|
|
Recommended: Sing it, brah! 5 fabulous songs for developers
JW's Top 5
Featured White Papers
- Measuring Risk to Improve Java Software Quality
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
-
Graph databases are 1000x faster than relational.
Learn More!
-
Career opportunities at Harman- Careers That'll Rock Your Socks Off.
Learn More!
-
Developer-friendly Java PDF libraries by Qoppa Software
Live Demos
-
Stop blaming your app! Diagnose Java performance issues.
Free tool >
-
UrbanCode: Go From Continuous Integration to
Continuous DeliveryLearn More!
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Java security evolution and concepts, Part 5
J2SE 1.4 offers numerous improvements to Java security
Page 2 of 6
Next, strong cipher support is available via JCE and JSSE, albeit with some important control restrictions. In JCE, the cryptographic
strengths are limited through the jurisdiction files by default. JSSE, for its part, now restricts the replacement of the
default SSLSocketFactory and SSLServerSocketFactory classes.
Moreover, you'll find support for dynamic policies. Prior to J2SE 1.4, the security policy was associated at the time of class loading. In 1.4, the security policy association is deferred until the security check becomes necessary.
In addition, J2SE 1.4 includes some changes to the functionality of the security classes. As an example, the javax.security.cert class is available only for backward compatibility, with its functionality carried forward by the java.security.cert class. Newer applications should use this class.
Finally, applet security as enforced by 1.4 is different, which we'll look into in the next section.
Java Plug-in enhancements
You'll see some changes in security between the J2SE 1.3 Java Plug-in and the 1.4 Java Plug-in (for more, see Sidebar 1: Java Plug-in Primer). Since we are interested in security, I explore the changes by revisiting the signed applets developed in Part 3.
Security in the J2SE 1.3 Java Plug-in
To illustrate how the J2SE 1.3 Plug-in handles applet security, let's first look at the writeFile applet from Part 3 of this series. Execute the writeFile signed applet under the J2SE 1.3 Java Plug-in. Make sure that the policy files do not allow the temp file (/tmp/foo on Unix systems and c:\tmpfoo on Windows) to be modified. If the clock on your system is set correctly, the signed applet's signature should not validate
because it has expired; therefore, the applet will not initialize. If you set your system's clock back to a date between December
13, 2000 and December 21, 2001 (that is, to a time when the certificate is valid), the signature validates, and you should
see a dialog box asking whether the applet should run or not.
As another example, run the signed applet discussed in "JDK 1.2 -- Signed Applet Example" under the J2SE 1.3 Java Plug-in. The applet has been signed by a key -- Duke -- whose public key has been self-certified. That means the Certification Authority (CA) used to sign the certificate is not trusted by default in the environment. As a result, the signature validation fails again, and the dialog box again fails to pop up.
Security in the J2SE 1.4 Java Plug-in
Now, let's run the same applet examples under the J2SE 1.4 Java Plug-in.
When executing the example from Part 3, the signed applet with the expired certificate, the user sees a dialog box clearly indicating that the certificate is expired, as shown in Figure 1. Here, the ultimate decision to execute the applet is left to the user's discretion.
Figure 1. Signed applet with an expired certificate
Likewise, in the second example of the signed applet with the untrusted certificate, the user sees a dialog box, this time indicating that the CA cannot be trusted. The applet can still be executed if the user so chooses, as seen in Figure 2.
- Feedback
More from JavaWorld
Resources
- "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- Java security resources from java.sun.com:
- For comprehensive Java security information, read Sun Microsystems' Java Security API page
http://java.sun.com/security - For the latest documentation on Java security, read the documentation from Java 2 1.4
http://java.sun.com/j2se/1.4/docs/relnotes/features.html#security - "Java 2 Platform, Standard Edition, v 1.4.0 API Specification"
http://java.sun.com/j2se/1.4/docs/api/index.html - "Java Cryptography Extension (JCE) Reference Guide"
http://java.sun.com/j2se/1.4/docs/guide/security/jce/JCERefGuide.html - "Java Secure Socket Extension (JSSE) Reference Guide"
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html - For "Archives of java-security@sun.com," see
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security"
http://java.sun.com/sfaq/ - Java 2 SDK platform security tools
http://java.sun.com/j2se/1.4/docs/tooldocs/tools.html#security - "Default Policy Implementation and Policy File Syntax"
http://java.sun.com/j2se/1.3/docs/guide/security/PolicyFiles.html - "JDK 1.2 - Signed Applet Example,"
http://java.sun.com/security/signExample12/ - Java Plug-in documentation and download
http://java.sun.com/products/plugin/index.html - "Java Certification Path API Programmer's Guide," Sean Mullan
http://java.sun.com/j2se/1.4/docs/guide/security/certpath/CertPathProgGuide.html - "Java Authentication and Authorization Service (JAAS) Reference Guide"
http://java.sun.com/j2se/1.4/docs/guide/security/jaas/JAASRefGuide.html - "Introduction to JAAS and Java GSS-API Tutorials"
http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/index.html
- Security-related Java Specification Requests at the Java Community Process:
- Java Certification Path API (JSR 000055)
http://jcp.org/jsr/detail/055.jsp - Java GSS-API (JSR 000072)
http://www.jcp.org/jsr/detail/72.jsp
- Other important Java security resources:
- A list of CAs for obtaining code-signing certificateshttps://certs.netscape.com/client.html
- Netscape's security tools, including signtool
http://developer.netscape.com/docs/manuals/index.html?content=security.html - A comprehensive list of security-related problems with suggested remedial action, known as CERT advisories
http://www.cert.org/ - Applied CryptographyProtocols, Algorithms, and Source Code in C, Second Edition, Bruce Schneier (John Wiley and Sons, 1996; ISBN0471117099) -- a fascinating book on the science and politics of cryptography
http://www.amazon.com/exec/obidos/ASIN/0471117099/javaworld - RSA Labs' FAQ about today's cryptography (in PDF format)ftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt - Generic Security Service API Version 2Java Bindings
http://www.ietf.org/rfc/rfc2853.txt - Kerberos information, including source code and binaries
http://web.mit.edu/kerberos/www/
- JavaWorld's Java security resources:
- "Construct Secure Networked Applications with Certificates," Todd Sundsted (JavaWorld):
- Part 1Certificates add value to public-key cryptography (January 2001)
- Part 2Learn to use X.509 certificates (February 2001)
- Part 3Use the Java CRL and X509CRL classes (March 2001)
- Part 4Authenticate clients and servers, and verify certificate chains (April 2001)
- For more Java security stories, visit the Security section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-security-index.shtml - Discuss Java security in our Java Security discussion
http://forums.idg.net/webx?50@@.ee6b80e - JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html - Sign up for JavaWorld's free Enterprise Java newsletter
http://www.javaworld.com/subscribe
- You'll find a wealth of IT-related articles from our sister publications at IDG.net
About Us | Advertise | Contact Us | Terms of Service/Privacy | AdChoices
Copyright, 2006-2013 Infoworld, Inc. All rights reserved.