Not working

Monica Pawlan (Monica.Pawlan@Eng)
Mon, 23 Mar 1998 09:21:44 -0800 (PST)

Message-Id: <199803231724.JAA13620@taller.eng.sun.com>
Date: Mon, 23 Mar 1998 09:21:44 -0800 (PST)
From: Monica Pawlan <Monica.Pawlan@Eng>
Subject: Not working
To: java-security@web4.javasoft.com

--Tiding_of_Magpies_077_000
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: LCPug7ceCZs6781YSHL4TA==

The attached document was sent to this person to answer his
questios.
------------- Begin Forwarded Message -------------

Date: Mon, 23 Mar 1998 09:19:33 -0800 (PST)
From: Monica Pawlan <monicap@taller>
Subject: Not working
To: douglas@tp.ac.sg
Mime-Version: 1.0

Hi. The attached article is scheduled to be posted on the JDC in
two weeks. It should help answer your questions.

------------- Begin Forwarded Message -------------

Date: Mon, 23 Mar 1998 09:17:52 -0800 (PST)
From: Satya Dodda <satyad@taller>
Subject: Not working
To: monicap@shorter
MIME-Version: 1.0
Content-MD5: Sz4DYOtqtpQ1jQQPlvgoVw==

Hi Monica,

Can you please pass your document to this guy?

Thanks
Satya

------------- Begin Forwarded Message -------------

Date: Mon, 23 Mar 1998 11:40:32 +0800
From: douglas <douglas@tp.ac.sg
MIME-Version: 1.0
To: java-security@web4.javasoft.com
Subject: Not working
X-Priority: 3 (Normal)
Content-Transfer-Encoding: 7bit

Hello

This is my last resort! I've been trying to get a signed applet up and
running, but with no success. I tried 1.1.4, but then read about a bug.
So I downloaded 1.2, but still no success (I keep getting a security
exception). My OS is Win 95.

This is my java file:

import java.io.*;
import java.awt.*;
import java.applet.*;

public class Write extends Applet {
public void init(){
try {
FileWriter fw = new FileWriter("score.txt");
fw.write("New high score: 14\n");
fw.close();
} catch (IOException ioe) {System.out.println(ioe);}
}

public void paint(Graphics g) {
g.drawString("Have written the file", 10, 10);
}
}

This is what is do with keytool and jarsigner:

keytool -genkey // the alias mykey is used, and I enter a password when
prompted.

jar -cf write.jar Write.class

jarsigner write.jar mykey

It doesn't work!

I keep getting an AccessControlException.

This is driving me crazy. Any help ...? What am i doing wrong?

Thanks
Douglas

------------- End Forwarded Message -------------

------------- End Forwarded Message -------------

------------- End Forwarded Message -------------

--Tiding_of_Magpies_077_000
Content-Type: TEXT/html; name="signed.html"; charset=us-ascii
Content-Description: signed.html
Content-MD5: 9Q7Vjzsk7302db+LrjRGfw==

Signed Applets, Browsers, and File Access
Technical Support
Discussion Forum
Online Training
Technical Articles
Bug Parade
JDC Resources
DukeDollars
Early Access

Java Cup Logo

JDC Home Page

JDC Applets
chat
newsreader
calendar

Log Out

Java Developer Connection
shadowSearchFAQFeedback

Technical Articles Index
Signed Applets, Browsers, and File Access
By Monica Pawlan and Satya Dodda

Have you ever asked yourself "How do I sign an applet so it can access local system resources?", or "Why does an applet work in Applet Viewer, but not in my browser?" This article answers these questions, and shows you how to sign an applet, give it access to a local file, and successfully run it.

By default, applets have no access to local resources, but a signed applet can access local resources as allowed by the local system's security policy. The Java Development Kit (JDKTM) 1.2 provides security tools so end users and system administrators can sign applets and applications, and define their local security policy by specifying in a policy file how much access to local system resources a signed applet or application can have.

Web Browsers

A JDK 1.2 applet can run in a browser enabled for JDK 1.2 or in Applet Viewer. If an applet attempts to access local system resources, the applet must be signed and the local system must have a policy file configured to allow the access. If a JDK 1.2 applet does not work when you run it in your browser, it is probably because your browser is not enabled for JDK 1.2, the applet is not signed, or you do not have a correctly configured policy file.

When Project JavaTM Activator ports to JDK 1.2, you can use it to enable certain browsers not ported to JDK 1.2 to run JDK 1.2 applets.

Local File Access

For a JDK 1.2 applet to access local system resources, it must be archived, signed, and explicitly granted access. This example shows you how to compile a simple applet, bundle it into a Java ARchive (JAR) file, sign the JAR file, and create a policy file so the applet can create newfile in the user's home directory. This is how the example applet looks when it executes in Applet Viewer:

Files: For the example, these files are used:

Compile the Applet: Use the javac command to compile the SignedAppletDemo.java class. The output from the javac command is SignedAppletDemo.class.

javac SignedAppletDemo.java

Make a JAR File: Make the compiled SignedAppletDemo.class file into a JAR file. The -cvf input to the jar command means create a new archive (c), use verbose mode (v), and specify the archive file name (f). The archive file name is SignedApplet.jar.

jar cvf SignedApplet.jar SignedAppletDemo.class

Set up a Keystore Database: A keystore database contains public and private key pairs and their associated certificates. Key pairs and certificates are used to sign and verify the signatures on JAR files. Key Tool is a key and certificate management command line utility for managing a keystore database.

A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a parituclar value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before Jar Signer can be used to sign or verify the signature on a JAR file.

Use Key Tool to create a keystore database:

keytool -genkey -alias duke -keystore demoKeystore -keypass abcdefgh -dname "cn=Zelda" -storepass abcdefgh

This keytool -genkey command invocation generates a key pair that is identified by the alias duke. Subsequent Key Tool command invocations use this alias and the key password (-keypass abcdefg) to access the private key in the generated pair.

The generated key pair is stored in a keystore database called demokeystore (-keystore demoKeystore) in the local directory, and accessed with the demoKeystore password (-storepass abcdefgh).

The -dname "cn=Zelda" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.

You can view all Key Tool options and parameters by typing:

keytool -help

Sign the JAR File: JAR Signer is a command line tool for signing and verifying the signature on JAR files.

Use Jar Signer to sign the SignedApplet.jar file:

jarsigner -storepass abcdefgh -keystore demoKeystore -keypass abcdefgh SignedApplet.jar duke

The -storepass abcdefgh and -keystore demoKeystore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass abcdefgh option is the password to the private key, SignedApplet.jar is the name of the JAR file, and duke is the alias to the private key.

Create the Policy File: The policy file allows all programs signed by duke (the private key in the demoKeystore database) read access to the user's home directory and the ability to create newfile (and no other file) in the user's home directory. You can create a policy file with either Policy Tool or an ASCII editor.


keystore "demoKeystore";

// A sample policy file that lets a JavaTM program 
// create newfile in user's home directory
// Satya N Dodda


grant SignedBy "duke" {
        permission java.util.PropertyPermission "user.home", "read";
        permission java.io.FilePermission "${user.home}/newfile",
"write";
};


Run the Applet in Applet Viewer: Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Applet Viewer is called:

appletviewer -J-Djava.policy=Write.jp http://developer.javasoft.com/~ "$USER"/SignedAppletDemo.$$/SignedAppletDemo.html

The -J-Djava.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedAppletDemo.html file with the Write.jp policy file.

Signed Applications

By default, Java applications have access to all local system resources. You can use the JDK 1.2 tools to sign an application and restrict its access to local files, but the application must be launched with the java.security.Main option for the security policy to be in effect:

java -Djava.app.class.path="/home/zelda/apps" java.security.Main anApplication

The java.security.Main option causes the application to execute in a restricted environment, and the -Djava.app.class.path option ensures that any application in the specified path is subject to the security policy in force.

Signed Applets in JDK 1.1

JDK 1.1 signed applets can access local system resources if the local system is properly set up to allow it. See the JDK 1.1 Signed Applet Example page for details.

Conclusion

It is easy to use the JDK 1.2 security tools to sign a JAR file and allow an applet or application access to only certain specific local resources. Just remember a JDK 1.2 applet will not run in a browser that is not enabled for JDK 1.2, and a JDK 1.2 application must be launched with the java.security.Main option for the security policy to be in effect.

The JDC has a related article on security tools that explains the new JDK 1.2 security architecture and tools in more detail.

Visit the Security page on java.sun.com for documents that describe the JDK 1.2 security architecture, policy file, Key Tool and Jar Signer.

Monica Pawlan is a staff writer on the JDC team. She has a background in 2D and 3D graphics, security, database products, and loves to explore emerging technologies.

Satya Dodda is a JavaSoftTM engineer working in the security area.


Reader Feedback

Tell us what you think of this article and earn 2 DukeDollars.

Very worth reading Worth reading Not worth reading

If you have other comments or ideas for future articles, please type them here:





Questions?
18-Mar-98
Copyright © 1996-1998 Sun Microsystems Inc.
All Rights Reserved.
Sun Logo

--Tiding_of_Magpies_077_000--