详解 标记Applets, 浏览器和文件访问

文章来源: http://java.sun.com/developer/technicalArticles/Security/Signed/

 

Monica Pawlan and Satya Dodda
4月 1998
翻译:cuile Blog

你是否曾经问自己"我怎么才能标记一个applet让它可以访问本地系统资源?",或者"为什么applet可以在Applet Viewer中工作,但不能在我的浏览器中工作?".这篇详解将回答这些问题,并向你展示如何标记一个applet,访问本地文件和顺利的运行它.

根据默认值,applets不能访问它们运行目录以外的系统资源,但是一个标记过的applet可以根据本地系统的安全策略访问本地系统资 源. Java Development Kit (JDK) 1.2 提供了安全工具,因此终端用户和系统管理员能够标记applets和应用程序,并通过策略文件定义它们的本地安全策略,多少本地系统资源是标记 applet和应用可以访问的.

Web 浏览器

一个JDK 1.2 applet 能够运行在浏览器或Applet Viewer里. 如果一个applet试图访问本地系统资源,applet必须标记并且本地系统必须有一个策略文件配置允许访问. 如果一个 JDK 1.2 applet 不能在你的浏览器中工作,可能因为你的浏览器没有安装 JDK 1.2, 或者applet没有标记, 又或者你没有适当的配置策略文件.

你能够不受操作系统或浏览器的限制升级JAVA平台. 更多信息请看 Project Java Activator .

本地文件访问

当JDK 1.2的applet访问运行文件夹以外的本地系统资源时,applet必须确认外部访问的是那些资源. applet确认访问资源是通过装载包含一个或多个URL资源的策略文件指定的. 当applet启动时,它必须启动策略文件以获得链接. 有时需要在策略文件里指定applet可以访问标记的URL同时不能访问其它未标记的.

例子

如果策略文件需要标记applet,如果它的签名正确applet就能够访问文件.如果applet的签名错误或没有签名,它将不能访问文件.策略 文件写操作的时候可能需要一个签名,但读的时候不需要.如果applet有正确的签名,它将能够写,但如果它没有,那applet将只允许读.

Example

If a signature is needed for the access, the applet has to be bundled into a Java ARchive (JAR) file before it can be signed. This example shows you how to sign and grant permission to an applet so it can create newfile in the user's home directory when it executes in Applet Viewer. See the Security in JDK 1.2 trail in The Java Tutorial for additional information.

These files are used for the example. You can copy them to or create them in your working directory.

• SignedAppletDemo.java file containing the applet code
• Write.jp policy file granting access to the user's home directory
• Applet tag embedded in the SignedApplet.html file:

  <applet code="SignedAppletDemo.class"
  
              archive="SSignedApplet.jar"
  
              width=400 height=400>
  
              <param name=file value="/etc/inet/hosts">
  
              </applet>
  
              
  
              

  
  

Usually an applet is bundled and signed by one person and handed off to another who verifies the signature and runs the applet. In this example, Susan performs Steps 1 through 5 and Ray performs Steps 6 through 8. But, to keep things simple, all steps occur in the same working directory.

1. Compile the applet
2. Create a JAR file
3. Generate Keys
4. Sign the JAR file
5. Export the Public Key Certificate
6. Import the Certificate as a Trusted Certificate
7. Create the policy file
8. Run the applet

Susan

Susan bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.

1. Compile the Applet

   In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.

   javac SignedAppletDemo.java

2. Make a JAR File

    

   Susan then makes the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.

   jar cvf SignedApplet.jar SignedAppletDemo.class

3. Generate Keys

    

   Susan creates a keystore database named susanstore that has an entry for a newly generated public and private key pair with the public key in a certificate.

   A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.

   In her working directory, Susan creates a keystore database and generates the keys:

   keytool -genkey -alias signFiles -keystore susanstore -keypass kpi135 -dname "cn=jones" -storepass ab987c

   This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.

   The generated key pair is stored in a keystore database called susanstore (-keystore susanstore) in the current directory, and accessed with the susanstore password (-storepass ab987c).

   The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.

   You can view all keytool options and parameters by typing:

   keytool -help

4. Sign the JAR File

    

   JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.

   jarsigner -keystore susanstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles

   The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.

5. Export the Public Key Certificate

    

   The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.

   The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.

   5: Export the Public Key Certificate

   The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.

   In her working directory, Susan uses keytool to copy the certificate from susanstore to a file named SusanJones.cer as follows:

   keytool -export -keystore susanstore -storepass ab987c -alias signFiles -file SusanJones.cer

Ray

Ray receives the JAR file from Susan, imports the certificate, creates a policy file granting the applet access, and runs the applet.

6. Import Certificate as a Trusted Certificate

    

   Ray has received SSignedApplet.jar and SusanJones.cer from Susan. He puts them in his home directory. Ray must now create a keystore database (raystore) and import the certificate into it. Ray uses keytool in his home directory /home/ray to import the certificate:

   keytool -import -alias susan -file SusanJones.cer -keystore raystore -storepass abcdefgh

7. Create the Policy File

    

   The policy file grants the SSignedApplet.jar file signed by the alias susan permission to create newfile (and no other file) in the user's home directory.

   Ray creates the policy file in his home directory using either policytool or an ASCII editor.

   keystore "/home/ray/raystore";
   
               // A sample policy file that lets a JavaTM program 
   
               // create newfile in user's home directory
   
               // Satya N Dodda
   
               
   
               grant SignedBy "susan" {
   
               permission java.util.PropertyPermission 
   
               "user.home", "read"
   
               permission java.io.FilePermission 
   
               "${user.home}/newfile", "write"
   
               };
   
               

   
   

8. Run the Applet in Applet Viewer

    

   Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:

   appletviewer -J-Djava.security.policy=Write.jp 
   
       http://aURL.com/SignedApplet.html
   
       

   Note: Type everything on one line and put a space after Write.jp

   The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.

   Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.

Signed Applets in JDK 1.1

JDK 1.1 signed applets can access local system resources if the local system is properly set up to allow it. See the JDK 1.1 Signed Applet Example page for details.

Conclusion

It is easy to use the JDK 1.2 security tools to sign a JAR file and allow an applet or application access to only certain specific local resources. Just remember a JDK 1.2 applet will not run in a browser that is not enabled for JDK 1.2.

The JDC has a related article on security tools that explains the new JDK 1.2 security architecture and tools in more detail.

Visit the Security page on java.sun.com for documents that describe the JDK 1.2 security architecture, policy file, and keytool and jarsigner tools.

Monica Pawlan, a staff writer for the Java Developer Connection (JDC), is author of Essentials of the Java Programming Language: A Hands-On Guide (Addison-Wesley, 2000), and co-author of Advanced Programming for the Java 2 Platform (Addison-Wesley, 2000).

Satya Dodda is a JavaSoft engineer working in the security area.