Академический Документы
Профессиональный Документы
Культура Документы
Topics
The Java Plug-in Signed Applets in Netscape Signed Applets in MS Internet Explorer Secure JDBC Connection for Applets
2
Policy-based
Security policy limits the resources a program can use java.policy Actions that are allowed
Permissions
The Sandbox
Memory
Operating System Local Code Java Virtual Machine
Sandbox Applet
HTTP
Server Client
Many reasons for stepping outside the sandbox Java 2 Security Modeltwo methods
The client can grant permissions by editing the policy file, java.policy The developer can use an RSA-signed applet that can be granted or denied permission by the client
5
Edit
Policy Applet
HTTP
Server Client
Server Client
Verifies the signer
Certificate Authority
7
Consistent runtime environment for Java Supports all Java functions Can be called instead of the browsers VM Part of JDK and JRE Downloaded the first time it is needed by browser
8
Advantages
Consistency across browsers Java capabilities provided to old browsers Same security model as Java 2
Major browsers had different security models Differences require different development
Weakness
Huge download5 to 6 MB
9
Stepping out of the sandbox, method 1 Create an applet, Java Security, p. 205
public void init() { try { mUsername = System.getProperty("user.name"); } catch( SecurityException e ) { mUsername = null; } } <APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200"></APPLET>
10
11
UsernameApplet.policy
grant codeBase "file:${/}devJava${/}*" { permission java.util.PropertyPermission "user.name", "read"; }; appletviewer -J-Djava.security.policy=UsernameApplet.policy UsernameApplet.html
12
13
HTMLConverter
For IE, converts to OBJECT element For NS, converts to EMBED element
14
15
2. Edit java.policy
Open UsernameApplet.HTML
17
Stepping out of the sandbox, method 2 Real deployment requires a certificate from Verisign or Thawte Jarsigner can sign applets If the Java plug-in finds an RSA-signed digital certificate in a downloaded JAR
Checks security policy for usePolicy Checks the signatures CA Then asks user if its okay
18
19
Page 212 Create a csr file with -certreq Order a signed certificate from a CA
Double-click on the filename Click on the Install Certificate button Follow the steps in the Wizard, pp. 210211
21
22
23
Click to Grant
24
Netscape 6 and 7 use the Java plug-in Netscape 4 uses its own security model
Applet asks for permission Called the Capabilities API Uses proprietary Netscape classes Incompatible with any other browser
25
public void init() { try { PrivilegeManager.enablePrivilege("UniversalPropertyRead"); mUsername = System.getProperty("user.name"); PrivilegeManager.revertPrivilege("UniversalPropertyRead"); } catch( SecurityException e ) { mUsername = null; } } C:\> javac -classpath .;capsapi_classes.zip UsernameNetscapeApplet.java
26
Click on the lock icon at the lower left Click on Certificate > Yours Click on Import a Certificate Set the password, then Cancel the import
27
Create a self-signed certificate and key Create a directory and put in the class Create a signed JAR Add an ARCHIVE attribute to the HTML Open the HTML file in Netscape, p. 220
28
Microsoft VM support discontinued Tools are no longer available Sun JRE is provided with IE
the U.S. District Court in Baltimore, Md. issued a preliminary injunction order requiring Microsoft to include the latest Java Runtime Environment (JRE) from Sun Microsystems inversions of the Microsoft Windows XP operating system or Microsoft Internet Explorer [5]
Highthe sandbox Mediumsome extras like disk scratch files Lowsame as AllPermission in Java 2 Customsimilar to policy file in Java 2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;172200
Cab files are used for signed applets Tools are in the Microsoft SDK for Java
(No longer available)
30
The problem
Firewalls interfere with the connection between a Java applet and an external db The applet uses an IDS JDBC driver to connect to an IDS server using HTTPS
31
The client is behind a firewall. The proxy server relays the clients HTTP and/or HTTPS requests. Proxy relays HTTP requests
To provide Internet access Parses the content Assumes the connection is non-persistent and drops the connection Assumes that it cannot parse content Cannot drop connection until client does
32
Required conditions
Proxy allows outbound HTTPS connections Applet must obtain the browser proxy server setting Applet must be signed IDS server must use ports 443 or 563 Obtains the proxy settings Instance passed to the the IDS driver when it creates a connection to the db
33
Applet
JDBC
HTTPS
DB
Client
client-side firewall
35
Bibliography
[1] J. Garms and D. Somerfield. Professional Java Security. Birmingham, UK: Wrox Press Ltd., 2001, pp. 202228. [2] M. Pistoia, et al. Java 2 Network Security, 2nd ed. New Jersey: Prentice Hall PTR, 1999. [3] J. Conallen. Building Web Applications with UML. AddisonWesley, 2000, pp. 7072. [4] Sun (n.d.). Developer Guide FAQs. [Online]. Available: http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_g uide/faq/developer.html [5] Microsoft (2003, Jan.). Microsoft VM Developer FAQ. [Online]. Available: http://www.microsoft.com/java/developerFAQ.htm [6] IDS Software (1999, Nov.). JDBC Connection via HTTPS Proxy. [Online]. Available: http://www.idssoftware.com/jdbchttps.html
36