Date: Fri, 25 Jul 1997 14:34:53 -0700
Message-Id: <199707252134.OAA03164@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: benedict.lobo@gte.com
Subject: Re: Java Security

Hi,

A signed applet can be granted the ability to cause another program to
run on the client side (I don't know what you mean by "load" - if you
mean Java class loading, or, if you mean "cause another program to
start running.")

This functionality is in the early access of JDK 1.2, which you can
use either as a Java licensee or by signing up for the early access
program via http://java.sun.com/jdc (Java Developer Connection.)

As for digital signatures in detail, the main thing to know is that as
of JDK 1.1, we have digital signatures for JAR files. A JAR file is a
Java ARchive (it's really a zip file, plus a meta-data file that is
called the Manifest, and accompanying signature files.) Unfortunately,
although you can use JDK 1.1 (as of today, you should fetch and use
JDK 1.1.3) to sign JAR files, these signatures are not yet recognized
by the Java-enabled browsers other than HotJava.

There is a "how to" for signing JAR files at
http://java.sun.com/security/usingJavakey.html

Once you have a signed JAR file, in your HTML file, you refer to it
using the archive attribute of the <applet> tag:

    <applet code=foo.class archive=foo.jar width=100 height=100>
    </applet>

More info on JAR is online, at
http://java.sun.com/products/jdk/1.1/docs/guide/jar/jarGuide.html

As for the security of Java for reading/writing on the disk: if you
are in the US or Canada, you can download the JCE (Java Cryptography
Extension) to use data encryption on files read/written. The JCE
distribution has a demo program that shows how to use those APIs.
JCE may be downloaded from http://java.sun.com/products/jdk/1.1/jce

Thanks,
Marianne
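
Added example, not part of the original message and not Sun's code: a Python sketch that opens a JAR as the zip file it is, lists the Manifest and signature files described above, and checks each entry against the digest recorded for it in the Manifest. It assumes SHA-256-Digest manifest attributes (the name current JDK tools write), uses a constructed sample JAR with placeholder signature files, and does not verify the signature block itself.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # A manifest line starting with one space continues the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def inspect_jar(jar_bytes):
    """Summarise a JAR's signing metadata and check the manifest digests."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sig_blocks = (".DSA", ".RSA", ".EC")
        report = {
            "has_manifest": "META-INF/MANIFEST.MF" in names,
            "signature_files": sorted(n for n in meta if n.upper().endswith(".SF")),
            "signature_blocks": sorted(n for n in meta if n.upper().endswith(sig_blocks)),
            "digest_ok": {},
        }
        if not report["has_manifest"]:
            return report
        sections = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name in meta or name.endswith("/"):
                continue
            expected = sections.get(name, {}).get("SHA-256-Digest")
            if expected is None:
                report["digest_ok"][name] = None  # entry not listed in the manifest
                continue
            digest = hashlib.sha256(jar.read(name)).digest()
            report["digest_ok"][name] = base64.b64encode(digest).decode() == expected
        return report

def build_sample_jar(tamper=False):
    """Constructed sample: one listed class, one unlisted class, placeholder signatures."""
    payload = b"\xca\xfe\xba\xbe constructed stand-in for foo.class"
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: foo.class\r\nSHA-256-Digest: " + digest + "\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SIGNER.DSA", b"placeholder, not a real signature block")
        jar.writestr("foo.class", payload + (b"!" if tamper else b""))
        jar.writestr("extra.class", b"constructed entry added after signing")
    return buf.getvalue()
```

A result of None for an entry means the Manifest does not list it, so no signature over the Manifest can cover that entry.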