WWDC2001 Session 509
Transcript
Kind: captions
Language: en
All right, a great little announcement that got lost there: MRJ 2.2.5 is done. For those of you still working with that, it should be available early next week, sometime next week.

So we're going to talk about security features on OS X for Java, and specifically we've got a couple of questions we want to answer today. These are questions we've seen on java-dev, through DTS, and in informal conversations as well. First of all, is there any difference between what Apple did as far as Java security is concerned and what Sun did on Windows and Solaris? Second of all, will my signed applet work on OS X? And last of all, we don't integrate with Internet Explorer like we did on 9, so how do you get a secure connection? We'll talk about all these things today. Specifically, I'm going to give you an introduction to the Java 2 security model plus the very few OS X-specific details that there are about it. We're going to talk about how to sign jar files so they work with Internet Explorer on OS X and the Windows version of Netscape, and finally how to make a secure connection without Internet Explorer, including it in your application. And finally I'll give you some tips for how to debug security problems in your code if you ever get an exception that you don't know how to deal with.

We have a little bit of news as far as how security management in Java on OS X works. The security architecture is completely identical to other platforms. We've made no changes there, no compromises; there are no things you have to leave out to get your security-related code working on OS X. There's no support for extra features such as jar signing, jar caching or any of those other things in the Applet Launcher or the command-line appletviewer. We want to keep those two tools, Applet Launcher and appletviewer, as close to the baseline appletviewer that's available on all platforms.

The signed applet support is the same as what you get in MRJ, and we'll talk about exactly what that means, but what it means is that if you signed an applet in MRJ it will continue to work in OS X. So let's talk a little bit about the old 1.1 security model and the way things used to work.
First of all, security was an all-or-nothing proposition. You could either sign your jar or your application for full access, or it had no access at all. This is good or bad depending on your point of view. The sandbox restrictions on an applet were just way too limiting for real work, particularly in a corporate environment: if you deliver your code as an applet and you want to be able to write to the user's hard drive, for example, you had to sign the applet. You had to jump through a lot of hoops just to do something pretty basic in an environment that you control. Security checks were not easily extensible, and by that we mean that if you wanted to add a new permission, add something new to what your code could do, it was really a pain in the butt to do it. You had to write a whole new security manager; you had to carefully construct it so that your code knew about that security manager. Just a lot of work that really shouldn't have been necessary. A locally installed applet was too easily trusted. If I download an applet to my hard drive, there's nothing that says that applet can't wipe out my drive just as easily as an application could. So the new model doesn't assume that there's trusted code. Security managers were too easily broken, and in 1.1 very often security was determined by the current stack depth. If you make a change somewhere in your code that relies on that stack depth, and that changes, you've suddenly broken your security model. That's really more fragile than it ought to be.

So going forward we have the new Java 2 security model. It's a policy-based architecture; I'll talk a little bit about what policy-based means in a minute. You get a collection of permissions specified for a particular codebase, and we'll see examples of that in the system-wide Java policy. Code is granted permission to perform actions based on where it came from. So what you can do is specify a particular applet or a particular application and give it different abilities than you would any other piece of code on your system, and give it different abilities than any other application or Java application. Finally, no code is trusted by default, regardless of location. This is probably the biggest change between Java 2 and Java 1.1: just because you put it on your hard drive doesn't mean it's automatically trusted. If you put your jar in /lib/ext it is fully trusted; that's the only location.
So here's what a policy file entry looks like. What you'll see is we have the grant, the signedBy and a codeBase, and the signer name. As you see, signedBy signer-name appears both in the grant and for the particular permission. The signer names are aliases that come out of your keystore, so if you import some certificates and you want to associate those certificates with particular permissions, that's how you make the linkage. Another thing I want to point out is we have permission, the permission class name, target name and action. Target name and action are thought of as arguments, if you will, to the permission. So for example you'll have something called a property permission; the target name is the name of the property that you want to allow access to, and the action is what the code can do to that property: it can read it or write it, for example.

OK, if we go to the first demo machine here, I'm going to show you what java.policy looks like on the default system, I'm sorry, the system-wide policy. If you take a look here, in the first section we see this grant with no arguments to it. That means that any code has these permissions assigned to it, and in particular any code is allowed to listen on a socket on port 1024 or above. We have this list of property permissions that you're allowed to get at, you know, java.version, line.separator, things like that. Down here at the end we have the Apple-specific properties, in particular mrj.version; we think it's important that you should still be able to know what version of MRJ you're looking at. Finally, the last one is com.apple.macos.useScreenMenuBar, and this is used in Swing to get the menu bar to appear where you want it to appear, up at the top of the screen. I believe, I can't remember right now exactly, I think by default it's false, but the important thing is that you can set it to where you want it and there won't be any issues. Now, if your code is cross-platform and you do set either of those last two properties, you may get a security exception on another system. That's not a big deal: all you have to do is wrap that setProperty call with a try-catch block and catch the security exception that comes back. You just know that if it's a security exception for that particular property, no big deal, go on and continue on in your code. So these are some examples of permissions and what they look like. You can create your own permissions; we won't get into that in this session, but know what's in here and be aware of when you need to use them in your code. Let's go back to the slides please.
So there are a number of ways you can establish the policy on OS X. You can do it in any of these three ways, and in any combination. There's a system-wide policy, which I just showed you in the last demo, and that's stored in the Java home directory, which is /Library/Java/Home, and then you continue on through lib/security/java.policy; that's where that file lives. You can set it on a per-user basis: in your home directory, if you create a file called .java.policy and put in any number of permissions, those will be added on to the default system-wide set. And finally you can set it on a per-application basis; you can bundle a policy spec inside your Java app, and we'll show in a little bit how you would go about doing that. This is important: policy files do not supersede each other; they're always additive. So if I put things in my .java.policy, I suppose it's possible to get contradictory permissions, but they would just add together. So if something in the default policy only allows you read access, you could theoretically add on write access and stomp over everything, so you have to watch what you're doing.

So as an example we're going to look at Jini. We took a lot of heat because Jini didn't work. Jini is a distributed environment, and it didn't work at all in the public beta. It does work in GM, and I believe it works very well; we've gotten good feedback about that. So we've got two applications, one that wraps up the basic providers and another one that's the simple service browser. The browser needs its own policy file; there are a number of additional permissions that are needed for that to run. We can do everything in MRJAppBuilder, and if we head back over to the demo machine I'll show you how we do that.
So there's the Jini services application; I'll just show that that's running there. Here we have MRJAppBuilder, and what I've done is I've set up the main class here, the Jini examples, just like you do in any other MRJAppBuilder app. If you look over here on the Java properties page you'll see down here I've specified java.security.policy. That's probably unreadable now: it's java.security.policy and then the name of the policy file. One thing to note that's actually pretty important in this: if you notice, the classpath says Contents/Resources/, while the security policy property is just the Jini browser policy file name, so there's no additional path information. When you bundle it, all the jars and the policies will all be together in one directory, and the way that we load the class it's not necessary to specify that extra path information. To show you briefly what that policy file looks like, I'll open it up here.

OK. Here I've granted on a global basis the additional ability to connect and accept connections on localhost, or actually to any server, that's what the star means, and again I can connect to anybody's web server on port 80. Down here I have the Jini-specific properties, and in specific I've granted the ability to connect and accept on the multicast ports, and I've also got the permission to use the discovery permission properties. When I do that, I can bundle everything up with MRJAppBuilder, and I've already done that for you here. If we cross our fingers, the browser is going to identify all these services running on this machine. I say cross your fingers because, as those of you who have worked with networking know, you need to specify a hostname and we don't have DNS set up for these guys, so hopefully this will show up something. But wow, look at that, it did find it. Great. OK, so there you go, Jini's up and running, and if that's something you're interested in, go ahead; OS X is a great platform for developing for it. So let's go back to the slides please.
OK, why should you care? All right, this is new stuff to learn. What we're going to learn today is not going to be enough to completely learn everything there is to learn about security, so why should you take the extra effort? Policy files make sense when you have control over the environment: in a corporate setting you've got your own machines that you have control over, where you can set the environment to your liking, then you should consider using the policy file instead of going to the extra hassle of signing your application or signing your code, you know, in-house apps. Special-purpose networking such as Jini, as I showed before. Intranet applets: if you deliver your code with an applet, instead of going through the trouble of signing it you can just say this applet has full permissions, or this applet has permission to read and write files off the disk. What if you can't control it? Say you want to send out something that's available to everybody; you may put it out on the Internet proper. If that's what you're going to do, then you need to use a signed jar file.

So we talked about signed jar file support on OS X. It's available in the OS X embedded Java, that's in Internet Explorer; that's the only place it's available. You'll get a pop-up dialog to let the user validate the signer; we'll see a demo of that in a few minutes. It continues to support jar files that were signed for MRJ 2.2.x, that's the old DSA with the Identity object; those things continue to work with some extra setup work. We will support RSA-signed applets; we'll talk about what that means here and on the next slide. And if your certificate is based on a VeriSign or Thawte certificate, that will also work on OS X. You'll get identical support to what you get on Internet Explorer and Netscape Navigator.

So what do I mean by a little bit of extra work? Well, there are two things you can do: you can install the Java Secure Socket Extension 1.0.2, which gives you the RSA provider that you need to read and understand the RSA signature, and to do the signing for that matter, or you could copy sunrsasign.jar from a Windows installation, from the JRE. That's a pure Java file; it will just come over and work just fine on X. Signed jar files get full execution permission, and using the lingo of what we've been talking about for Java 2 security, that's the equivalent of java.security.AllPermission. As far as what used to work in MRJ, you get the same behavior that you have when you sign a jar file on MRJ. You can use either Java 2's code-signing tools from the command line, or you could use the Netscape signing tools if that's something you've done in the past. There's currently no control panel, so to speak, for the management of certificates. Apple's got a lot of good technologies for managing certificates and keys and things like that now, and we're going to be looking at integrating those in the future. No promises; we need to think about the right way to handle this, but we're not going to do just a simple straightforward copy of what you saw on Windows with the plugin in particular. Now I'd like to bring up Ted, who's going to show you how to do jar signing on OS X.

Good morning, happy Friday.
So let's clean this up a little bit. How many of you have signed applets on MRJ? Yeah, that was fun, huh? So on Mac OS X it's much easier: you look at the books for Unix and it's the same thing. Just let me clean this up a little bit. So I'm going to start out actually with the keystore, create the keystore; let me remove one. OK, great, there's none in there. Let me just type this in right now. We're going to generate the keystore; the keystore is where your certificates are stored. So I use keytool, and what we're going to do is generate a key, and we're going to use the alias, let's see, a friend of mine, and we're going to use the RSA algorithm. So this goes through and it'll ask you for your default keystore password, and for this I'm just going to use keystorepswd. I wouldn't recommend that for most actual secure environments. It'll ask for your name. This whole thing it's going through, when you're generating a certificate, the certificate carries with it the information about who you are and all that, so I'll go ahead and use my name, Apple; I work in DTS, Developer Technical Support, in Cupertino, California, and that's US. Yes, that's all correct. It takes a few seconds to do this; it's generating large numbers and just goes through and generates the keystore.

So now that this is done, what I'll show you then is a project I've generated; I can put it up on the sample code if people like. What it'll do is, we're going to go ahead and leave my password to be the same as the general keystore. I'll put this up on the sample code. So basically what I just did is created the keystore with a certificate, an RSA certificate, and what this project will do is go ahead and take that certificate and generate a simple hello world applet that I changed to actually get the user directory, which is normally not allowed. Let's bring that actually up; for some reason it's probably hidden down here, and for some reason Project Builder isn't liking me, so let's go ahead and just quit Project Builder and bring this up again. So what this project does is it generates an applet and it will sign it for you, so you don't have to go through all the headache and the whole thing. What I've generated is, in the target I have a shell script that goes ahead and signs the jar with the alias, smooth, and the keystore password. I have it set up also so that smooth has a separate password; you could add that to the end and it'll pass that all in to the jar signing tool. So that makes it much easier than the old MRJ signing process. So right now it's going through, and if I can bring this down a little bit, see, it's building the thing, and then right here it just went through and signed the jar for you. So that's much easier than it was on Mac OS 9. So we'll go back here into the build and I'll just show you really quick, bring this up in IE. Now for this you're going to need the new IE that came out on Software Update; you also need to install the Java Secure Socket Extension, but once you do that then all of a sudden you can just send applets over the web, go ahead, grant them, and there you go, it has access to /Users/apple. Thank you.

[Applause]

So you see it's a lot easier than it used to be, and hopefully we'll get fewer questions about how to do this now.
Let's talk a little bit about how you go about debugging problems with security on OS X. You can find out why you're getting security exceptions. I still run into this all the time; when I was doing all my demos for this talk I would get things like, oh, you don't have this property permission, and I'd say, well, what do you mean, I just put it in the policy file, what do you mean I don't have permission? So I'd pull my hair out for a little bit, and then I set the property java.security.debug. In specific, well, that'll tell you how to get all the available options, but the one I used to debug the problems with my demos was setting it equal to policy, and the cool thing about that is that it will go through every policy that's currently defined for your current application, at the user level and at the system level, and it will dump all the policies currently in effect, so you can see what permissions are set and what Java thinks the permissions currently are. OK, a good thing to check is debug equal to access, and that will show you all the permission checks that are going on through your code. If you open up the console window, well, if you're running an MRJAppBuilder or Project Builder-built application, go to the Console and you'll be able to see all these things dumped out; if you're running a command-line app it'll just spew out on the terminal window. I don't know that this is thoroughly documented anywhere, but if you start with debug equals help, you'll get the whole list of options that are available to you. Along with access you can add stack or failure, and it'll give you more detail in the stack to show you where the problem actually happened in your code and to show you what permission it was trying to grant when it wasn't available to your code. It's also possible to use the Java 2 security features to tell it to test your signed applet even before you go to the effort of signing it. Now, if you're basing it on a commercial certificate, it takes a little bit of time to get that certificate; that doesn't stop you from doing your work. Create a file called .java.policy in your home directory, you know, this will set it on the user basis again, and add this entry: grant the codeBase, the path to your jar file, permission java.security.AllPermission. You'll effectively have the same thing as when you do sign your applet; that's the exact same permission that you're going to get when the user accepts your certificate. OK, you'll be able to see these in the slides later on in the video, and I've also posted this to java-dev, so if you search around the archives you'll find this as well.
Let's switch gears now, and we'll talk about how to do secure connections in MRJ, or talk about secure connections in general. First let's talk about what you had available to you in MRJ. In MRJ you could only make a secure connection that was based around the URLConnection, and even then you could only do it inside of IE 5, and even then it was buggy.

You can make secure connections on OS X using the Java Secure Socket Extension. That's a pure Java implementation of SSL v3; it also supports TLS, which is the more open standard of SSL. Go to java.sun.com/products/jsse and you'll get all the information you need on how to download it and how to install it. You're basically copying three jars over to your /lib/ext directory and modifying a security file. You can also bundle it into your application; they're just jar files, you can attach them to your application without any intervention on the user's part. JSSE is what's called a non-commercial reference implementation, which means it works well enough as far as Sun's concerned, but it doesn't have a full-blown set of documentation, support, and all the goodies that come along with a real product. The main purpose of JSSE is to establish the API that will be used going forward for secure sockets, so if you write to the API that comes along with this package you'll be good for future versions that may be better, or third-party solutions that will be available, hopefully, based on this API. Pay attention to what you download: the U.S. and Canada version will allow third parties to write their own RSA implementations and plug those into the JSSE architecture. The international version has the same level of, that's what I'm looking for, the same strength of encryption, I believe they both have 128-bit encryption, but the international version will not allow you to plug in somebody else's RSA implementation, for example; you can only use what Sun provides.

OK, I want to briefly show you an example of an application that's bundled in SSL and how it would work, and that's something called Secure FTP. You can get this from www.glub.com, and unfortunately, due to some networking problems, I'm not going to be able to show you how to do an actual secure FTP. They're also going to be, in the future, making little wrappers, and you can make a secure FTP server out of your default FTP server that's built into OS X. So as you can see, this is actually a pretty good-looking Aqua application; it's got some internal frames, it actually looks like an application on OS X. To show you what you can do with it, you can specify where you want to go to, username and password, and over here you can set whether you're going to use SSL or not, use a secure connection, passive FTP, and encrypt what you're getting, if you need a proxy to do the actual communication. This actually ends up being a less than interesting demonstration, but it is a good example of how you can use SSL in your application; it's demonstrating that you can use SSL in an application, not just in an applet. Another example of an application is Moneydance, which will also use secure connections, I would assume, to talk to your bank to download the financial information into your local data.
So if we go back to the slides we'll actually talk about how you can do this in your code. Now, what can you do with JSSE? You can create an HTTPS-based URLConnection the same way you do now; it's almost identical, there's like one or two extra steps that you need to do. You can create a secure connection at the socket API level, so you can get back a socket that's got a secure connection backing it and talk to it just the same way as you would a plain socket. Again, once you have that socket or URLConnection, you talk to it exactly the same way as you do now. So how do you use it? Well, there are a couple of ways you can do it. There are three jars that you bundle into your application; I'm going to talk about the case where you bundle the jars in with your app because I think that's going to be the most common use of this package. OK, what you need to do next is, in the first line of your code, or near the beginning of your code, you want to register the SSL provider with the security system, and the way you do that is you create an instance of that big long ugly package name, create the SSL provider, and register it with addProvider.

Excuse me. Now what you do next depends on what you're going to try to accomplish with JSSE. For an HTTPS connection, the first thing you have to do is define this property, java.protocol.handler.pkgs, and what this will do is add that handler package to the search path when we look up a URLConnection. You can either do this on the command line, if you're just writing a command-line app, you can set it in your app's property file with MRJAppBuilder, or you can set it explicitly with setProperty in your code. Before I continue on to secure sockets I'm going to show you some code that does that. If we go to the demo machine here; we had to quit Project Builder, so I'll open it up again.

OK, so if we take a look here, I've written a very, very simple application that's going to fetch the home page from amazon.com, which supports secure connections, and there you see the URL I'm using to do it. If you look down here, this doFetch method is the actual interesting piece of code that's doing all the work. If you didn't know that this was an SSL demonstration, that could be any, you know, very standard URLConnection code: we open the stream, get the input stream, and we're going to just count how many lines we get back from it. However, if you look up here, here's that line where I do the addProvider that I mentioned before, and here's where I set the property that says to look in the SSL package for the protocol handler. Instead of spewing out all the lines that we get back, I'm going to run this and I'm going to show you one of the characteristics of JSSE. It is running; it looks like we're hung, but that's because when JSSE starts up for the first time in your app it's spending some time generating keys and, you know, working with SecureRandom. What I've done in this code is I actually do a fetch twice, and there you see we've got some results. So the first time it took, what is that, about 18.4 seconds to fetch 3500 lines, and the second time it took 1.6. So the first time you use a connection it's going to be kind of slow, but after that you get pretty good performance out of it. OK, so the secret to HTTPS connections is these two lines right here once you install JSSE. OK, let's go back to the slides.

All right, now we'll talk about the other case, which is the secure socket case. It's very similar to a plain socket, but again with just a few extra steps to get your code to use a secure connection. You need to get an instance of the SSL socket factory; JSSE introduces a new factory method of obtaining sockets, and the default one that comes with it will generate secure sockets. You ask the factory to create an SSL socket to a specific host, and at that point you've basically got a socket. You've got an SSL socket, and you can talk to it just as you would any other socket: you can get an input or output stream on the socket and just start pumping data in or out. So let's again go back to the demo machine example.
All right, and again here's the magic line of code to register the SSL provider with the security architecture, and I'm going to get the default SSL socket factory. When you import javax.net.ssl.*, that's where you'll get the SSL factory. I'm going to ask it to create a socket to amazon.com on the secure port of 443. You might want to read these comments, which talk about some of the problems; if you run into an SSL error along the way you want to look at PrintWriter.checkError, and that's how you'll get back the error that was generated. Next I call socket.startHandshake. I think the SSL socket will do it by default, but you can do it manually, because that way you'll be able to see the I/O exceptions that happen. Once I've got that socket, from this point on I basically have ordinary socket code, and once again it's almost identical to using an ordinary socket. So let's run that and I'll show you what happens here. Again we're going to have a little bit of startup time, but what this is going to do is make a connection to amazon.com, and we report back all the headers that we get back in response to it.

There you go. So we actually found it, and we got a cookie back, I think, and we actually see that it was an HTTP connection. So there you go; it's very easy to do this stuff. I have to admit the first time I looked at that I thought, it can't be that easy, but it actually is. I don't claim to be an SSL expert; I don't know the guts of its internal implementation or anything like that, but I know I don't have to, which I think is a good thing. OK, let's go back to the slides.

Here are some resources for JSSE. I'll give you a chance to write all these down. The best place to start is the JSSE home page, java.sun.com/products/jsse, and there was an excellent article earlier this year in Dr. Dobb's about using JSSE. In particular there was a good discussion about generating certificates that you can use with JSSE to create a server, meaning you can be a server, a recipient of an SSL connection, not just a client of an SSL session, and it's actually a very good article about how to do the housekeeping and get that to happen. We can go back later on if you haven't written this down, or you can look at it in the slides in a little bit.

OK, so what's next? I would recommend that if security in Java is something that's important to you, go out and get a book on the topic. Sun has published a really good book on the security architecture; if you look on amazon.com you'll find at least ten books now on Java 2 security. I would get one and read it and learn about how to write your own properties, how to work with the security architecture. Install JSSE if you haven't done so already; it'll get you the RSA provider that you need, and it's available right now and you can start figuring out how to use it. But before you do any of that, we've got the Java feedback forum right after this in J1, so please come to that if you've got any questions and give us feedback on all the great sessions we've had this year. For questions, Alan. See Alan.
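Added example, not code from the session or from Apple, in Java: a small program that writes a policy entry in the grant / codeBase / permission-class / target / action form the session describes, installs it alongside the system-wide java.policy, turns on the SecurityManager, and then checks a granted and an ungranted PropertyPermission, including the try/catch around setProperty recommended for cross-platform code. The class name PolicyDemo, the temporary policy file, and the choice of user.home as the granted property are assumptions of this example; com.apple.macos.useScreenMenuBar is the property named in the talk. It needs JDK 17 or earlier (on JDK 18 through 23 add -Djava.security.manager=allow) and must be compiled with javac first so that the class has a file: code base.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.util.PropertyPermission;

/*
 * Added example (not from the session). Compile with javac, then run:
 *   java PolicyDemo
 * on JDK 17 or earlier (JDK 18 to 23: add -Djava.security.manager=allow).
 * Add -Djava.security.debug=access,failure to watch each permission check.
 */
public class PolicyDemo {

    /** A policy entry in the grant / codeBase / permission form from the session's slide. */
    static String policyText(String codeBase) {
        return "grant codeBase \"" + codeBase + "\" {\n"
             + "    permission java.util.PropertyPermission \"user.home\", \"read\";\n"
             + "    permission java.util.PropertyPermission \"com.apple.macos.useScreenMenuBar\", \"read,write\";\n"
             + "};\n";
    }

    /** True if the policy in effect grants this permission to the calling code. */
    static boolean granted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    /** The cross-platform pattern from the talk: set the property, tolerate a SecurityException for it. */
    static boolean trySetProperty(String key, String value) {
        try {
            System.setProperty(key, value);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Where this class was loaded from, e.g. file:/home/me/classes/ or file:/home/me/app.jar.
        // Using that as the codeBase means the grant applies to this code and nothing else.
        String codeBase = PolicyDemo.class.getProtectionDomain().getCodeSource().getLocation().toString();

        Path policyFile = Files.createTempFile("demo", ".policy");   // assumption: a temp file stands in for ~/.java.policy
        Files.write(policyFile, policyText(codeBase).getBytes(StandardCharsets.UTF_8));

        // Same as -Djava.security.policy=<url>: the file is read in addition to the
        // system-wide java.policy, so the grants add up rather than replace each other.
        System.setProperty("java.security.policy", policyFile.toUri().toString());
        Policy.getPolicy().refresh();
        System.setSecurityManager(new SecurityManager());   // from here on every check goes through the policy

        // Granted by the entry above.
        System.out.println("read  user.home       : " + granted(new PropertyPermission("user.home", "read")));
        // Not granted by anything.
        System.out.println("write user.home       : " + granted(new PropertyPermission("user.home", "write")));
        // Granted to all code by the system-wide java.policy, which is still in effect.
        System.out.println("read  java.version    : " + granted(new PropertyPermission("java.version", "read")));
        System.out.println("write java.version    : " + granted(new PropertyPermission("java.version", "write")));
        // setProperty with and without a matching write grant; the exception is swallowed, not fatal.
        System.out.println("set useScreenMenuBar  : " + trySetProperty("com.apple.macos.useScreenMenuBar", "true"));
        System.out.println("set java.home         : " + trySetProperty("java.home", "/nowhere"));
    }
}
```

The double-equals command-line form, -Djava.security.policy==file, replaces the system-wide policy instead of adding to it, which is one way to avoid the additive stomp-over the speaker warns about when a per-user or per-application file widens a permission the system policy kept narrow.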
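Added example, not code from the session, in Java: the two JSSE paths the session describes, an HTTPS URLConnection that counts the lines it gets back, and a raw SSLSocket with an explicit startHandshake and a PrintWriter.checkError check, written against the javax.net.ssl API that ships in current JDKs. The two setup steps the talk mentions, registering the SSL provider with addProvider and setting java.protocol.handler.pkgs, were needed for the JSSE 1.0.2 add-on and are not needed on a modern JDK, where the https handler is built in. The class name SslDemo and the default host www.example.com are assumptions of this example; the program needs network access to whatever host you pass it, so nothing is embedded for offline use.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added example (not from the session). Usage: java SslDemo www.example.com
 * The host name is an assumption; network access to it is required.
 */
public class SslDemo {

    /** The URLConnection way: fetch https://host/ and count the lines of the body. */
    static int countLines(String host) throws IOException {
        // No provider registration or java.protocol.handler.pkgs on a current JDK; the https
        // handler is built in, and HttpsURLConnection checks the certificate's host name itself.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
        int lines = 0;
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            while (in.readLine() != null) {
                lines++;
            }
        }
        return lines;
    }

    /** The socket way: TLS handshake, then ordinary HTTP over the socket's streams. */
    static String responseHeaders(String host) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            // A bare SSLSocket validates the certificate chain but, unlike HttpsURLConnection,
            // does not check that the certificate is for this host unless you ask for it.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Explicit, so a handshake failure surfaces here as an IOException
            // rather than on the first read or write.
            socket.startHandshake();

            PrintWriter out = new PrintWriter(
                    new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.US_ASCII));
            out.print("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n");
            if (out.checkError()) {   // checkError flushes and reports a write failure
                throw new IOException("write to " + host + " failed");
            }

            StringBuilder sb = new StringBuilder();
            sb.append("peer: ").append(socket.getSession().getPeerPrincipal().getName()).append('\n');
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
            for (String line = in.readLine(); line != null && !line.isEmpty(); line = in.readLine()) {
                sb.append(line).append('\n');   // status line and headers, up to the blank line
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "www.example.com";   // assumption

        long t0 = System.nanoTime();
        int first = countLines(host);
        long t1 = System.nanoTime();
        int second = countLines(host);   // the talk's point: the second fetch is typically much faster
        long t2 = System.nanoTime();
        System.out.printf("first fetch: %d lines in %.2fs; second fetch: %d lines in %.2fs%n",
                first, (t1 - t0) / 1e9, second, (t2 - t1) / 1e9);

        System.out.print(responseHeaders(host));
    }
}
```

The endpoint-identification setting in responseHeaders is the check a practitioner most often forgets when moving from HttpsURLConnection to a raw SSLSocket: without it a valid certificate for any host the JVM trusts will pass the handshake.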