Message-Id: <199803231724.JAA13620@taller.eng.sun.com>
Date: Mon, 23 Mar 1998 09:21:44 -0800 (PST)
From: Monica Pawlan <Monica.Pawlan@Eng>
Subject: Not working
To: java-security@web4.javasoft.com
--Tiding_of_Magpies_077_000
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: LCPug7ceCZs6781YSHL4TA==
The attached document was sent to this person to answer his
questios.
------------- Begin Forwarded Message -------------
Date: Mon, 23 Mar 1998 09:19:33 -0800 (PST)
From: Monica Pawlan <monicap@taller>
Subject: Not working
To: douglas@tp.ac.sg
Mime-Version: 1.0
Hi. The attached article is scheduled to be posted on the JDC in
two weeks. It should help answer your questions.
------------- Begin Forwarded Message -------------
Date: Mon, 23 Mar 1998 09:17:52 -0800 (PST)
From: Satya Dodda <satyad@taller>
Subject: Not working
To: monicap@shorter
MIME-Version: 1.0
Content-MD5: Sz4DYOtqtpQ1jQQPlvgoVw==
Hi Monica,
Can you please pass your document to this guy?
Thanks
Satya
------------- Begin Forwarded Message -------------
Date: Mon, 23 Mar 1998 11:40:32 +0800
From: douglas <douglas@tp.ac.sg
MIME-Version: 1.0
To: java-security@web4.javasoft.com
Subject: Not working
X-Priority: 3 (Normal)
Content-Transfer-Encoding: 7bit
Hello
This is my last resort! I've been trying to get a signed applet up and
running, but with no success. I tried 1.1.4, but then read about a bug.
So I downloaded 1.2, but still no success (I keep getting a security
exception). My OS is Win 95.
This is my java file:
import java.io.*;
import java.awt.*;
import java.applet.*;
public class Write extends Applet {
public void init(){
try {
FileWriter fw = new FileWriter("score.txt");
fw.write("New high score: 14\n");
fw.close();
} catch (IOException ioe) {System.out.println(ioe);}
}
public void paint(Graphics g) {
g.drawString("Have written the file", 10, 10);
}
}
This is what is do with keytool and jarsigner:
keytool -genkey // the alias mykey is used, and I enter a password when
prompted.
jar -cf write.jar Write.class
jarsigner write.jar mykey
It doesn't work!
I keep getting an AccessControlException.
This is driving me crazy. Any help ...? What am i doing wrong?
Thanks
Douglas
------------- End Forwarded Message -------------
------------- End Forwarded Message -------------
------------- End Forwarded Message -------------
--Tiding_of_Magpies_077_000
Content-Type: TEXT/html; name="signed.html"; charset=us-ascii
Content-Description: signed.html
Content-MD5: 9Q7Vjzsk7302db+LrjRGfw==
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]()
![]()
chat newsreader calendar
|
![]() ![]() ![]() ![]() ![]() |
||
|
||
Technical Articles Index | ||
Signed Applets, Browsers, and File Access | ||
By Monica Pawlan and Satya Dodda
|
||
![]() By default, applets have no access to local resources, but a signed applet can access local resources as allowed by the local system's security policy. The Java Development Kit (JDKTM) 1.2 provides security tools so end users and system administrators can sign applets and applications, and define their local security policy by specifying in a policy file how much access to local system resources a signed applet or application can have.
Web Browsers A JDK 1.2 applet can run in a browser enabled for JDK 1.2 or in Applet Viewer. If an applet attempts to access local system resources, the applet must be signed and the local system must have a policy file configured to allow the access. If a JDK 1.2 applet does not work when you run it in your browser, it is probably because your browser is not enabled for JDK 1.2, the applet is not signed, or you do not have a correctly configured policy file. When Project JavaTM Activator ports to JDK 1.2, you can use it to enable certain browsers not ported to JDK 1.2 to run JDK 1.2 applets. Local File Access For a JDK 1.2 applet to access local system resources, it must be archived, signed, and explicitly granted access. This example shows you how to compile a simple applet, bundle it into a Java ARchive (JAR) file, sign the JAR file, and create a policy file so the applet can create newfile in the user's home directory. This is how the example applet looks when it executes in Applet Viewer:
Files: For the example, these files are used:
javac SignedAppletDemo.java Make a JAR File: Make the compiled SignedAppletDemo.class file into a JAR file. The -cvf input to the jar command means create a new archive (c), use verbose mode (v), and specify the archive file name (f). The archive file name is SignedApplet.jar. jar cvf SignedApplet.jar SignedAppletDemo.class Set up a Keystore Database: A keystore database contains public and private key pairs and their associated certificates. Key pairs and certificates are used to sign and verify the signatures on JAR files. Key Tool is a key and certificate management command line utility for managing a keystore database. A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a parituclar value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before Jar Signer can be used to sign or verify the signature on a JAR file. Use Key Tool to create a keystore database: keytool -genkey -alias duke -keystore demoKeystore -keypass abcdefgh -dname "cn=Zelda" -storepass abcdefgh This keytool -genkey command invocation generates a key pair that is identified by the alias duke. Subsequent Key Tool command invocations use this alias and the key password (-keypass abcdefg) to access the private key in the generated pair. The generated key pair is stored in a keystore database called demokeystore (-keystore demoKeystore) in the local directory, and accessed with the demoKeystore password (-storepass abcdefgh). The -dname "cn=Zelda" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates. You can view all Key Tool options and parameters by typing: keytool -help Sign the JAR File: JAR Signer is a command line tool for signing and verifying the signature on JAR files. Use Jar Signer to sign the SignedApplet.jar file: jarsigner -storepass abcdefgh -keystore demoKeystore -keypass abcdefgh SignedApplet.jar duke The -storepass abcdefgh and -keystore demoKeystore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass abcdefgh option is the password to the private key, SignedApplet.jar is the name of the JAR file, and duke is the alias to the private key. Create the Policy File: The policy file allows all programs signed by duke (the private key in the demoKeystore database) read access to the user's home directory and the ability to create newfile (and no other file) in the user's home directory. You can create a policy file with either Policy Tool or an ASCII editor. keystore "demoKeystore"; // A sample policy file that lets a JavaTM program // create newfile in user's home directory // Satya N Dodda grant SignedBy "duke" { permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "${user.home}/newfile", "write"; };Run the Applet in Applet Viewer: Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Applet Viewer is called: appletviewer -J-Djava.policy=Write.jp http://developer.javasoft.com/~ "$USER"/SignedAppletDemo.$$/SignedAppletDemo.html The -J-Djava.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedAppletDemo.html file with the Write.jp policy file. Signed Applications By default, Java applications have access to all local system resources. You can use the JDK 1.2 tools to sign an application and restrict its access to local files, but the application must be launched with the java.security.Main option for the security policy to be in effect: java -Djava.app.class.path="/home/zelda/apps" java.security.Main anApplication The java.security.Main option causes the application to execute in a restricted environment, and the -Djava.app.class.path option ensures that any application in the specified path is subject to the security policy in force. Signed Applets in JDK 1.1 JDK 1.1 signed applets can access local system resources if the local system is properly set up to allow it. See the JDK 1.1 Signed Applet Example page for details. Conclusion It is easy to use the JDK 1.2 security tools to sign a JAR file and allow an applet or application access to only certain specific local resources. Just remember a JDK 1.2 applet will not run in a browser that is not enabled for JDK 1.2, and a JDK 1.2 application must be launched with the java.security.Main option for the security policy to be in effect. The JDC has a related article on security tools that explains the new JDK 1.2 security architecture and tools in more detail.
Visit the Security page on java.sun.com for documents that describe the JDK 1.2
security architecture, policy file, Key Tool and Jar Signer.
Monica Pawlan is a staff writer on the JDC team. She has a background in 2D and 3D graphics, security, database products, and loves to explore emerging technologies. Satya Dodda is a JavaSoftTM engineer working in the security area. Reader Feedback Tell us what you think of this article and earn 2 DukeDollars.
|
|
|||
|
![]() |
Questions? 18-Mar-98 Copyright © 1996-1998 Sun Microsystems Inc. All Rights Reserved. |
![]() |
--Tiding_of_Magpies_077_000--