Java Security & Applets

This web page has information on Java Security.

• General Information.
  • Web browsers allow downloaded Java applets to execute within a limited context called the "applet sandbox".  Applet's are not allowed to access your local file system or network connections unless the applet is given permission by a system administrator who creates a digital signature (ie: signed applet aka trusted applet).
  • There have been major changes between Security in JDK 1.1 and Java 2 JDK 1.2.  JDK 1.3 & JDK 1.2 seems to be identical.
    • On version 1.1 of the Java platform, a trusted applet has the same freedom to perform operations as a local application. On version 1.2 of the platform, a trusted applet would have freedoms as specified by the policy file in force.
    • JDK1.1 - "trusted applets" have permission like local applications.
    • JDK 1.2 use policy files for permissions.
    • JDK 1.3 use policy files for permissions.
  • JDK 1.1 Trusted Applets
    Summary of process
    • Signer signs the JAR file using a private key (use JavaKey.exe)
    • You obtain a digital certificate from a "certification authority" - companies that specializing in digital security (like Verisign)
    • The Public key is placed in the JAR file along with a digital certificate.
  • JDK 1.2/1.3 Trusted Applets - depending on the browsers implementation of Java you will probably need to load the Java Plug-in to be able to use JDK 1.2 policy files (ie: IE 5 & NS 4).  Netscape 6 implements the JDK 1.2 without a Java Plug-In.
    • Digital Certificates are not needed.  (use keytool.exe & jarsigner.exe)
    • Use PolicyTool.exe to create the policy files with the neccessary permissions.
  • In Java2 JDK1.2, reading or writing a file, are not permitted for applets unless explicitly allowed by a permission in a policy file.  JDK 1.1 is much harder to implement because your Applet must be digital signed to be trusted.  With JDK 1.2 you can also apply security constraints to Java applications.
  • The Java^™ 2 Standard Edition Runtime Environment includes the Java Plug-In.
  • With Java 2, you can configure the Java Plug-In via the control panel's icon "Java Plug-In".
  • You can optionally sign a JAR file with your electronic "signature." Users who verify your signature can grant your JAR-bundled software security privileges that it wouldn't ordinarily have. Conversely, you can verify the signatures of signed JAR files that you want to use.
• Good Books
  • Java in a Nutshell by O'Reilly 3rd Edition - CH 5 - Java Security.
  • Java Examples in a Nutshell by O'Reilly 2nd Edition - CH 6 Security and Cryptography
• Java Tooldocs
  • http://java.sun.com/j2se/1.3/docs/tooldocs/tools.html - Java 2 JDK 1.3
    • JDK1.2 Tools:  policytool.exe, keytool.exe, jarsigner.exe
• Java Plug-in (Windows & MAC)
  • http://java.sun.com/products/plugin - Sun's Java Plugin allows access to the latest JRE (Java Runtime Environment) instead of your browsers JRE.  At the bottom of the web page is some links to examples that will test your install.
    • Download JRE - Installs the Java Plugin.
    • Download HTML Converter - Converts the HTML <applet> tags to work with the Java plugin.
  • www.apple.com/java - MAC JRE.
  • Resources on using Java Plugin
    • http://java.sun.com/products/plugin/1.1.1/docs/tags.html
• Tutorial for JDK1.2 Java Applets & Local File Systems
  • Java Tutorials on Security
    • http://java.sun.com/docs/books/tutorial/security1.2/index.html - JDK1.2
    • http://java.sun.com/docs/books/tutorial/security1.1/index.html - JDK1.1
  • http://java.sun.com/docs/books/tutorial/security1.1/index.html - 
  • Deploying RSA Signed Applets - http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html
• Tutorial for JDK1.1 Java Applets & Local File Systems
  • http://java.sun.com/security/signExample - Sun's example and instructions on how to create a Signed Applet so that the Applet Security Manager will allow your applet to access the local file system using JDK1.1.  Example uses the Appletviewer.   In a real solution you will still need the Java Plug-In.
• Sun's Forums:  http://forum.java.sun.com
• Applet Security Manager
  • Applet Security Manager (AppletSecurity.java)
  • http://www.sun.com/960901/feature3/javasecure.html - Information on the Applet Security Manager.
  • http://java.sun.com/sfaq/ - FAQ's about Java Security. 
  • http://java.sun.com/docs/books/tutorial/jar/ - Java Tutorial on JAR's.
  • http://java.sun.com/products/jdk/1.1/docs/tooldocs/win32/jar.html - the jar tool (Note: JDK1.1 includes support for digital signatures using the JAR and manifest specifications.)
  • http://java.sun.com/products/jdk/1.1/docs/guide/jar/manifest.html - Jar Signing.
  • http://java.sun.com/products/jdk/1.1/docs/tooldocs/win32/javakey.html - JavaKey - Java Security Key.
  • http://java.sun.com/security/codesign/ - Draft Specifications for Digital Signing
• MAC - Examples of Applets & local file systems
  • http://developer.apple.com/technotes/tn/tn1175.html - How to sign an applet to run on MAC.

Trusted Applets (IE & Netscape)

Since the browser implements the security model you need to study each browser.

• IE (Signing a CAB file)
  • http://www.microsoft.com/java/security/default.htm - IE's Java Security Overview.
    • http://www.microsoft.com/java/security/secfaq.htm.
  • http://www.microsoft.com/java/sdk/default.htm - Microsoft SDK for Java.  For application an applet developers.
  • http://support.microsoft.com/support/kb/articles/Q193/8/77.ASP - HOWTO: Making your Java Code Trusted in Internet Explorer
  • http://support.microsoft.com/support/kb/articles/Q177/1/68.ASP - INFO: How does the VM search for Java Classes?
  • http://support.microsoft.com/support/java/
  • Make an Applet trusted by placing the file in a signed cabinet file, or by placing the class in the classpath
  • CABARC.exe - Microsoft's utility to create CAB files.
    Dubuild.exe utility in the SDK for Java
    You sign a CAB using the Signcode.exe utility in the SDK
    for Java.
  • You can sign a CAB file by using the Authenticode mechanism.
  • For your classes to run with permissions above the sandbox level, the classes must be delivered to the client computer
    inside a signed cabinet (CAB) file. When you sign the CAB file, you also must specify the permissions that the contained
    classes require.  You must sign your cabinet file with the appropriate permissions. -Low or -LowX permission will guarantee you have appropriate access or you may sign with the appropriate granular permissions using an ini file passed to Signcode.exe
  • Associate CAB's with an Applet.
    • <applet CODE="a.class" WIDTH="100" HEIGHT="100">
      <param NAME="cabbase" VALUE="abc.cab">
      </applet>
  • Sing an Applet - use JavaKey.exe by Sun.
• Netscape
  • Digitally sign Jar files.
    • ZIGbert - Netscape utility.
    • GUIJAR Archiver - Netscape utility.
  • http://developer.netscape.com/support/faqs/champions/security.html - DevEdge Newsgroups FAQ's about Security.
  • http://developer.netscape.com/docs/manuals/signedobj/overview.html - DevEdge Object Signing Resources.
  • http://www.codeguru.com/java/articles/505.shtml - Sign an Applet.  The below are additional pages at the same web directory.
    • 505.shtml - Sign an Applet.  Use Netscape's utilities: ZIGbert or GUIJAR 
    • 506.shtml - Bypass the need for a certificate when granting local file access to applets.
    • 507.shtml - Start an executable on the client.
    • 508.shtml - Read/Write an local file from an Applet.
  • http://java.sun.com/security/signExample/writeFile.java - Example in Netscape.
    
• IE & Netscape resources
  • http://www.coe.uncc.edu/~spradhip/jug/Security.html - IE & Netscape information.
• Miscellaneous Links & Notes

  	http://www.codeguru.com/java/articles/547.shtml - Using a Jar/Zip/CAB file with an Applet.
  	Trusted applets: http://manuals.sybase.com/onlinebooks/group-pj/pjg0350e/pjprgd/@Generic__BookTextView/17857
  	Object-Signing Tools:  http://developer.netscape.com/software/signedobj/jarpack.html
  	Netscape Signing Tool: http://developer.netscape.com/docs/manuals/cms/41/adm_gide/app_sign.htm#1012681
  	Which certificate should I get - Thawte - A veriSign Company: http://www.thawte.com/support/developer/whichone.html
  	Creating signed CAB file: http://kitap.ankara.edu.tr/1575211580/jak15.htm
  	http://www.verisign.com/developer/rsc/gd/signing/
  	http://mindprod.com/capabilities.html - Kinds of permissions you can grant (Netscape)
  	http://developer.netscape.com/quickfind.cgi?cp=dev01qfin - Kinds of permissions you can grant (Netscape)

My Examples

• Java PlugIn & PolicyTool (Applet writes to a local file)
• Flash & Java Plugin using Applet to write to a file
• Signed Applets & Writing to a local file