270 likes | 298 Views
Java Security cont’d. Laboratuar Study. Study the Java code of the 15 th slide which was given in previous lesson , - 3_May lecture notes -. After running the related code , make the following changes :
E N D
Laboratuar Study • Study the Java code of the 15th slide which was given in previous lesson, - 3_May lecture notes-. • After running the related code, make the following changes: • Explain the important lines (as the color green) constituting the input-output concepts of that application, which were define in java.io package. For example:BufferedOutputStream, FileOutputStream, writeBytes, flush()……..... • Change your class name as “FirstSecurity” • Change your directory which you will write your manuscript in it as “mycheck” • Change your note in the frame as two different lines as follows: You successfully wrote your manuscript to the - ….- file in your computer \n You can share it with your fiends
Laboratuar Study cont’d • Change the method which implements the writing process to the object dos as follows one by one, then explain the differences. • write ( byte[] b, int off, int len); http://stein.cshl.org/jade/distrib/docs/java.io.OutputStream. Html & • writeChars (String s); & • write(byte[] b); & • write(int i);
Laboratuar Study cont’d //*The following code lines helps to create a sample buffer *of bytes by first making a String and then using the *getBytes() method to extract the byte array equivalent */ //* FileOptputStream creates an OutputStream that we can use * to write bytes to a file */ …………………………………………. String source = "Ayse went to school"; int length= source.length(); byte buffer[] = source.getBytes(); …………………………………… dos.write(length); dos.write(buffer);
Laboratuar Study cont’d "Now is the time for all good mento come to the aid of their countryand pay their due taxes.” • Write the statement above as three different lines to the file named dos. • Compare the following three different code lines results on the file dos and write the differences for each ones ……………………................. for (int i =0; i < buffer. length; i += 2) dos.write(buffer[i]); ............................................ and …………………..................... dos.write(buffer); ……………………..................... and ………………………................................... dos.write(buffer,buffer.length/4,buffer.length/4); ………………………………….................. and -------------------------------------- dos.write(buffer, buffer.length-buffer.length/4, buffer.length/4); -------------------------------------
Appletviewer // Create a file called writeFile.html with the following //contents <html><title> Java Security Example: Writing Files</title><h1> Java Security Example: Writing Files </h1><hr><APPLET CODE = writeFile.class WIDTH = 500 HEIGHT = 50 ></APPLET><hr></html> Running the applet: appletviewer writeFile.html
applet viewer -- applets subject to security manager by default
Running the Applet • In contrast to what would happen with an application, the applet generated an exception • since the applet is subject to the security manager by default. • If it is required,the installation can be governed by a customizable policy,. • Running the following command line: • appletviewer -J"-Djava.security.policy=all. policy" writeFile.html • Wouldallow modification of the file (tmpfoo) • since this was permitted in accordance with the policy file.
Example Creating a window from an applet
import java.awt.*; import java.applet.*; public class myWindow extends Applet { public void init() { new DialogFrame("Java Security FAQ Example"); } public class DialogFrame extends Frame { DialogFrame(String title) { super(title); setLayout(new FlowLayout()); add(new Label("Dismiss?")); add(new Button("Yes")); add(new Button("No")); resize(300, 100); show(); } public boolean action(Event e, Object arg) { String label = (String)arg; if (label.equals("Yes")) { dispose(); } return true; } }}
Creating a New Policy File • We use policytool to create or editan existing policy file. • The following is an example of a policy file created using policytool. • It grants two permissions. • It grants code signed by Duke permission to read files located in the user's home directory. • It also grants code from the location http://someserver/myjar.jar (regardless of who signed it) to read the file.encoding system property. > policytool -file .policy keystore ".keystore"; grant signedBy "Duke" {permission java.io.FilePermission "${user.dir}/-", "read"; }; grant codeBase "http://someserver/myjar.jar" { permission java.util.PropertyPermission "file.encoding", "read"; }
Managing Policy Files • By default, the JDK uses the policy files located in file:${java.home}/lib/security/java.policy file:${user.home}/.java.policy • These policy files are specified in the default security file: ${java.home}/lib/security/java.security • The final policy is the union of all granted permissions in all policy files. • To specify an additional policy file, you can set the java.security.policy system property at the command line: > java -Djava.security.manager – Djava.security.policy=someURLMyApp or >appletviewer-J-Djava.security.policy=someURLHTMLfile
Managing Policy Files cont’d • To ignore the policies in the java.security file, and only use the specified policy, use `==' instead of `=': > java –Djava.security.manager - Djava.security.policy==someURLMyApp
Specifying an Additional Policy File at Runtime • It is also possible to specify an additional or a different policy file when invoking execution of an application. • This can be done via the "-Djava.security.policy" command line argument, • which sets the value of the java.security.policy property. For example, if you use java -Djava.security.manager -Djava.security.policy=someURL SomeApp • where someURL is a URL specifying the location of a policy file • Then the specified policy file will be loaded in addition to all the policy files that are specified in the security properties file.
Specifying an Additional Policy File at Runtimecont’d • If we want to pass a policy file to the appletviewer, then we can use a "-J-Djava.security.policy" argument as follows: appletviewer -J-Djava.security.policy=someURL myApplet Please note: The "-Djava.security.policy" policy file value will be ignored (for both java and appletviewer commands) if the "policy.allowSystemProperty" property in the security properties file is set to false. The default is true.
Policy File Syntax • The policy configuration file(s) for a SDK installation specify • what permissions (which types of system resource accesses) are allowedby code from specified code sources. • In order for an applet (or an application running under a security manager) to be allowed to perform • secured actions (such as reading or writing a file), • the applet (or application) must be granted permission for that particular action. • In the default Policy implementation • that permission must be granted • by a grant entry in a policy configuration file. • A policy configuration file essentially contains a list of entries. • It may contain a "keystore" entry, and contains zero or more "grant" entries.
Keystore Entry • A keystoreis a database of private keys and their associated digital certificates such as X.509 certificate chains • authenticating the corresponding public keys. • The keytool utility is used to create and administer keystores. • The keystore specified in a policy configuration file is used to look up the public keys of the signers specified in the grant entries of the file. • A keystore entry must appear in a policy configuration file • if any grant entries specify signer aliases
Listing all Aliases in a Key Store try { // Load the keystore in the user's home directory File file = new File(System.getProperty("user.home") + File.separatorChar + ".keystore"); FileInputStream is = new FileInputStream(file); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); String password = "my-keystore-password"; keystore.load(is, password.toCharArray()); // List the aliases Enumeration enum = keystore.aliases(); for (; enum.hasMoreElements(); ) { String alias = (String)enum.nextElement(); // Does alias refer to a private key? boolean b = keystore.isKeyEntry(alias); // Does alias refer to a trusted certificate? b = keystore.isCertificateEntry(alias); }
is.close(); }catch (java.security.cert.CertificateException e) { } catch (NoSuchAlgorithmException e) { } catch (FileNotFoundException e) { // Keystore does not exist } catch (KeyStoreException e) { } catch (IOException e) { } The aliases can also be listed using keytool: > keytool -list -storepass my-keystore-password
Retrieving a Certificate from a Key Store try { // Load the keystore in the user's home directory FileInputStream is = new FileInputStream(System.getProperty("user.home") + File.separatorChar + ".keystore"); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(is, "my-keystore-password".toCharArray()); // Get certificate java.security.cert.Certificate cert = keystore.getCertificate("myalias"); } catch (KeyStoreException e) { } catch (java.security.cert.CertificateException e) { } catch (NoSuchAlgorithmException e) { } catch (java.io.IOException e) { }
Adding a Certificate to a Key Store /** This method adds a certificate with the specified */ alias to the specified keystore file. public static void addToKeyStore(File keystoreFile,char[]keystorePassword, String alias, java.security.cert.Certificate cert) { {try { // Create an empty keystore object KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); // Load the keystore contents FileInputStream in = new FileInputStream(keystoreFile); keystore.load(in, keystorePassword); in.close(); // Add the certificate keystore.setCertificateEntry(alias, cert);
// Save the new keystore contents FileOutputStream out = new FileOutputStream(keystoreFile); keystore.store(out, keystorePassword); out. close(); } catch (java.security.cert.CertificateException e) { } catch (NoSuchAlgorithmException e) { } catch (FileNotFoundException e) { // Keystore does not exist } catch (KeyStoreException e) { } catch (IOException e) { } }
The interaction of key classes • The KeyPairGenerator class generates keys from scratch. • With no input (or, possibly, input to initialize it to a certain state), the generator can produce one or more pairs of keys. • The KeyFactory class translates between key objects and their external representations which may be either a byte array or a key specification; this translation goes bothways
Generating a Public/Private Key Pair try { // Generate a 1024-bit Digital Signature Algorithm (DSA) key pair KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA"); keyGen.initialize(1024); KeyPair keypair = keyGen.genKeyPair(); PrivateKey privateKey = keypair.getPrivate(); PublicKey publicKey = keypair.getPublic(); // Generate a 576-bit DH key pair keyGen = KeyPairGenerator.getInstance("DH"); keyGen.initialize(576); keypair = keyGen.genKeyPair(); privateKey = keypair.getPrivate(); publicKey = keypair.getPublic();
// Generate a 1024-bit RSA key pair keyGen = KeyPairGenerator.getInstance("RSA"); keyGen.initialize(1024); keypair = keyGen.genKeyPair(); privateKey = keypair.getPrivate(); publicKey = keypair.getPublic(); } catch (java.security.NoSuchAlgorithmException e) { }