Java Security & Applets

This web page has information on Java Security.

General Information.

Web browsers allow downloaded Java applets to execute within a limited context called the "applet sandbox". Applet's are not allowed to access your local file system or network connections unless the applet is given permission by a system administrator who creates a digital signature (ie: signed applet aka trusted applet).

There have been major changes between Security in JDK 1.1 and Java 2 JDK 1.2. JDK 1.3 & JDK 1.2 seems to be identical.

	On version 1.1 of the Java platform, a trusted applet has the same freedom to perform operations as a local application. On version 1.2 of the platform, a trusted applet would have freedoms as specified by the policy file in force.
	JDK1.1 - "trusted applets" have permission like local applications.
	JDK 1.2 use policy files for permissions.
	JDK 1.3 use policy files for permissions.

JDK 1.1 Trusted Applets
Summary of process

	Signer signs the JAR file using a private key (use JavaKey.exe)
	You obtain a digital certificate from a "certification authority" - companies that specializing in digital security (like Verisign)
	The Public key is placed in the JAR file along with a digital certificate.

JDK 1.2/1.3 Trusted Applets - depending on the browsers implementation of Java you will probably need to load the Java Plug-in to be able to use JDK 1.2 policy files (ie: IE 5 & NS 4). Netscape 6 implements the JDK 1.2 without a Java Plug-In.

	Digital Certificates are not needed. (use keytool.exe & jarsigner.exe)
	Use PolicyTool.exe to create the policy files with the neccessary permissions.

In Java2 JDK1.2, reading or writing a file, are not permitted for applets unless explicitly allowed by a permission in a policy file. JDK 1.1 is much harder to implement because your Applet must be digital signed to be trusted. With JDK 1.2 you can also apply security constraints to Java applications.

The Java^™ 2 Standard Edition Runtime Environment includes the Java Plug-In.

With Java 2, you can configure the Java Plug-In via the control panel's icon "Java Plug-In".

You can optionally sign a JAR file with your electronic "signature." Users who verify your signature can grant your JAR-bundled software security privileges that it wouldn't ordinarily have. Conversely, you can verify the signatures of signed JAR files that you want to use.

Good Books

	Java in a Nutshell by O'Reilly 3rd Edition - CH 5 - Java Security.
	Java Examples in a Nutshell by O'Reilly 2nd Edition - CH 6 Security and Cryptography

Java Tooldocs

http://java.sun.com/j2se/1.3/docs/tooldocs/tools.html - Java 2 JDK 1.3

JDK1.2 Tools: policytool.exe, keytool.exe, jarsigner.exe

Java Plug-in (Windows & MAC)

http://java.sun.com/products/plugin - Sun's Java Plugin allows access to the latest JRE (Java Runtime Environment) instead of your browsers JRE. At the bottom of the web page is some links to examples that will test your install.

	Download JRE - Installs the Java Plugin.
	Download HTML Converter - Converts the HTML <applet> tags to work with the Java plugin.

www.apple.com/java - MAC JRE.

Resources on using Java Plugin

http://java.sun.com/products/plugin/1.1.1/docs/tags.html

Tutorial for JDK1.2 Java Applets & Local File Systems

Java Tutorials on Security

	http://java.sun.com/docs/books/tutorial/security1.2/index.html - JDK1.2
	http://java.sun.com/docs/books/tutorial/security1.1/index.html - JDK1.1

http://java.sun.com/docs/books/tutorial/security1.1/index.html -

Deploying RSA Signed Applets - http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html

Tutorial for JDK1.1 Java Applets & Local File Systems

http://java.sun.com/security/signExample - Sun's example and instructions on how to create a Signed Applet so that the Applet Security Manager will allow your applet to access the local file system using JDK1.1. Example uses the Appletviewer. In a real solution you will still need the Java Plug-In.

Sun's Forums: http://forum.java.sun.com

Applet Security Manager

	Applet Security Manager (AppletSecurity.java)
	http://www.sun.com/960901/feature3/javasecure.html - Information on the Applet Security Manager.
	http://java.sun.com/sfaq/ - FAQ's about Java Security.
	http://java.sun.com/docs/books/tutorial/jar/ - Java Tutorial on JAR's.
	http://java.sun.com/products/jdk/1.1/docs/tooldocs/win32/jar.html - the jar tool (Note: JDK1.1 includes support for digital signatures using the JAR and manifest specifications.)
	http://java.sun.com/products/jdk/1.1/docs/guide/jar/manifest.html - Jar Signing.
	http://java.sun.com/products/jdk/1.1/docs/tooldocs/win32/javakey.html - JavaKey - Java Security Key.
	http://java.sun.com/security/codesign/ - Draft Specifications for Digital Signing

MAC - Examples of Applets & local file systems

http://developer.apple.com/technotes/tn/tn1175.html - How to sign an applet to run on MAC.

Trusted Applets (IE & Netscape)

Since the browser implements the security model you need to study each browser.

IE (Signing a CAB file)

http://www.microsoft.com/java/security/default.htm - IE's Java Security Overview.

http://www.microsoft.com/java/security/secfaq.htm.

http://www.microsoft.com/java/sdk/default.htm - Microsoft SDK for Java. For application an applet developers.

http://support.microsoft.com/support/kb/articles/Q193/8/77.ASP - HOWTO: Making your Java Code Trusted in Internet Explorer

http://support.microsoft.com/support/kb/articles/Q177/1/68.ASP - INFO: How does the VM search for Java Classes?

http://support.microsoft.com/support/java/

Make an Applet trusted by placing the file in a signed cabinet file, or by placing the class in the classpath

CABARC.exe - Microsoft's utility to create CAB files.
Dubuild.exe utility in the SDK for Java
You sign a CAB using the Signcode.exe utility in the SDK
for Java.

You can sign a CAB file by using the Authenticode mechanism.

For your classes to run with permissions above the sandbox level, the classes must be delivered to the client computer
inside a signed cabinet (CAB) file. When you sign the CAB file, you also must specify the permissions that the contained
classes require. You must sign your cabinet file with the appropriate permissions. -Low or -LowX permission will guarantee you have appropriate access or you may sign with the appropriate granular permissions using an ini file passed to Signcode.exe

Associate CAB's with an Applet.

Sing an Applet - use JavaKey.exe by Sun.

Netscape

Digitally sign Jar files.

	ZIGbert - Netscape utility.
	GUIJAR Archiver - Netscape utility.

http://developer.netscape.com/support/faqs/champions/security.html - DevEdge Newsgroups FAQ's about Security.

http://developer.netscape.com/docs/manuals/signedobj/overview.html - DevEdge Object Signing Resources.

http://www.codeguru.com/java/articles/505.shtml - Sign an Applet. The below are additional pages at the same web directory.

	505.shtml - Sign an Applet. Use Netscape's utilities: ZIGbert or GUIJAR
	506.shtml - Bypass the need for a certificate when granting local file access to applets.
	507.shtml - Start an executable on the client.
	508.shtml - Read/Write an local file from an Applet.

http://java.sun.com/security/signExample/writeFile.java - Example in Netscape.

IE & Netscape resources

http://www.coe.uncc.edu/~spradhip/jug/Security.html - IE & Netscape information.

Miscellaneous Links & Notes

	http://www.codeguru.com/java/articles/547.shtml - Using a Jar/Zip/CAB file with an Applet.
	Trusted applets: http://manuals.sybase.com/onlinebooks/group-pj/pjg0350e/pjprgd/@Generic__BookTextView/17857
	Object-Signing Tools: http://developer.netscape.com/software/signedobj/jarpack.html
	Netscape Signing Tool: http://developer.netscape.com/docs/manuals/cms/41/adm_gide/app_sign.htm#1012681
	Which certificate should I get - Thawte - A veriSign Company: http://www.thawte.com/support/developer/whichone.html
	Creating signed CAB file: http://kitap.ankara.edu.tr/1575211580/jak15.htm
	http://www.verisign.com/developer/rsc/gd/signing/
	http://mindprod.com/capabilities.html - Kinds of permissions you can grant (Netscape)
	http://developer.netscape.com/quickfind.cgi?cp=dev01qfin - Kinds of permissions you can grant (Netscape)

My Examples

	Java PlugIn & PolicyTool (Applet writes to a local file)
	Flash & Java Plugin using Applet to write to a file
	Signed Applets & Writing to a local file