Applet security
Since 1997 - after Microsoft realized that the Internet is important - you have
to battle with the battle of Sun/Netscape and Microsoft. Java virtual machines
and browsers support different technologies - especially in treating security.
You should read IBM's Java 2 Network Security
(or local copy) or Sun's security page
to get a deeper insight into Java security.
In iX, 11 pp 202-205 you find
special instructions for signing applets for Netscape or Explorer.
If you want to publish an applet in the internet which wants to break out of the
Java-sandbox you have to do a lot of work and a lot of things to imagine:
Sun technology
With JDK 1.0 you can't break out of the sandbox.
With JDK 1.1 you can sign your code and the user/browser trusts
you or not. See IBM's Java 2 Network Security
or Sun's javakey tool for details of signing the code.
With JDK 1.2 for Netscape 4.x and Explorer 5 (with JDK-plugin) you have
the choice to sign your applet code (or not) and the user trusts you
(or not) and grants specific rights to you in his policy file (see
also
the JDK 1.2 security page. You have to:
- generate your certificate (see
Keytool): keytool -genkey -alias yourCert -keystore yourKeystore
- export your certificate: keytool -export -keystore yourKeystore -alias yourCert -file yourCert.crt
- compile your code: javac testApplet.java
- pack your code: jar cvf testApplet.jar testApplet.class
- sign your code: jarsigner -keystore yourKeystoreFile testApplet.jar yourCert
- publish a link to your certificate (crt-file): example certificate
- the user imports this certificate into his local keystore file (if he trusts it):
keytool -import -keystore yourKeystoreFile -file yourCert.crt -alias yourCert
- add some lines into your JDK1.2 policy file (for example these lines).
Your global policy-file is located
in your JRE-directory (JRE-HOME/1.2/lib/security/java.policy) and
your user policy-file is located in your home directory
(USER-HOME/.java.policy).
- construct the HTML-File which starts the Applet as a plugin (example see here)
I think (just like the authors of the Java 2 Network Security book) the best
solution at this time is to develop code only for the Java-plugin 1.2 because of
the following reasons:
- both important browsers (Netscape, Explorer) support Java-plugins
- JDK is separated from the browser
- developing software is easier because you don't have to develop for
different browsers but "only" for different JDK-plugins
- the user don't have to wait for the browsers to support the
newest Java technologies
- JDK is de facto standard and a good basis for reusing code
- Java-code of third party developers could be integrated
- VM's (or JIT's) of third party vendors could be used
Netscape technology
With JDK 1.1 for Netscape 4.x (with internal JDK 1.1.x; no JDK-plugin) you have to:
- generate your certificate (see Signtool): signtool -G myName
- write your code and insert some of the following lines into it: netscape.security.PrivilegeManager.enablePrivilege("yourPrivilege");
- compile your code: javac testApplet.java
- pack your code: jar cvf testApplet.jar testApplet.class
- sign your code: signtool -k myName -Z testApplet.jar testAppletDirectory
- if this is not already done, extend your WWW-Server to support cacert files through editing the mime.types-file of your WWW-Server and add the following line: application/x-x509-ca-cert cacert
- publish a link to your certificate (cacert-file): example certificate so that the user/browser can load this certificate into his browser. Prerequesite is that the user/browser also has an entry in his preferences applications for cacert (normally this is already done in Netscape)
- construct the HTML-File which starts the Applet (example see here)
If you want to start an applet without security checks (attention!)
you can configure your Netscape to do so:
- Exit Netscape
- Extend your user preferences in your Netscape-profile-directory
(Unix: preferences.js; Windows: prefs.js):
user_pref("signed.applets.codebase_principal_support", true);
user_pref("signed.applets.local_classes_have_30_powers", true);
Microsoft technology
With Microsoft SDK 3.2 for Explorer 5 (with internal Microsoft Virtual Machine; no JDK-plugin) you have to:
- generate your certificate (see Microsoft SDK): makecert -sk myName -n "CN=MyName" myName.cer
- convert your certificate into SPC: cert2spc myName.cer myName.spc
- define your rights in an .ini-file: piniedit myName.ini
- write your code and insert some of the following lines into it: com.ms.security.PolicyEngine.assertPermission (com.ms.security.PermissionID.YOUR-PERMISSION);
- compile your code: jvc testApplet.java
- pack your code: cabarc -r -p -P applet\ n testApplet.cab applet\*.class
- sign your code: signcode -j JavaSign.dll -jp myName.ini -k MyName -spc myName.spc testApplet.cab
- construct the HTML-File which starts the Applet (example see here)
18. November 1999, Josef Willenborg