Csci5931 Web Security: Java Security Model (GS: Ch. 7)


1 Java Security Model (GS: Ch. 7)

2 Topics
  A. Basics of Java Security Model
  B. Cryptographic Signatures
  C. Permissions
     - Customized Permissions

3 Basics of Java Security Model
  - Java 2 security is policy-based.
  - The policy defined in the java.policy file controls the resources that Java code has access to.
  - Codesource = codebase + signer
    - codebase: the location that the code comes from, either locally or from a remote site.
    - signer: the entity that signed the code in question.

4 Basics of Java Security Model
  - Permissions: specific actions that a codesource is allowed to take (e.g., access a file, connect to a machine)
  - Types of Java code:
    - Java applications
    - Java applets
    - Java servlets
    - Java beans, EJB

5 Managing Cryptographic Signatures
  - Tools provided by Sun: keytool, jarsigner, policytool
  - keytool (pp. 157-161):
    - An application that ships with the JDK.
    - It manages keystores and can create certificates.
    - It replaces javakey, found in Java 1.1.
    - Note: Keystores are linked to the provider (e.g., Sun’s JCA provider). A keystore file generated by one provider will not work with a keystore file generated by another provider.

6 Managing Cryptographic Signatures
  - jarsigner
    - A signing and verification tool for Java archive (JAR) files
    - Attaches a specific signer to a specific set of code
    - Usage:

        jarsigner [options] jar-file alias
        jarsigner -verify [options] jar-file

        [-keystore <url>]         keystore location
        [-storepass <password>]   password for keystore integrity
        [-storetype <type>]       keystore type
        [-keypass <password>]     password for private key (if different)
        [-sigfile <file>]         name of .SF/.DSA file
        [-signedjar <file>]       name of signed JAR file
        [-verify]                 verify a signed JAR file
        ...

7 Managing Cryptographic Signatures
  - jarsigner
    (a) It signs JAR files.
    (b) It verifies signatures on JAR files.
  - JAR (Java Archive): a .zip file that supports signatures.
  - To sign a JAR file: You must have a private key and a certificate in your keystore.
  - For your signed JAR file to be verifiable by others: Your certificate must be signed by a CA.

8 Managing Cryptographic Signatures
  - A signed JAR file allows the user to determine whether the Java code contained in the JAR can be trusted or not.
  - Applets are usually signed if extra permissions (beyond those defined as defaults) need to be granted.
  - In Java 1.2.1 or higher, every class within the same package inside a signed JAR must be signed by the same certificate.
    Q: Why is this important?

9 Managing Cryptographic Signatures
  - Steps in signing a JAR file:
    A. Use jar to create a JAR file out of the .class file(s).
    B. Use keytool to generate a keypair.
    C. Use jarsigner to sign the JAR file with the private key and the certificate.
  - To verify a signed JAR file: jarsigner -verify …
  - Example usage: p.179

10 Managing Cryptographic Signatures
  - When a JAR is signed, it is not the JAR itself that is signed, but some or all of the files it contains.
  - A signed JAR contains three files:
    - The manifest (HelloWorld.mf)
    - The signature file (HelloWorld.sf)
    - The digital signature file (HelloWorld.dsf)

11 Managing Cryptographic Signatures
  - To view the content of a JAR file:
    - Use the jar command:

        > jar tvf HelloWorld.jar
           140 Wed Mar 19 10:22:24 CST 2003 META-INF/MANIFEST.MF
           193 Wed Mar 19 10:22:24 CST 2003 META-INF/EXAMPLES.SF
          1013 Wed Mar 19 10:22:24 CST 2003 META-INF/EXAMPLES.DSA
             0 Wed Mar 19 10:13:58 CST 2003 META-INF/
           426 Wed Mar 19 10:13:30 CST 2003 HelloWorld.class

    - Use winzip or something like that
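
Slides 10 and 11 point out that a signature covers individual files rather than the archive as a whole. The following is an added example, not code from the slides or the textbook: it opens a JAR with verification enabled and returns the entries that carry no signer. The class name JarSignatureAudit and the alias and keystore names in the comment are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example. A test input can be produced with steps A-C (constructed names):
//   jar cf HelloWorld.jar HelloWorld.class
//   keytool -genkeypair -keyalg RSA -alias examples -keystore demo.jks
//   jarsigner -keystore demo.jks HelloWorld.jar examples
public class JarSignatureAudit {
    // MANIFEST.MF, .SF and signature block files carry the signature; they are not signed entries.
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith("/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".DSA")
                || n.endsWith(".RSA") || n.endsWith(".EC"));
    }

    // Returns entries with no signer. A modified signed entry makes the read throw SecurityException.
    static List<String> unsignedEntries(String path) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jar = new JarFile(path, true)) {          // true = verify while reading
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }             // signers are known only after a full read
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) { unsigned.add(entry.getName()); continue; }
                for (CodeSigner s : signers) {
                    X509Certificate c = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    System.out.println(entry.getName() + " signed by " + c.getSubjectX500Principal());
                }
            }
        }
        return unsigned;
    }
    public static void main(String[] args) throws IOException {
        List<String> unsigned = unsignedEntries(args[0]);
        unsigned.forEach(n -> System.out.println("UNSIGNED: " + n));
        System.exit(unsigned.isEmpty() ? 0 : 1);
    }
}
```

An empty result means the digests and signatures are intact, not that the signer is trusted; trust still depends on the certificate chain and on the signedBy entries in the policy.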

12 Managing Permissions
  - The Java security manager handles the checking of permissions as needed.
  - The default implementation: java.lang.SecurityManager, which can be subclassed or overridden if necessary.
  - Java enforces security by asking the security manager for permissions before taking any action that is considered potentially unsafe.

13 Managing Permissions
  - Permissions are defined in the java.policy file, which is stored in $JAVA_HOME/jre/lib/security/java.policy.
  - Two ways to edit the java.policy file:
    A. Manually, by using a text editor
    B. Use policytool, which is a GUI tool for editing Java security policies (see examples on pp.188-189)
  - An example: pp.182, 187 (FileWriteTest.java)

14 Managing Permissions
  - The syntax for the grant command in the java.policy file:

        grant signedBy "signer_names", codeBase "URL" {
            permission permission_class_name "target_name", "action", signedBy "signer_names";
            …
        };

  - See sample listing on pp.183-184.
  - More samples on p.186.

15 Managing Permissions
  - Default permission classes in Java: p.190
    - AllPermission
    - BasicPermission
    - FilePermission
    - SocketPermission
  - Subclasses of BasicPermission:
    - AudioPermission, AWTPermission, NetPermission, …

16 Managing Permissions
  - Customized Permissions:
    - You may want to restrict access to certain classes based on the caller’s codesource.
    - To prevent untrusted code from calling some sensitive classes.
    - An example (p.191): extending BasicPermission by creating a subclass.

17 Managing Permissions
  - Customized Permissions: Example

        > java -cp SecretWordTest.jar -Djava.security.manager -Djava.security.policy=SecretWord.policy SecretWordTest
        The secret word is: ossifrage
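
One way a customized permission of the kind described on slides 16 and 17 can be written, together with the security-manager check from slide 12 and a matching grant entry in the slide 14 syntax. This is an added example, not the textbook's listing: the class names SecretWordDemo, SecretWordPermission and SecretWord, the target name "read" and the policy text in the comment are assumptions.

```java
import java.security.AccessControlException;
import java.security.BasicPermission;

// Added example; class names and the policy text below are constructed.
//
// SecretWord.policy:
//   grant codeBase "file:${user.dir}/SecretWordDemo.jar" {
//       permission SecretWordDemo$SecretWordPermission "read";
//   };
//
// Run: java -cp SecretWordDemo.jar -Djava.security.manager
//           -Djava.security.policy=SecretWord.policy SecretWordDemo
public class SecretWordDemo {

    // Custom permission: BasicPermission supplies name matching, equals() and hashCode().
    public static final class SecretWordPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        public SecretWordPermission(String name) { super(name); }
        // Used when a policy entry also gives an action string.
        public SecretWordPermission(String name, String actions) { super(name, actions); }
    }

    // Sensitive class: asks the security manager before releasing the value.
    public static final class SecretWord {
        private static final String WORD = "ossifrage";
        public static String get() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // Throws unless every codesource on the call stack holds the permission.
                sm.checkPermission(new SecretWordPermission("read"));
            }
            return WORD;
        }
    }

    public static void main(String[] args) {
        try {
            System.out.println("The secret word is: " + SecretWord.get());
        } catch (AccessControlException e) {
            // Reached when the policy contains no matching grant for this codesource.
            System.out.println("Denied: " + e.getPermission());
        }
    }
}
```

The Security Manager has been deprecated for removal since Java 17 (JEP 411) and can no longer be enabled from JDK 24 on, so the check takes effect only on older JDKs.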

18 Managing Permissions
  - Security properties for the JVM are defined in the java.security file, which is stored in $JAVA_HOME/jre/lib/security/java.security.
  - Security providers, policy provider, keystore type, etc. (pp.194-195)

19 Next
  - Team Presentations
  - SSL (GS: 9)
  - Applet security (GS: 7)
  - Servlets security (GS: 8)
  - …

