Platform & Advanced APIs

Security Basics

Java-flavored application security: the JCA crypto architecture (hashing, signatures, encryption), TLS defaults, secret handling, and the perennial Java-specific holes — deserialization, injection, and XML external entities.
  • Passwords: salted adaptive hashes (bcrypt/scrypt/Argon2) — never MD5/SHA-x, never reversible
  • Symmetric crypto: AES-GCM via Cipher ("AES/GCM/NoPadding"), fresh random IV per message
  • SecureRandom for anything security-relevant; Random/ThreadLocalRandom are predictable
  • Java-specific sins: native Serialization of untrusted data, SQL injection (Jdbc Database), XXE in XML parsers
  • Validate input at trust boundaries; encode output for its destination (HTML, SQL, shell)
  • Keep the JDK current — crypto defaults and TLS versions improve per release
JCA in practice
// Hashing (integrity, not passwords):
byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);

// AES-GCM encryption:
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(256);
SecretKey key = kg.generateKey();

byte[] iv = new byte[12];
SecureRandom.getInstanceStrong().nextBytes(iv);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
byte[] ct = cipher.doFinal(plaintext);   // store iv || ct

The JCA's provider architecture (Core Java II ch. 9) means algorithms are named strings resolved against pluggable providers — which is why agility ("switch to a stronger algorithm") is a configuration concern, and why copy-pasted "AES/ECB/PKCS5Padding" from 2009 Stack Overflow still compiles: ECB mode leaks patterns and is never correct for general data. GCM gives confidentiality + integrity together; never reuse an IV with the same key.

Passwords are their own category: slow, salted, adaptive functions (Argon2id preferred, bcrypt fine) so brute force costs attackers real money; a pepper in a secrets manager adds a second factor the database dump doesn't contain. Secrets never live in code or images — environment injection or a manager (Vault, cloud KMS); and char[] over String for in-memory passwords is marginal hygiene, not a strategy.

Sources
  • Core Java, Volume II: Advanced Features (13th ed.)Ch. 9 — Security
  • Effective Java (3rd ed.)Item 85 — deserialization
  • Java Secrets: High Performance and ScalabilitySecurity chapters