security.auth.kerberos | KerberosTicket | Represents a Kerberos ticket
javax.security.auth.login | LoginContext | Supports pluggable authentication
javax.security.auth.spi | LoginModule | Implements a specific authentication mechanism
javax.security.sasl | Sasl | Creates SaslClient and SaslServer objects
javax.security.sasl | SaslClient | Performs SASL authentication as a client
javax.security.sasl | SaslServer | Performs SASL authentication as a server
org.ietf.jgss | GSSContext | Encapsulates a GSS-API security context and provides the security services available via the context