SG24-2109-01
International Technical Support Organization
http://www.redbooks.ibm.com
Java 2 Network Security
Marco Pistoia, Duane F. Reller
Deepak Gupta, Milind Nagnur, Ashok K. Ramani
Foreword by Li Gong
Distinguished Engineer and Chief Java Security Architect
Sun Microsystems, Inc.
June 1999
© Copyright International Business Machines Corporation 1997, 1999. All rights reserved.
Note to U.S. Government Users – Documentation related to restricted rights – Use, duplication or disclosure is
subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Second Edition (June 1999)
This edition applies to Java 2 SDK, Standard Edition, V 1.2.
Comments may be addressed to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 678
P.O. Box 12195
Research Triangle Park, NC 27709-2195
When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the
information in any way it believes appropriate without incurring any obligation to you.
Take Note!
Before using this information and the product it supports, be sure to read the general information in
Appendix F, “Special Notices” on page 659.
Foreword
As the person who led the JavaSoft team that developed the Java security
technology discussed in this book, it is extremely gratifying to see people
spend their precious time writing about our technology and products. Every
engineer’s dream is to have his or her technology deployed and used by
thousands of others, and this book is a great help to Java developers who
write security-aware applications.
Security is a difficult subject to write about. On the one hand, security is in
people’s daily consciousness so that it appears easy to get across (to the
reader) some of the basic concepts. On the other hand, security applied to
computer and networking is often subtle and unexpected. Security also is
pervasive in that it touches all aspects of the computing technology, including
hardware, software, operating system, software libraries, communication
software, networking infrastructure, application software, user interface, and
management software. In order to understand security in any situation, one
has to understand the entire system under consideration as well as each
individual component so that one can identify their strengths and weaknesses
and design the appropriate solutions.
Java security is one of the more recent additions to the family of security
technologies. Ever since Sun Microsystems announced Java technology in
the spring of 1995, there has been strong and growing interest (in industry,
research laboratories, and academia) around the security of the Java platform
as well as new security issues raised by the deployment of Java technology.
Such close attention being paid to security is almost unprecedented in that
new computing technologies normally ignore security considerations when
they emerge initially. Most of them remain unsecured forever. In the few cases
where efforts are made to secure them later, the efforts are typically not very
successful because retrofitting security is usually very difficult, if possible at
all, and often causes backward compatibility problems.
Therefore, it is extremely fortunate that the Java technology had security as a
primary design goal from the very beginning. (Hats off to the original Java
development team. I joined JavaSoft only in 1996.) Although the initial
security model was very simplistic, it enabled later improvements in the
security architecture.
The Java language is a general-purpose object-oriented programming
language and is specifically designed to be platform independent so that
application developers can write a program once and then run it securely
everywhere on the Internet. To achieve this platform independence, a Java
program is compiled to a bytecode instruction set and binary format defined
in the Java Virtual Machine Specification. The Java platform consists of the
Java language and its associated tools (such as compilers), together with the
Java Virtual Machine (JVM) and its associated libraries that define a rich set
of application programming interfaces (APIs).
Security for the Java platform has multiple layers. First of all, the Java
language is strongly typed and does not include any unsafe constructs, such
as array accesses without index checking, because such unsafe constructs
may result in unspecified and unpredictable program behavior that can lead to
security compromises. Type safety is checked both at the time a piece of
bytecode is loaded into the JVM and throughout the lifetime of the bytecode
(that is, during run time) until it is no longer used and garbage collected.
Second, mechanisms (for example, class loaders) are in place to ensure a
sufficient degree of separation between multiple Java programs so that they
do not interfere with each other in undesirable ways.
Third, access to crucial system resources is mediated by the JVM. A security
manager is installed to deny all requests for unauthorized access. The access
control model, in the initial release of the Java Development Kit (JDK 1.0),
was to grant full access to local code (that is, trust such code and let it do
anything it wants) and to grant very restricted access to code loaded over the
network because such code (often referred to as applets) may not be trusted.
JDK 1.1 introduced a notion of trusted applets and granted full access to
these applets. The latest release, JDK 1.2 (also called Java 2), incorporates a
new security architecture that supports policy-driven, fine-grained, flexible,
and extensible access control. (For design rationales of this architecture, as
well as difficulties and subtleties we encountered during JDK 1.2
development, please refer to my book Inside Java 2 Platform Security.)
On top of type safety and access control, there are the Java Cryptography
Architecture (implemented in JDK 1.2 and in the Java Cryptography
Extension 1.2), support for secure communication (the Java Secure Socket
Extension), and a framework for user-based authentication and access
control (the Java Authentication and Authorization Service). These
technologies are at various stages in the development and release cycle.
Finally, applications can provide their own specific security features and can
customize security features that are built into the Java platform.
Our colleagues at IBM, among other industrial partners, have been closely
involved with the recent development of Java security technology. They have
supported our efforts in many ways, and have provided excellent technical
suggestions. This latest book from IBM is a comprehensive guidebook that
provides the programmer/reader with well-organized details of the Java
security APIs and their usage. The book is also broad in its coverage of the
wider security context and related issues.
I am very excited to see such a good book being published on Java security. It
will contribute greatly toward making the Java platform the most popular
deployment environment for secure computing.
Li Gong
Distinguished Engineer and Chief Java Security Architect
Sun Microsystems
Cupertino, California
May 1999
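The foreword contrasts the JDK 1.0 model (local code trusted, network code confined) with the policy-driven, fine-grained access control of Java 2, where a security manager denies any request the policy does not grant. The following is an added example, not code from the redbook or from Sun; it uses the JDK 1.2-era java.security API (SecurityManager, AccessController, FilePermission) to show how a permission check resolves against a policy file. The file paths and the policy file name demo.policy are constructed for the illustration.

```java
// Added example (not from the redbook): a Java 2 style permission check.
// Assumes the JDK 1.2-era APIs java.security.AccessController and
// java.io.FilePermission. Caveat for modern JDKs: SecurityManager was
// deprecated for removal in JDK 17, must be enabled with
// -Djava.security.manager=allow from JDK 18, and is permanently disabled in JDK 24.
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

public class PolicyDemo {

    /**
     * Returns true if every protection domain on the current call stack
     * has been granted the permission p by the installed Policy, false if
     * the access controller denies it.
     */
    static boolean isPermitted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Install the default security manager. From this point on, every
        // permission not granted by the policy in force is denied, which is
        // the Java 2 "deny all unauthorized requests" model the foreword describes.
        System.setSecurityManager(new SecurityManager());

        // Hypothetical targets for the check (constructed sample values).
        Permission readTmp  = new FilePermission("/tmp/-", "read");
        Permission writeEtc = new FilePermission("/etc/passwd", "write");

        System.out.println("read  /tmp/*      : " + isPermitted(readTmp));
        System.out.println("write /etc/passwd : " + isPermitted(writeEtc));
    }
}

// Constructed policy file demo.policy. Run with
//   java -Djava.security.policy=demo.policy PolicyDemo
// so that the read on /tmp is granted to code loaded from the current
// directory while the write to /etc/passwd stays denied:
//
//   grant codeBase "file:./-" {
//       permission java.io.FilePermission "/tmp/-", "read";
//   };
```

Run once without the -Djava.security.policy option and both checks print false, because the default policy grants application code nothing beyond the standard java.policy entries; run with demo.policy and only the read check turns true. That difference, decided by an editable text file rather than by where the code came from, is the fine-grained, policy-driven control that distinguishes Java 2 from the JDK 1.0 sandbox.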
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
The Team That Wrote This Redbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Comments Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Part 1. Introduction to Java and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1. An Overview of Java and Security . . . . . . . . . . . . . . . . . . . . 3
1.1 Java Is Not Just a Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 What Java Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Java Is Not an Island: Java as a Part of Security . . . . . . . . . . . . . . . . . 5
1.3.1 Safety and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3.2 Java as an Aid to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3.3 Java as a Threat to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3.4 Writing Secure Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.5 Staying One Jump Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.6 The Vigilant Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4 Understanding Java 2 Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4.1 An Example of Applet Security in Java 2 . . . . . . . . . . . . . . . . . . 14
1.4.2 An Example of Application Security in Java 2 . . . . . . . . . . . . . . . 26
1.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 2. Attack and Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.1 Components of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.1.1 The Development Environment. . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.1.2 The Execution Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.1.3 Interfaces and Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.2 Java 2 and Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.2.1 Cryptographic Tools in Brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.2.2 Java Cryptography Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.2.3 United States Export Rules for Encryption . . . . . . . . . . . . . . . . . 57
2.2.4 Signed Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.2.5 The Other Side of the Coin – Access Control . . . . . . . . . . . . . . . 59
2.3 Attacking the World of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.3.1 Perils in the Life of Remote Code . . . . . . . . . . . . . . . . . . . . . . . . 59
2.3.2 Vulnerabilities in Java Applications. . . . . . . . . . . . . . . . . . . . . . . 66
2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Chapter 3. The New Java Security Model . . . . . . . . . . . . . . . . . . . . . . . 69
3.1 The Need for Java Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.2 Evolution of the Java Security Model . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.2.1 The JDK 1.0 Sandbox Security Model . . . . . . . . . . . . . . . . . . . . 70
3.2.2 The Concept of Trusted Code in JDK 1.1 . . . . . . . . . . . . . . . . . . 72
3.2.3 The Fine-Grained Access Control of Java 2 . . . . . . . . . . . . . . . . 74
3.2.4 A Comparison of the Three Java Security Models . . . . . . . . . . . 78
3.3 Java 2 Protection Domain and Permissions Model . . . . . . . . . . . . . . . 80
3.4 New Class Search Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3.4.1 Boot Class Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.4.2 Extensions Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.4.3 Application Class Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.4.4 Class Search Paths in Summary . . . . . . . . . . . . . . . . . . . . . . . . 89
3.5 Java 2 Class Loading Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
3.5.1 Run-Time Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.6 The Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.6.1 The Default System-Wide Policy File . . . . . . . . . . . . . . . . . . . . . 96
3.7 Security Manager vs Access Controller . . . . . . . . . . . . . . . . . . . . . . . 98
3.8 Security Management with Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.8.1 Applying a Security Manager to Applets and Applications. . . . . . 99
3.8.2 Applying a User-Defined Security Policy. . . . . . . . . . . . . . . . . . . 99
3.8.3 Java Security Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
3.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Part 2. Under the Hood. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Chapter 4. The Java Virtual Machine. . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.1 The Java Virtual Machine, Close Up. . . . . . . . . . . . . . . . . . . . . . . . . 109
4.1.1 The Class Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.1.2 The Class File Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.3 The Heap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.4 The Class Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.5 The Native Method Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.1.6 The Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.1.7 The Execution Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.1.8 Just-in-Time Compilers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter 5. Class Files in Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
5.1 The Traditional Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . 117
5.2 The Java Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.3 The Java 2 Class File Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
5.3.1 Decompilation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
5.4 The Constant Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
5.4.1 Beating the Decompilation Threat. . . . . . . . . . . . . . . . . . . . . . . 134
5.5 Java Bytecode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.5.1 A Bytecode Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Chapter 6. The Class Loader and Class File Verifier . . . . . . . . . . . . . 145
6.1 Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.1.1 Loading Classes from Trusted Sources . . . . . . . . . . . . . . . . . . 146
6.1.2 Loading Classes from Untrusted Sources . . . . . . . . . . . . . . . . . 147
6.1.3 Beyond What the JVM Provides . . . . . . . . . . . . . . . . . . . . . . . . 148
6.1.4 The Class Loading Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.1.5 Should You Build Your Own Class Loader . . . . . . . . . . . . . . . . 155
6.2 The Class File Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
6.2.1 An Example of Class File Verification . . . . . . . . . . . . . . . . . . . . 169
6.2.2 The Duties of the Class File Verifier . . . . . . . . . . . . . . . . . . . . . 175
6.2.3 The Four Passes of the Class File Verifier. . . . . . . . . . . . . . . . 176
6.3 The Bytecode Verifier in Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.3.1 The Data Flow Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.4 An Incompleteness Theorem for Bytecode Verifiers . . . . . . . . . . . . . 183
6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 7. The Java 2 SecurityManager . . . . . . . . . . . . . . . . . . . . . . . 187
7.1 What SecurityManager Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.2 Operation of the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . 190
7.2.1 Interdependence of the Three JVM Security Elements . . . . . . . 192
7.3 Attacking the Defenses of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.3.1 Types of Attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.3.2 Malicious Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.4 Avoiding Security Hazards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.4.1 How to Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
7.5 Examples of Security Manager Extensions. . . . . . . . . . . . . . . . . . . . 206
7.5.1 First Example – Overriding checkWrite(). . . . . . . . . . . . . . . . . . 206
7.5.2 Second Example – Overriding checkPermission(). . . . . . . . . . . 211
7.5.3 Third Example – Overriding checkRead() and checkWrite() . . . 218
7.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Chapter 8. Security Configuration Files in the Java 2 SDK . . . . . . . . 225
8.1 A Note on java.home and the JRE Installation Directory. . . . . . . . . . 225
8.2 Keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
8.2.1 The Certificates KeyStore File cacerts . . . . . . . . . . . . . . . . . . . 233
8.3 The Security Properties File, java.security . . . . . . . . . . . . . . . . . . . . 234
8.4 Security Policy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
8.4.1 keystore Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
8.4.2 grant Entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
8.5 An Example of Security Settings in the Java 2 Platform . . . . . . . . . . 248
8.5.1 The Count Application Source Code . . . . . . . . . . . . . . . . . . . . . 248
8.5.2 A Sample Text File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
8.5.3 Compiling the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
8.5.4 Running the Application without a Security Manager . . . . . . . . 250
8.5.5 Running the Application with the Default Security Manager . . . 250
8.5.6 Policy File Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
8.6 File Read Access to Files in the Code Base URL Directory . . . . . . . 252
8.7 Security Properties and Policy File Protection . . . . . . . . . . . . . . . . . 252
8.8 How to Implement a Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Chapter 9. Java 2 SDK Security Tools. . . . . . . . . . . . . . . . . . . . . . . . . 259
9.1 Key and Certificate Management Tool . . . . . . . . . . . . . . . . . . . . . . . 259
9.1.1 keytool Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
9.1.2 Store and Private Key Password . . . . . . . . . . . . . . . . . . . . . . . 261
9.1.3 Commands and Options Associated with keytool . . . . . . . . . . . 262
9.1.4 An Example of keytool Usage. . . . . . . . . . . . . . . . . . . . . . . . . . 269
9.2 Java Archive Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
9.2.1 Options of the jar Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
9.2.2 Running a JAR File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
9.3 JAR Signing and Verification Tool . . . . . . . . . . . . . . . . . . . . . . . . . . 275
9.3.1 jarsigner Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
9.3.2 Observations on the jarsigner Verification Process . . . . . . . . . . 284
9.3.3 Tampering with a Signed JAR File . . . . . . . . . . . . . . . . . . . . . . 286
9.4 Policy File Creation and Management Tool . . . . . . . . . . . . . . . . . . . 288
9.4.1 Observations on the Use of the Policy Tool . . . . . . . . . . . . . . . 295
Chapter 10. Security APIs in Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.1 The Package java.security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.1.1 Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.1.2 Guard Interface and GuardedObject Class . . . . . . . . . . . . . . . 298
10.1.3 Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
10.1.4 The Security Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
10.1.5 Access Control APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
10.1.6 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
10.1.7 Message Digests and Digital Signatures. . . . . . . . . . . . . . . . . 311
10.1.8 Secure Random Number Generation . . . . . . . . . . . . . . . . . . . 316
10.1.9 The SignedObject Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
10.1.10 Permission APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
10.1.11 Code Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
10.1.12 Protection Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
10.1.13 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
10.1.14 Secure Class Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.1.15 Algorithm Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.2 The Package java.security.spec . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.3 The Package java.security.cert. . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
10.4 Package java.security.interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.5 The Package java.security.acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.6 Examples Using the Java 2 Security APIs . . . . . . . . . . . . . . . . . . . 325
10.6.1 Signature and Signature Verification. . . . . . . . . . . . . . . . . . . . 325
10.6.2 Using Keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
10.7 The Permission Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
10.7.1 How to Create New Permissions. . . . . . . . . . . . . . . . . . . . . . . 344
10.7.2 Working with Signed Permissions . . . . . . . . . . . . . . . . . . . . . . 348
10.8 How to Write Privileged Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
10.8.1 First Case – No Return Value, No Exception Thrown . . . . . . . 351
10.8.2 Second Case – Return Value, No Exception Thrown . . . . . . . 352
10.8.3 Third Case – Return Value, Exception Thrown . . . . . . . . . . . . 353
10.8.4 Accessing Local Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
10.8.5 An Example of Privileged Blocks Usage . . . . . . . . . . . . . . . . . 354
10.8.6 General Recommendations on Using the Privileged Blocks . . 358
Chapter 11. The Java Plug-In. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
11.1 Main Features of Java Plug-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
11.2 What Does the Java Plug-In Do? . . . . . . . . . . . . . . . . . . . . . . . . . . 364
11.3 Java Plug-In HTML Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
11.3.1 Changes Supported by Navigator . . . . . . . . . . . . . . . . . . . . . . 364
11.3.2 Changes Supported by Internet Explorer . . . . . . . . . . . . . . . . 365
11.3.3 Changes Supported by Both Navigator and Internet Explorer . 366
11.3.4 All the Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
11.3.5 Java Plug-in Software HTML Converter . . . . . . . . . . . . . . . . . 369
11.4 Java Plug-In Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
11.4.1 The Basic Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
11.4.2 The Advanced Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
11.4.3 The Proxies Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
11.5 Java Plug-In Security Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
11.5.1 First Step – Without Using the Java Plug-in . . . . . . . . . . . . . . 374
11.5.2 Second Step – Using the Java Plug-in . . . . . . . . . . . . . . . . . . 377
Chapter 12. Java Gets Out of Its Box . . . . . . . . . . . . . . . . . . . . . . . . . 385
12.1 JAR Files and Applet Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
12.1.1 Manifest File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
12.1.2 Signature File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.1.3 Signature Block File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.2 Signed Code Scenario in JDK 1.1 and Sun HotJava. . . . . . . . . . . . 393
12.2.1 Creating the CA Key Database . . . . . . . . . . . . . . . . . . . . . . . . 393
12.2.2 Creating the Server Key Database . . . . . . . . . . . . . . . . . . . . . 395
12.2.3 Creating and Signing a JAR File . . . . . . . . . . . . . . . . . . . . . . . 397
12.2.4 Running the Applet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
12.2.5 Creating the Client Key Database. . . . . . . . . . . . . . . . . . . . . . 399
12.3 Signed Code Scenario in Java 2 SDK, Standard Edition, V1.2 . . . . 400
12.3.1 Creating a Keystore for Certification Authorities . . . . . . . . . . . 401
12.3.2 Creating the Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . 402
12.3.3 Creating and Signing a JAR file . . . . . . . . . . . . . . . . . . . . . . . 406
12.3.4 Granting the Permissions and Running the Applet . . . . . . . . . 407
12.4 Signed Code Scenario in Netscape Communicator. . . . . . . . . . . . . 409
12.4.1 Using the netscape.security Package . . . . . . . . . . . . . . . . . . . 410
12.4.2 Installing Keys and Certificates in Netscape Communicator . . 415
12.4.3 Signing JAR Files with Netscape Signing Tool . . . . . . . . . . . . 418
12.5 Signed Code Scenario in Microsoft Internet Explorer . . . . . . . . . . . 437
12.5.1 First Example with Signed CAB Files . . . . . . . . . . . . . . . . . . . 438
12.5.2 A More Complex Signed CAB File Example . . . . . . . . . . . . . . 450
12.6 The JAR Bug – Fixed In Java 2 SDK, Standard Edition, V1.2.1 . . . 461
12.6.1 The Solution in Java 2 SDK, Standard Edition, V1.2.1 . . . . . . 470
12.7 Future Developments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Part 3. Beyond the Island of Java – Surfing into the Unknown . . . . . . . . . . . . . . . . . 473
Chapter 13. Cryptography in Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 475
13.1 Security Questions, Cryptographic Answers . . . . . . . . . . . . . . . . . . 475
13.1.1 Public Key Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
13.2 The Java Cryptography Architecture Framework . . . . . . . . . . . . . . 480
13.2.1 JCE and United States Export Considerations . . . . . . . . . . . . 481
13.2.2 Relationship between Java 2 SDK, JCA and JCE APIs. . . . . . 482
13.3 JCA Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
13.3.1 The Provider Concept in the JCA . . . . . . . . . . . . . . . . . . . . . . 485
13.3.2 Engine Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
13.3.3 Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
13.4 Java Cryptography Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
13.4.1 JCE – Packages and Their Contents . . . . . . . . . . . . . . . . . . . 493
13.4.2 The Cipher Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
13.4.3 The Cipher Stream Classes . . . . . . . . . . . . . . . . . . . . . . . . . . 495
13.4.4 Secret Key Interfaces and Classes . . . . . . . . . . . . . . . . . . . . . 495
13.4.5 The KeyGenerator Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
13.4.6 The KeyAgreement Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.4.7 The SealedObject Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.5 Java Cryptography in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.5.1 First Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.5.2 Second Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.6 Asymmetric Encryption with the Java 2 SDK and JCE 1.2 . . . . . . . 497
13.6.1 Using Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 497
13.7 How to Implement Your Own Provider . . . . . . . . . . . . . . . . . . . . . . 497
13.7.1 Write the Service Implementation Code . . . . . . . . . . . . . . . . . 498
13.7.2 Give the Provider a Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.3 Write a Master Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.4 Compile the Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.5 Install and Configure the Provider. . . . . . . . . . . . . . . . . . . . . . 498
13.7.6 Test if the Provider Is Ready . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.7 Algorithm Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.8 Dependencies on Other Algorithms . . . . . . . . . . . . . . . . . . . . 499
13.7.9 Default Initializations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
13.7.10 A Sample Master Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Chapter 14. Enterprise Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
14.1 Browser Add-On Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
14.2 Networked Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
14.2.1 Applying the Java 2 Access Control Mechanisms . . . . . . . . . . 502
14.2.2 Two-Tier Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
14.2.3 Three-Tier Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
14.2.4 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
14.3 Secure Clients and Network Computers . . . . . . . . . . . . . . . . . . . . . 509
14.4 Server-Side Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
14.4.1 The Cost of Server-Side Java . . . . . . . . . . . . . . . . . . . . . . . . . 511
14.5 Servlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
14.5.1 Advantages of Servlets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
14.5.2 Servlets and CGI-BINs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
14.5.3 Java Servlet APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
14.5.4 Servlet Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
14.5.5 IBM WebSphere Application Server . . . . . . . . . . . . . . . . . . . . 520
14.5.6 A Sample Servlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
14.5.7 The Current Servlet Security Model . . . . . . . . . . . . . . . . . . . . 530
14.6 Distributed Object Architectures – RMI . . . . . . . . . . . . . . . . . . . . . . 537
14.6.1 Stubs and Skeletons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
14.6.2 RMI Registry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
14.6.3 A Sample RMI Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
14.6.4 The Security of RMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
14.7 Enterprise JavaBeans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Chapter 15. Java and Firewalls – In and Out of the Net . . . . . . . . . . . 557
15.1 What Is a Firewall?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
15.2 What Does a Firewall Do? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
15.2.1 Inside a TCP/IP Packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
15.2.2 How Can Programs Communicate through a Firewall? . . . . . . 561
15.3 Detailed Example of TCP/IP Protocol . . . . . . . . . . . . . . . . . . . . . . . 562