
Java Applet Security


komala

Presentation Transcript


  1. Foundations of Java Security: Java Applet Security

  2. What is an Applet?

  3. PIG PIGLET

  4. APPLE APPLET

  5. An Applet is a graphical Java program, downloadable over a network, that executes inside a web browser or applet viewer. Applet Security refers to the various requirements for securely running Java code downloaded from a network.

  6. JDK 1.0: Sandbox approach
      • Trust all standalone Java applications
      • Does not trust any applet downloaded from the network

  7. JDK 1.1: Enhanced the original sandbox approach
      • Trust all standalone Java applications
      • Certain applets can be trusted. Trusted applets are given unrestricted access

  8. JDK 1.2: Method of Least Privilege
      Specify a security policy that determines what an applet or application is allowed to do based on:
      • Source
      • Identities of those who signed it

  9. Example: The ReadFileApplet
      What it does:
      • Read C:\autoexec.bat
      • Display the contents of C:\autoexec.bat in a text area inside the applet

  10. Java Code

      import java.applet.*;
      import java.awt.*;
      import java.awt.event.*;
      import java.io.*;

      public class ReadFileApplet extends Applet {
          TextArea text = new TextArea();
          Button goButton = new Button("Read Local File");
          Panel panel = new Panel();
          String fileName = "";

          public void init() {
              // The file to read is supplied by the hosting page's <PARAM> tag.
              fileName = getParameter("fileName");
              setLayout(new BorderLayout());
              goButton.addActionListener(new ButtonHandler());
              panel.add(goButton);
              add("North", panel);
              add("Center", text);
          }

  11. Java Code (continued)

          class ButtonHandler implements ActionListener {
              public void actionPerformed(ActionEvent e) {
                  String s = e.getActionCommand();
                  if ("Read Local File".equals(s)) {
                      FileInputStream inStream = null;
                      try {
                          // Opening a local file from downloaded code is the
                          // operation the sandbox rejects (see the next slide).
                          inStream = new FileInputStream(fileName);
                          int inBytes = inStream.available();
                          byte inBuf[] = new byte[inBytes];
                          int bytesRead = inStream.read(inBuf, 0, inBytes);
                          text.setText(new String(inBuf, 0, bytesRead));
                      } catch (Exception ex) {
                          text.setText(ex.toString());
                      } finally {
                          if (inStream != null) {
                              try { inStream.close(); } catch (IOException ignored) { }
                          }
                      }
                  }
              }
          }
      } // End of Code

  12. HTML Code

      <HTML>
      <HEAD>
      <TITLE>An Applet that reads local files</TITLE>
      </HEAD>
      <BODY>
      <H1>An Applet that reads local files.</H1>
      <APPLET CODE="ReadFileApplet.class" HEIGHT=300 WIDTH=600>
      <PARAM NAME="fileName" VALUE="C:\AUTOEXEC.BAT">
      Text displayed by browsers that are not Java-enabled.
      </APPLET>
      </BODY>
      </HTML>

  13. Security Exception

  14. 3 Steps:
      • Create the JAR file
      • Sign the JAR file
      • Specify the applet security policy

  15. Create the JAR File
      JAR: Java ARchive. The JAR tool provides functions similar to a normal compression utility, but it also makes it more efficient for Java-enabled browsers to load the files used by an applet, application or API, by combining multiple files into one JAR file:
      • Only one HTTP connection is required
      • Reduces the time to download an applet

      jar cf rfa.jar ReadFileApplet*.class

  16. Sign the JAR File
      Important concepts:
      • The keystore: a password-protected database that holds private keys and certificates (located in the user.home directory, e.g. C:\Windows)
      • Keystore entry: a private key and an X.509 certificate chain that authenticates the associated public key

      keytool -genkey -alias "someone"
      Enter Passphrase for keystore: 123456
      jarsigner rfa.jar "someone"
      Enter Passphrase for keystore: 123456

  17. Specify the Applet Security Policy
      Add the following lines to .java.policy (located in java.home\lib\security, e.g. C:\jdk1.2.2\jre\lib\security\):

      keystore "file:/C:/Windows/.keystore";
      grant {
          permission java.io.FilePermission "/AUTOEXEC.BAT", "read", signedBy "someone";
      };
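The decision that the grant above encodes, and the JDK 1.2 "source and signer" rule of slide 8, as an added example that is not from the slides: a small model of the Java 2 policy lookup built on the real java.security permission classes. The class name PolicyDecisionDemo, the codeBase restriction, the URLs applets.example and mirror.example, and the alias-based signer matching are assumptions of this example; the JRE compares certificate chains resolved through the keystore rather than alias strings.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Added example (not from the slides): a miniature of the Java 2 policy
 * decision. A grant pairs an optional codeBase and an optional signedBy with a
 * set of Permissions; a class's code source (URL + signers) is matched against
 * every grant and the union of matching permissions is what the class may do.
 * Signers are modelled here as keystore alias strings (a simplification).
 */
public class PolicyDecisionDemo {

    /** One "grant { ... }" block from a policy file, simplified. */
    static final class Grant {
        final CodeSource codeBase;   // null = any location
        final String signedBy;       // null = no signer requirement
        final Permissions permissions = new Permissions();

        Grant(String codeBaseUrl, String signedBy) throws Exception {
            this.codeBase = codeBaseUrl == null
                    ? null
                    : new CodeSource(new URI(codeBaseUrl).toURL(), (Certificate[]) null);
            this.signedBy = signedBy;
        }

        Grant add(Permission p) { permissions.add(p); return this; }

        /** Does this grant apply to code from the given location with these signers? */
        boolean appliesTo(URL location, Set<String> signers) {
            // CodeSource.implies applies the real "/-" and "/*" codeBase wildcard rules.
            if (codeBase != null) {
                CodeSource actual = new CodeSource(location, (Certificate[]) null);
                if (!codeBase.implies(actual)) return false;
            }
            return signedBy == null || signers.contains(signedBy);
        }
    }

    /** The downloaded class: where it came from and who signed it. */
    static final class CodeIdentity {
        final URL location;
        final Set<String> signers;
        CodeIdentity(String location, Set<String> signers) throws Exception {
            this.location = new URI(location).toURL();
            this.signers = signers;
        }
    }

    private final List<Grant> grants = new ArrayList<>();

    PolicyDecisionDemo grant(Grant g) { grants.add(g); return this; }

    /** The check the security manager performs before the file is opened. */
    boolean permits(CodeIdentity code, Permission requested) {
        for (Grant g : grants) {
            if (g.appliesTo(code.location, code.signers) && g.permissions.implies(requested)) {
                return true;
            }
        }
        return false;   // no matching grant: the runtime throws a SecurityException
    }

    public static void main(String[] args) throws Exception {
        // The slides' grant, plus an assumed codeBase so that both halves of the
        // JDK 1.2 rule (source and signer) are exercised:
        //   grant codeBase "http://applets.example/-", signedBy "someone" {
        //       permission java.io.FilePermission "/AUTOEXEC.BAT", "read";
        //   };
        PolicyDecisionDemo policy = new PolicyDecisionDemo()
                .grant(new Grant("http://applets.example/-", "someone")
                        .add(new FilePermission("/AUTOEXEC.BAT", "read")));

        Permission readAutoexec  = new FilePermission("/AUTOEXEC.BAT", "read");
        Permission writeAutoexec = new FilePermission("/AUTOEXEC.BAT", "write");

        // Constructed identities: the same JAR name, differing in signature or origin.
        Set<String> nobody  = Collections.emptySet();
        Set<String> someone = Collections.singleton("someone");
        CodeIdentity unsigned  = new CodeIdentity("http://applets.example/rfa.jar", nobody);
        CodeIdentity signed    = new CodeIdentity("http://applets.example/rfa.jar", someone);
        CodeIdentity elsewhere = new CodeIdentity("http://mirror.example/rfa.jar", someone);

        System.out.println("unsigned jar, read  -> " + policy.permits(unsigned, readAutoexec));  // no signer: no grant matches
        System.out.println("signed jar,   read  -> " + policy.permits(signed, readAutoexec));    // the case the slides make work
        System.out.println("signed jar,   write -> " + policy.permits(signed, writeAutoexec));   // only "read" was granted
        System.out.println("other host,   read  -> " + policy.permits(elsewhere, readAutoexec)); // codeBase does not match
    }
}
```

Run it with `java PolicyDecisionDemo`. The third and fourth cases are the point of least privilege: a signature earns exactly the listed permission on the listed file, not write access and not access from a different code base. For orientation, the runtime reads the system-wide file java.policy under java.home/lib/security and a per-user .java.policy in user.home; the file name on the slide matches the per-user form.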

  18. HTML Code

      <HTML>
      <HEAD>
      <TITLE>An Applet that reads local files</TITLE>
      </HEAD>
      <BODY>
      <H1>An Applet that reads local files.</H1>
      <APPLET CODE="ReadFileApplet.class" ARCHIVE="rfa.jar" HEIGHT=300 WIDTH=600>
      <PARAM NAME="fileName" VALUE="C:\AUTOEXEC.BAT">
      Text displayed by browsers that are not Java-enabled.
      </APPLET>
      </BODY>
      </HTML>

  19. Success!!!

  20. Applet Deployment under Java 2 Version 1.2
      • By default, the ReadFileApplet generated a security exception due to the restrictions placed on downloaded code.
      • We had to create a signed JAR file using our own key pair.
      • To overcome the restrictions, we granted permissions based on the signer.
      • Finally, we were able to run the code without generating an exception.
      • Be aware that to run signed applet code from the Internet, we have to import the signer's public key into the keystore and give it privileges before we can run the code.

  21. Evolution to Java 2 Version 1.3
      • Every class loaded from a JAR file has a codesource, which contains:
          • Location (URL)
          • Certificates
      • The PluginClassLoader will extract the certificates and pass them to the browser, which will verify them.
      • If verification is successful, the browser will prompt the user as follows:
          • Grant permission for this session
          • Don't grant permission
          • Grant permission always
          • More information
      • usePolicy permission: only the permissions specified in the security policy will be granted, and no prompting will take place.
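The verification step described on this slide, applied to a JAR produced by the jarsigner command of slide 16, as an added example that is not from the slides: the JDK's JarFile re-checks every entry's digest against the META-INF signature files while the entry is read, which is what a plugin class loader relies on before extracting certificates for the browser. The class name JarSignerCheck, the temporary sample JAR and its placeholder class bytes are constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

/**
 * Added example (not from the slides): report, per JAR entry, whether it is
 * covered by a valid signature and by whom. An entry modified after signing
 * fails its digest check (SecurityException); an entry without a signature has
 * no CodeSigners and would run with sandbox permissions only.
 */
public class JarSignerCheck {

    /** Result for one entry: who vouched for it (empty = unsigned). */
    static final class EntryReport {
        final String name;
        final List<String> signerDNs = new ArrayList<>();
        boolean tampered;
        EntryReport(String name) { this.name = name; }
        boolean isSigned() { return !signerDNs.isEmpty() && !tampered; }
    }

    /** Read every non-directory entry fully so JarFile verifies it, then collect its signers. */
    static List<EntryReport> inspect(File jar) throws IOException {
        List<EntryReport> reports = new ArrayList<>();
        // verify=true (the default); with false none of the checks below happen.
        try (JarFile jf = new JarFile(jar, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                EntryReport r = new EntryReport(e.getName());
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(new ByteArrayOutputStream()); // consume fully: verification happens here
                    CodeSigner[] signers = e.getCodeSigners();  // only meaningful after the entry is fully read
                    if (signers != null) {
                        for (CodeSigner s : signers) {
                            X509Certificate leaf =
                                (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                            r.signerDNs.add(leaf.getSubjectX500Principal().getName());
                        }
                    }
                } catch (SecurityException se) {
                    r.tampered = true; // digest mismatch: content changed after signing
                }
                reports.add(r);
            }
        }
        return reports;
    }

    /** Constructed sample input: an unsigned JAR in a temp file, standing in for rfa.jar before jarsigner ran. */
    static File unsignedSampleJar() throws IOException {
        File f = Files.createTempFile("rfa", ".jar").toFile();
        f.deleteOnExit();
        Manifest mf = new Manifest();
        mf.getMainAttributes().putValue("Manifest-Version", "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(f.toPath()), mf)) {
            out.putNextEntry(new JarEntry("ReadFileApplet.class"));
            // Placeholder bytes (the class-file magic number), not a real compiled class.
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
            out.closeEntry();
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Pass a JAR path (for instance rfa.jar after jarsigner) as the argument;
        // without one, the unsigned sample is inspected.
        File jar = args.length > 0 ? new File(args[0]) : unsignedSampleJar();
        for (EntryReport r : inspect(jar)) {
            String verdict = r.tampered ? "TAMPERED (reject)"
                           : r.isSigned() ? "signed by " + r.signerDNs
                           : "unsigned (sandbox only)";
            System.out.println(r.name + ": " + verdict);
        }
    }
}
```

`java JarSignerCheck rfa.jar` after the jarsigner step prints the signer's subject DN for each class entry; without an argument it reports the constructed sample as sandbox-only. A JAR whose class files were altered after signing is reported as tampered, which is the failure the digest check exists to catch, and the reason the certificates must never be trusted before every entry they cover has been read and verified.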

  22. Conclusion
      Applet security is an integral part of providing a flexible and secure environment for running code downloaded from the Internet.

  23. The End
