|
|
Featured White Papers
- Why choose an Open Source BPM?
- 10 FAQs on Business Process Management
- Best Practices for Getting Started with BPM
- Free Your Devs From The Pain Of Java Redeploys
- Increase Velocity 40% by Using JRebel
- What Developers Want: The End of Application Redeploys
- Developer Productivity Report: Java Tools, Tech, Devs, and Data
- Coding with JRebel: Java Forever Changed
- Utilizing Fast Testing to Transform Java Development
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Java security evolution and concepts, Part 3: Applet security
Tackle Java applet security with confidence
Page 2 of 6
/**
* By default, this raises a security exception as an applet.
*
* With JDK 1.2 appletviewer,
* if you configure your system to grant applets signed by "Duke"
* and downloaded from the Java Software Website to write a file
* to your /tmp directory (or to the file named "C:\tmpfoo" on a
* Windows system), then this applet can run.
*
* @version JDK 1.2
* @author Marianne Mueller
* @Modified by Raghavan Srinivas[Rags]
*/
import java.awt.*;
import java.io.*;
import java.lang.*;
import java.applet.*;
public class writeFile extends Applet {
String myFile = "/tmp/foo";
File f = new File(myFile);
DataOutputStream dos;
public void init() {
String osname = System.getProperty("os.name");
if (osname.indexOf("Windows") != -1) {
myFile="C:" + File.separator + "tmpfoo";
}
}
public void paint(Graphics g) {
try {
dos = new DataOutputStream(new BufferedOutputStream(new FileOutputStream(myFile),128));
dos.writeBytes("Cats can hypnotize you when you least expect it\n");
dos.flush();
dos.close();
g.drawString("Successfully wrote to the file named " + myFile + " -- go take a look at it!", 10, 10);
}
catch (SecurityException e) {
g.drawString("writeFile: caught security exception", 10, 10);
}
catch (IOException ioe) {
g.drawString("writeFile: caught i/o exception", 10, 10);
}
}
public static void main(String args[]) {
Frame f = new Frame("writeFile");
writeFile writefile = new writeFile();
writefile.init();
writefile.start();
f.add("Center", writefile);
f.setSize(300, 100);
f.show();
}
}
Running the bytecode generated in a Java 2 Runtime Environment, Standard Edition (JRE) will let the application modify the file on the local filesystem by default, since the default policy does not subject Java 2 applications to a security manager. This policy is justified because applications are typically locally generated code and not downloaded over the network. The following command line produces the window shown in Figure 1, indicating that the file was created and written into.
$ java writeFile
Figure 1. writeFile Application -- no security manager
To subject the code to the Java 2 security manager, invoke the following command line, which should produce the results indicated in Figure 2. Notice that the application generated a security exception caused by an attempt to modify the local filesystem. The explicitly included security manager generated the exception.
$ java -Djava.security.manager writeFile
Figure 2. writeFile Application -- including the security manager
The cases illustrated above represent extreme examples of security policy. In the former case, the application was not subject to any control; in the latter, it was subject to a very rigid control. In most cases it will be necessary to set the policy somewhere in between.
You can accomplish an in-between policy using a policy file. To do so, create a policy file called all.policy in the working directory:
grant {
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
Running the same piece of code with the following command line will allow modification of the local filesystem:
- Feedback
More from JavaWorld
Resources
- To run this article's example applet, go to
http://www.javaworld.com/javaworld/jw-12-2000/security/writeFile.html - For all of the files, including the
writeFile.javasource file, associated with this article, go to
http://www.javaworld.com/javaworld/jw-12-2000/security/jw-1215-security.zip - "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- JavaWorld's security-related resources
- For more articles covering Java security, visit the Security section of JavaWorld's Topical Index
http://www.javaworld.com/javaworld/topicalindex/jw-ti-security.html - The Java Security discussion offers numerous conversations concerning security. It's also a great place to ask questions
http://www.itworld.com/jump/jw-1215-security/forums.itworld.com/webx?14@@.ee6b80e - Sign up for the JavaWorld This Week free weekly email newsletter and keep up with what's new at JavaWorld
http://www.idg.net/jw-subscribe - JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html - Security information from Java.sun.com
- For comprehensive Java security information, read the Java Security API page
http://java.sun.com/security - For the latest documentation on Java security, read the documentation from Java 2 version 1.3
http://java.sun.com/j2se/1.3/docs/guide/security/index.html - "Low Level Security in Java," Frank Yellin
http://java.sun.com/sfaq/verifier.html - Java security Q&A archives
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security"
http://java.sun.com/sfaq/ - "TrailSecurity in Java 2 SDK 1.2," Mary Dageforde
http://web2.java.sun.com/docs/books/tutorial/security1.2/index.html - Java 2 SDK platform security tools
http://java.sun.com/j2se/1.3/docs/tooldocs/tools.html#security - Default Policy Implementation and Policy File Syntax
http://java.sun.com/j2se/1.3/docs/guide/security/PolicyFiles.html - Java 2 version 1.2 code signing example
http://java.sun.com/security/signExample12/ - Java plug-in documentation and download
http://java.sun.com/products/plugin/index.html - Other important security-related resources
- A list of CAs from which you can obtain code-signing certificates
https://certs.netscape.com/client.html - Netscape's security tools including
signtool
http://developer.netscape.com/docs/manuals/index.html?content=security.html - CERT advisories -- a comprehensive list of security related problems with suggested remedial action
http://www.cert.org/ - Applied CryptographyProtocols, Algorithms, and Source Code in C, 2nd Ed., Bruce Schneier (John Wiley and Sons, 1996) -- a fascinating book on the science and politics of cryptography
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471128457 - RSA Labs' FAQ about today's cryptographyftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt