1. JAVA SECURITY BASIC NETWORKING MULTITHREATING Deniz HASTORUN
Barış İbrahim SÖNMEZER

2. Security Architecture (JDK1.0)
The original security model provided by the Java platform, known as the "sandbox" model

3. Security Architecture (JDK1.1)
JDK 1.1 introduced the concept of : "signed applet"

4. Security Architecture (JDK1.2)
All code, regardless of whether it is local or remote, can now be subject to a security policy. The security policy defines the set of permissions.

5. Controlling Applets Observe Applet Restrictions
Set Up a Policy File to Grant the RequiredPermission
See the Policy File Effects

6. Observe Applet Restrictions
Currently JDK system code invokes security manager methods to perform resource access control checks.
Applets are not allowed to access resources unless it is explicitly granted permission to do so by the security policy in effect.
In Java platforms that are compatible with JDK 1.2, the permission must be granted by an entry in a policy file.

7. import java.awt.*;
import java.io.*;
import java.lang.*;
import java.applet.*;
public class WriteFile extends Applet {
String myFile = "writetest";
File f = new File(myFile);
DataOutputStream dos;
public void init() {
String osname = System.getProperty("os.name"); }
public void paint(Graphics g) {
try {
dos = new DataOutputStream(new BufferedOutputStream(new FileOutputStream(myFile),128));
dos.writeChars("Try to write to a file\n");
dos.flush();
g.drawString("Successfully wrote to the file named " + myFile + " look at it!", 10, 10); }
catch (SecurityException e) {
g.drawString("writeFile: caught security exception: " + e, 10, 10);
catch (IOException ioe) {
g.drawString("writeFile: caught i/o exception", 10, 10);
} } }
the source code for an applet named WriteFile that tries to create and to write to a file named writetest in the current directory

8. Compile : “ javac WriteFile.java “ -> Result : “ WriteFile.class “
WriteFile.html :
<html><p><applet code=WriteFile.class width=750 height=150></applet>
<p></html>
The system caught the applet trying to access a resource it doesn't have permission to access.

9. Set up a Policy File to Grant the Required Permission
A policy file is an ASCII text file and can be composed via a text editor or the graphical Policy Tool utility.
The Policy Tool saves you typing and eliminates the need for you to know the required syntax of policy files, thus reducing errors.
You will use the Policy Tool to create a policy file, in which you will add a policy entry that grants code from the directory where WriteFile.class is stored permission to write the writetest file.
Steps :
Start Policy Tool
Grant Required Permissions
Save the Policy File

10. Start Policy Tool
To start Policy Tool, simply type the following at the command line: “ policytool “
Whenever Policy Tool is started, it tries to fill in this window with policy information from what is sometimes referred to as the "user policy file".
Default policy file : “ ${user.home}/.java.policy “
If Policy Tool cannot find the user policy file, it reports the situation and displays a blank Policy Tool window (that is, a window with headings and buttons but no data in it)

11. Grant the Required Permission
Choose the Add Policy Entry button in the main Policy Tool window
The CodeBase and the SignedBy text boxes are used to specify which code you want to grant the permission(s) you will be adding.
A CodeBase value indicates the code source location.
A SignedBy value indicates the alias for a certificate stored in a keystore.
Choose the Add Permission button to bring up the Permissions dialog box.

12. Security Properties File
Whenever you run an applet, or an application with a security manager, the policy files that are loaded and used by default are the ones specified in the "security properties file", which is located at one of the following:
Windows: java.home\lib\security\java.security
UNIX: java.home/lib/security/java.security

13. Security Properties File
The default policy files, sometimes referred to as the system and user policy files, respectively, are defined in the security properties file as :
policy.url.1= file:${java.home}/lib/security/java.policy
policy.url.2 =
file:${user.home}/.java.policy
You can edit this file if you want to add another policy file.

14. How to Restrict Applications
A security manager is not automatically installed when an application is running.
To apply the same security policy to an application found on the local file system as to downloaded applets, you can invoke the interpreter with the new “-Djava.security.manager” command line argument.
Usage :
java -Djava.security.manager <Prog_name>

15. Summary of Security Tools
Policytool
Keytool
Jar
Jarsigner
are available to facilitate various security-related operations

16. Keystore
a protected database that holds keys and certificates for an enterprise
Access to a keystore is guarded by a password (defined at the time the keystore is created, by the person who creates the keystore, and changeable only when providing the current password).
Default keystore : ${user.home}/.keystore

17. Keytool Use keytool to manage your keystore, for example to
create public/private key pairs
issue certificate requests (which you send to the appropriate Certification Authority)
import certificate replies (obtained from the Certification Authority you contacted)
designate public keys belonging to other parties as trusted

18. Jar Use the jar tool to create JAR files
The Java ARchive (JAR) file format enables you to bundle multiple files into a single archive file
When you want to "digitally sign" code, you use the jar tool to place it in a JAR file and the jarsigner tool to sign the JAR file

19. Jarsigner
Use the jarsigner tool to sign JAR files, or to verify signatures on signed JAR files.
The jarsigner tool accesses a keystore that is created and managed by keytool, when it needs to find the private key and its associated certificate chain to use when signing a JAR file.