csci5931 Web Security 1 Java Security Model (GS: Ch. 7)

Upload: ralf-sanders

Post on 13-Dec-2015


Page 1: Csci5931 Web Security1 Java Security Model (GS: Ch. 7)

csci5931 Web Security 1

Java Security Model (GS: Ch. 7)

Page 2: Topics

  A. Basics of Java Security Model
  B. Cryptographic Signatures
  C. Permissions
     Customized Permissions

Page 3: Basics of Java Security Model

Java 2 security is policy-based: the policy, defined in the java.policy file, controls which resources a piece of Java code may access.

A codesource = codebase + signer(s):
  codebase: the location the code was loaded from, either a local path or a remote site (expressed as a URL).
  signer: the entity (certificate) that signed the code in question. Code may be unsigned, or signed by more than one signer.

Page 4: Basics of Java Security Model

Permissions: the specific actions a codesource is allowed to take (e.g., read or write a file, connect to a host and port).

Types of Java code covered by the model:
  Java applications
  Java applets
  Java servlets
  JavaBeans, EJB (Enterprise JavaBeans)

Page 5: Managing Cryptographic Signatures

Tools shipped with the JDK (Sun): keytool, jarsigner, policytool (policytool was removed in JDK 11).

keytool (pp. 157-161):
  An application that ships with the JDK.
  It manages keystores (private keys and certificates) and can generate keypairs and self-signed certificates.
  It replaces javakey, found in Java 1.1.

Note: keystore files are tied to the keystore type implemented by a provider (e.g., JKS from Sun's provider). A keystore written with one provider's keystore type cannot be read as a different type; the -storetype given to keytool and jarsigner must match the file (PKCS12 is the default type since JDK 9).

Page 6: Managing Cryptographic Signatures: jarsigner

A signing and verification tool for Java archive (JAR) files. Signing attaches a specific signer to a specific set of code.

Usage:
  jarsigner [options] jar-file alias
  jarsigner -verify [options] jar-file

Options:
  [-keystore <url>]        keystore location
  [-storepass <password>]  password for keystore integrity
  [-storetype <type>]      keystore type
  [-keypass <password>]    password for the private key (if different from the store password)
  [-sigfile <file>]        base name of the generated .SF and .DSA (or .RSA/.EC) files
  [-signedjar <file>]      name of the signed JAR file (default: the input JAR is signed in place)
  [-verify]                verify a signed JAR file
  ...

Page 7: Managing Cryptographic Signatures: jarsigner

(a) It signs JAR files.
(b) It verifies signatures on JAR files.

JAR (Java Archive): a ZIP-format archive with a manifest (META-INF/MANIFEST.MF) that supports signatures.

To sign a JAR file you must have a private key and its certificate in your keystore (keytool -genkeypair creates both).

For your signed JAR file to be verifiable by others, the verifier must trust your certificate: either it is issued by a CA the verifier trusts, or (for a self-signed certificate) the verifier has imported it into their own keystore/truststore.

Page 8: Managing Cryptographic Signatures

A signed JAR lets the user decide whether the Java code it contains can be trusted, because the signer's identity is bound to the archive's contents.

Applets are usually signed when extra permissions (beyond the default sandbox) need to be granted.

In Java 1.2.1 or higher, every class within the same package inside a signed JAR must be signed by the same certificate(s); the class loader rejects a class whose signers differ from those of the classes already loaded for that package. Q: Why is this important? (Hint: package-private members are visible to every class in the package.)

Page 9: Managing Cryptographic Signatures

Steps in signing a JAR file:
  A. Use jar to create a JAR file out of the .class file(s).
  B. Use keytool to generate a keypair (and its self-signed certificate) in a keystore.
  C. Use jarsigner to sign the JAR file with the private key; the certificate is embedded in the JAR's signature block.

To verify a signed JAR file: jarsigner -verify ... (add -verbose -certs to see which entries are signed and by which certificate).

Example usage: p.179

Page 10: Managing Cryptographic Signatures

When a JAR is signed, it is not the JAR (ZIP) file as a whole that is signed but its individual entries: the manifest records a digest of each entry, the signature file records digests of the manifest, and the signature itself is computed over the signature file.

A signed JAR therefore carries three files under META-INF/:
  The manifest (MANIFEST.MF), with a digest per entry
  The signature file (<alias>.SF, e.g. EXAMPLES.SF)
  The signature block file (<alias>.DSA, .RSA or .EC depending on the key type, e.g. EXAMPLES.DSA): a PKCS#7 structure holding the signature and the signer's certificate chain

Page 11: Managing Cryptographic Signatures

To view the contents of a JAR file, use the jar command:

  > jar tvf HelloWorld.jar
   140 Wed Mar 19 10:22:24 CST 2003 META-INF/MANIFEST.MF
   193 Wed Mar 19 10:22:24 CST 2003 META-INF/EXAMPLES.SF
  1013 Wed Mar 19 10:22:24 CST 2003 META-INF/EXAMPLES.DSA
     0 Wed Mar 19 10:13:58 CST 2003 META-INF/
   426 Wed Mar 19 10:13:30 CST 2003 HelloWorld.class

or open it with WinZip or any other ZIP tool (a JAR is an ordinary ZIP file).
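The following class is an added example written for this page; it is not from the textbook or the course. It verifies a signed JAR (such as the HelloWorld.jar listed above, passed on the command line) through the java.util.jar API instead of through jarsigner. Two points it makes concrete: an entry's signers are only known after the entry has been read to the end, because verification happens on the stream, and an entry that has no signers at all is reported as a failure, the case jarsigner -verify only mentions as a warning ("This jar contains unsigned entries which have not been integrity-checked"). The isSignatureRelated helper is an assumption of this example, not a JDK API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Walks a JAR with verification enabled and reports, per entry, who signed it.
 * An unsigned content entry is treated as a failure: that is what an attacker
 * produces by appending a class to an otherwise validly signed JAR.
 */
public class JarSignatureCheck {

    /** MANIFEST.MF and the .SF/.DSA/.RSA/.EC files are never themselves signed (assumed helper). */
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String rest = name.substring("META-INF/".length());
        if (rest.indexOf('/') >= 0) return false;      // e.g. META-INF/services/* is ordinary content
        String upper = rest.toUpperCase();
        return upper.equals("MANIFEST.MF") || upper.startsWith("SIG-")
            || upper.endsWith(".SF") || upper.endsWith(".DSA")
            || upper.endsWith(".RSA") || upper.endsWith(".EC");
    }

    /** Returns the number of content entries without a valid signature; 0 means fully signed. */
    static int checkJar(String path) throws IOException {
        int unsigned = 0;
        // second argument = true: JarFile verifies digests and signatures as entries are read
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;

                // Drain the entry: signer information is populated only once the stream has
                // been read to the end. Tampered content (digest mismatch) surfaces here
                // as a SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED  " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // The first certificate in the path is the signer's own (leaf) certificate.
                    X509Certificate leaf =
                        (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    System.out.println("signed    " + entry.getName()
                        + "  by " + leaf.getSubjectX500Principal().getName()
                        + (signer.getTimestamp() == null ? "  (no timestamp)" : ""));
                }
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignatureCheck <file.jar>");
            System.exit(2);
        }
        try {
            int unsigned = checkJar(args[0]);
            System.out.println(unsigned == 0 ? "OK: every content entry is signed"
                                             : "FAIL: " + unsigned + " unsigned entries");
            System.exit(unsigned == 0 ? 0 : 1);
        } catch (SecurityException e) {
            // an entry's bytes no longer match the digest recorded in the manifest or .SF file
            System.out.println("FAIL: signature or digest invalid: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile with javac and run as `java JarSignatureCheck HelloWorld.jar`. The check answers "who signed each entry", not "should I trust them": that decision belongs to the policy (signedBy entries resolved against a keystore) or to a truststore lookup on the leaf certificate, and a signature without a timestamp stops verifying once the signer's certificate expires.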

Page 12: Managing Permissions

The Java security manager handles the checking of permissions as needed.

The default implementation is java.lang.SecurityManager, which can be subclassed or replaced if necessary. Since Java 2 its check methods delegate to AccessController.checkPermission, which walks the call stack and consults the policy for every caller's codesource.

Java enforces security by asking the security manager for permission before taking any action that is considered potentially unsafe (opening a file or socket, loading native code, setting the security manager itself, ...). For an ordinary application no security manager is installed unless one is requested (e.g., -Djava.security.manager); applets ran under one by default.

Page 13: Managing Permissions

Permissions are defined in the java.policy file, which is stored in $JAVA_HOME/jre/lib/security/java.policy (JDK 8 and earlier; $JAVA_HOME/conf/security/java.policy from JDK 9). A per-user file, ~/.java.policy, is read in addition by default.

Two ways to edit a java.policy file:
  A. Manually, with a text editor
  B. With policytool, a GUI tool for editing Java security policies (see examples on pp.188-189)

An example: pp.182, 187 (FileWriteTest.java)

Page 14: Managing Permissions

The syntax of a grant entry in a java.policy file:

  grant signedBy "signer_names", codeBase "URL" {
      permission permission_class_name "target_name", "action", signedBy "signer_names";
  };

Both signedBy and codeBase are optional; a grant entry with neither applies to all code. Signer names are aliases in the keystore named by the policy file's keystore entry.

See sample listing on pp.183-184.
More samples on p.186.

Page 15: Managing Permissions

Default permission classes in Java (p.190):
  AllPermission (implies every other permission; granting it to a codesource removes the sandbox for that code)
  BasicPermission (abstract base class for named permissions; a trailing "*" in the name acts as a wildcard)
  FilePermission
  SocketPermission

Subclasses of BasicPermission: AudioPermission, AWTPermission, NetPermission, ...

Page 16: Managing Permissions

Customized permissions:
  You may want to restrict access to certain classes based on the caller's codesource, i.e., to prevent untrusted code from calling some sensitive classes.

  An example (p.191): extend BasicPermission by creating a subclass, and have the sensitive class ask the security manager for that permission before doing its work.

Page 17: Managing Permissions

Customized permissions, example run:

  > java -cp SecretWordTest.jar -Djava.security.manager -Djava.security.policy=SecretWord.policy SecretWordTest
  The secret word is: ossifrage
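The single source file below is an added example written for this page, not the book's SecretWordTest listing (p.191), and it also exercises the grant syntax from page 14. It reproduces the run shown above: a custom BasicPermission subclass, a sensitive class that asks the security manager for it, and a policy file (shown in the leading comment) that grants the permission to one codebase. The class names SecretWordPermission and SecretWordService, the ${user.dir}-based codeBase URL and the "examples" signer alias are assumptions of this example; "ossifrage" is the value from the slide's output.

```java
import java.security.BasicPermission;

/*
 * SecretWord.policy (file name from the slide's command line; the entry itself is an
 * assumed illustration of the page 14 grant syntax):
 *
 *     keystore "file:${user.dir}/.keystore";         // only needed for signedBy entries
 *
 *     grant codeBase "file:${user.dir}/SecretWordTest.jar" {
 *         permission SecretWordPermission "read";
 *     };
 *
 *     // Alternative: grant by signer instead of by location:
 *     //     grant signedBy "examples" { permission SecretWordPermission "read"; };
 *
 * Delete the permission line and rerun: the output becomes "Access denied: ...".
 */

/** Custom permission: a BasicPermission has a (possibly wildcarded) name and no actions. */
class SecretWordPermission extends BasicPermission {
    public SecretWordPermission(String name) {
        super(name);
    }

    /** The two-argument form is required so the policy parser can instantiate it; actions are ignored. */
    public SecretWordPermission(String name, String actions) {
        super(name, actions);
    }
}

/** The sensitive class guards itself, so the caller's codesource (via the policy) decides the outcome. */
class SecretWordService {
    private static final String SECRET = "ossifrage"; // value from the slide's sample output

    public static String getSecretWord() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Delegates to AccessController.checkPermission: every caller on the stack must be
            // granted SecretWordPermission "read", so untrusted code cannot obtain the word by
            // calling through trusted code. With no security manager the check is skipped.
            sm.checkPermission(new SecretWordPermission("read"));
        }
        return SECRET;
    }
}

public class SecretWordTest {
    public static void main(String[] args) {
        // BasicPermission name matching: "*" and "prefix.*" imply the more specific names.
        System.out.println("\"*\" implies \"read\": "
            + new SecretWordPermission("*").implies(new SecretWordPermission("read")));
        try {
            System.out.println("The secret word is: " + SecretWordService.getSecretWord());
        } catch (SecurityException e) { // AccessControlException is a SecurityException
            System.out.println("Access denied: " + e.getMessage());
        }
    }
}
```

Build with `javac SecretWordTest.java` and `jar cf SecretWordTest.jar *.class`, then run the command from the slide. Two things to check: `-Djava.security.policy=FILE` adds the file to the system policy, while `==FILE` replaces it; and the security manager is deprecated for removal since JDK 17 (JEP 411) and cannot be enabled at all from JDK 24 (JEP 486), so the run above needs JDK 8 through 23.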

Page 18: Managing Permissions

Security properties for the JVM are defined in the java.security file, stored in $JAVA_HOME/jre/lib/security/java.security ($JAVA_HOME/conf/security/java.security from JDK 9).

It configures the security providers and their order, the policy provider, the policy file URLs (policy.url.n), the default keystore type, etc. (pp.194-195)

Page 19: Next

Team presentations:
  SSL (GS: 9)
  Applet security (GS: 7)
  Servlet security (GS: 8)
  ...