WWDC2001 Session 509

Transcript

All right, it's my great little announcement, we got lost there: MRJ 2.2.5 is done. For those of you still working with that, it should be available early next week, sometime next week.

So we're going to talk about security features on OS X for Java, and specifically we've got a couple of questions we want to answer today. These are questions we've seen on java-dev, through DTS, and in sort of informal conversations as well. First of all, is there any difference between what Apple did as far as Java security is concerned and what Sun did on Windows and Solaris? Second of all, will my signed applet work on OS X? And last of all, we don't integrate with Internet Explorer like we did on 9, so how do you get a secure connection? We'll talk about all these things today. Specifically, I'm going to give you an introduction to the Java 2 security model, plus the very few OS X specific details that there are about it. We're going to talk about how to sign jar files so they work with Internet Explorer on OS X and the Windows version of Netscape, and finally how to make a secure connection without Internet Explorer, one that's included in your application. And finally I'll give you some tips for how to debug security problems in your code, if you ever get an exception that you don't know how to deal with.

First, a little bit of news as far as how the security management for Java on OS X works. The security architecture is completely identical to other platforms. We've made no changes there, no compromises; there are no things you have to leave out to get your security-related code working on OS X. There's no support for extra features such as jar signing, jar caching or any of those other things in the applet launcher or the command-line applet viewer. We want to keep those two tools, Applet Launcher and appletviewer, as close to the baseline appletviewer that's available on all platforms. The signed applet support is the same as what you get in MRJ, and we'll talk about exactly what that means, but what it means is that if you signed an applet for MRJ it will continue to work in OS X.

So let's talk a little bit about the old 1.1.x security model and the way things used to work. First of all, security was an all-or-nothing proposition. You could either sign your jar or your application and get full access, or it had no access at all. This is good or bad depending on your point of view. The sandbox restrictions on an applet were just way too limiting for real work, particularly in a corporate environment. If you deliver your code as an applet and you want to be able to write to the user's hard drive, for example, you had to sign the applet; you had to jump through a lot of hoops just to do something pretty basic in an environment that you control. Security checks were not easily extensible, and by that we mean that if you wanted to add a new permission, add something new to what your code could do, it was really a pain in the butt to do it. You had to write a whole new security manager, you had to carefully construct it so that your code knew about that security manager, just a lot of work that really shouldn't have been necessary. A locally installed applet is too easily trusted: if I download an applet to my hard drive, there's nothing that says that applet can't wipe out my drive just as easily as an application could. So the new model doesn't assume that there's trusted code. Security managers are too easily broken, and in 1.1 very often security was determined by the current stack depth, and if you make a change somewhere in your code that relies on that stack depth, that change has suddenly broken your security model. That's really more fragile than it ought to be.

So going forward we have the new Java 2 security model. It's a policy-based architecture; I'll talk a little bit about what policy-based means in a minute. You get a collection of permissions specified for a particular codebase, and we'll see examples of that in the system-wide Java policy. Code is granted permission to perform certain actions based on where it came from. So what you do is you can specify a particular applet or a particular application and give it different abilities than you would any other piece of code on your system, and give it different abilities than any other application or Java application. Finally, no code is trusted by default regardless of location. This is probably the biggest change between Java 2 and Java 1.1: just because you put it on your hard drive doesn't mean it's automatically trusted. If you put your jar in /lib/ext it is fully trusted; that's the only location.

So here's what a policy file entry looks like. What you'll see is we have the grant, and the signedBy, and a codeBase, and the signer name. As you see, signedBy signer name appears both in the grant and for the particular permission. The signer names are aliases that come out of your keystore, so if you import some certificates and you want to associate those certificates with particular permissions, that's how you make the linkage. Another thing I want to point out is we have a permission: permission class name, target name and action. Target name and action are thought of as arguments, if you will, to the permission. So for example you'll have something called a property permission, and the target name is the name of the property that you want to allow access to, and the action is what the code can do to that property: it can read it or write it, for example.

OK, if we go to the first demo machine here, I'm going to show you what java.policy looks like on the default system, I'm sorry, the system-wide policy. If you take a look here, in the first section we see this grant with no arguments to it; that means that any code has these permissions assigned to it. In particular, any code is allowed to listen on a socket on port 1024 or above. We have this list of property permissions that you're allowed to get at, java.version, line.separator, things like that, and down here at the end we have the Apple-specific properties, in particular mrj.version; we think it's important that you should still be able to know what version of MRJ you're looking at. And finally the last one is com.apple.macos.useScreenMenuBar, and this is used in Swing to get the menu bar to appear where you want it to appear, up at the top of the screen. I can't remember right now exactly; I think by default it's false, but the important thing is that you can set it to where you want to and there won't be any issues. Now, if your code is cross-platform and you do set either of those last two properties, you may get a security exception on another system. That's not a big deal; all you have to do is wrap that setProperty call with a try-catch block and catch the security exception that comes back. You just know if it's a security exception for that particular property, big deal, go on and continue on in your code. So these are some examples of permissions and what they look like. You can create your own permissions; we won't get into that in this session, but know what's in here and be aware when you need to use them in your code. Let's go back to the slides please.

So there are a number of ways you establish the policy on OS X. You can do it in any of these three ways, and in any combination. There's a system-wide policy, which I just showed you in the last demo, and that's stored in the Java home directory, which is /Library/Java/Home, and then you continue on through lib/security/java.policy; that's where that file lives. You can set it on a per-user basis: in your home directory, if you create a file called .java.policy and put in any number of permissions, those will be added on to the default system-wide set. And finally you can set it on a per-application basis; you can bundle a policy spec inside your Java app, and we'll show in a little bit how you would go about doing that. And this is important: policy files do not supersede each other. They're always additive. So if I put things in my .java.policy, I suppose it's possible to get contradictory permissions, but they would just add together. So if something in the default policy only allows you read access, you could theoretically add on write access and stomp over everything, so you have to watch what you're doing.

So as an example we're going to look at Jini. We took a lot of heat because Jini, which is a distributed environment, didn't work at all in the public beta. It does work in the GM; I believe it works very well, I mean we've gotten good feedback about that. So we've got two applications, one that wraps up the basic providers and another one that's the simple service browser. The browser needs its own policy file; there are a number of additional permissions that are needed for that to run. We can do everything in MRJAppBuilder, and if we head back over to the demo machine I'll show you how we do that.

So there's the Jini services application, just to show that's running. Here we have MRJAppBuilder, and what I've done is I've set up the main class here and the Jini examples, just like you do in any other MRJAppBuilder app. If you look over here on the Java properties page you'll see down here I've specified java.security.policy. That's probably unreadable now; it's java.security.policy and then the name of the policy file. And one thing to note, which is actually pretty important: if you notice that the class path says Contents/Resources/, while the java.security.policy property is jinibrowser.policy, so there's no additional path information. When you bundle it, all the jars and the policies will all be together in one directory, and the way that we load the class it's not necessary to specify that extra path information. To show you briefly what that policy file looks like, I'll open it up here. OK, and here I've granted on a global basis the additional ability to connect and accept connections on localhost, or actually to any server; that's what the star means. And again, I can connect to anybody's web server on port 80. Down here I have the Jini-specific properties; in specific, I've granted the ability to connect and accept on the multicast ports, and I've also got the permission to use the discovery permission properties. When I do that I can bundle everything up with MRJAppBuilder, and I've already done that for you here. If we cross our fingers, the browser is going to identify all these services running on this machine. I say cross your fingers because, as those of you who've worked with networking know, you need to specify a hostname, and we don't have DNS set up for these guys, so hopefully this will show up something. Wow, look at that, it did find it. Great. OK, so there you go, Jini's up and running, and if that's something you're interested in, go ahead, OS X is a great platform for developing for it. So let's go back to the slides please.

OK, why should you care? This is new stuff to learn, and what we're going to learn today is not going to be enough to completely learn everything there is to learn about security, so why should you take the extra effort? Policy files make sense when you have control over the environment. In a corporate setting, you've got your own machines that you have control over, where you can set the environment to your liking; then you should consider using the policy file instead of going to the extra hassle of signing your application or signing your code. In-house apps, special-purpose networking such as Jini, as I showed before, intranet applets: if you deliver your code with an applet, instead of going through the trouble of signing it you can just say this applet has full permissions, or this applet has permission to read and write files off the disk. What if you can't control it? Say you want to send out something that's available to everybody; you may put it out on the Internet proper. If that's what you're going to do, then you need to use a signed jar file.

So we talked about signed jar file support on OS X. It's available in the OS X embedded Java; that's in Internet Explorer, that's the only place that's available. You'll get a pop-up dialog to let the user validate the signer; you'll see a demo of that in a few minutes. It continues to support jar files that were signed for MRJ 2.2.x; that's the old DSA with the Identity object. Those things continue to work. With some extra setup work we will support RSA-signed applets; we'll talk about what that means here and on the next slide. And if your certificate is based on a VeriSign or Thawte certificate, that will also work on OS X; you'll get identical support to what you get on Internet Explorer and Navigator. So what I mean by a little bit of extra work: well, there's two things you can do. You can install the Java Secure Socket Extension 1.0.2; that gives you the RSA provider that you need to read and understand the RSA signature, and to do the signing for that matter. Or you could copy sunrsasign.jar from a Windows installation, from the JRE; that's a pure Java file, it will just come over and work just fine on X. Signed jar files get full execution permission, and using the lingo of what we've been talking about for Java 2 security, that's the equivalent of java.security.AllPermission. As far as what used to work in MRJ, you get the same behavior that you have when you sign a jar file on MRJ. You can use either Java 2's code signing tools from the command line, or you could use the Netscape signing tools if that's something you've done in the past. There's currently no control panel, so to speak, for the management of certificates. Apple's got a lot of good technologies for managing certificates and keys and things like that now, and we're going to be looking at integrating those in the future. No promises; we need to think about the right way to handle this, but we're not going to do just a simple straightforward copy of what you saw on Windows with the plugin. In particular, now I'd like to bring up Ted, who's going to show you how to do jar signing on OS X.

Good morning, happy Friday. So let's clean this up a little bit. How many of you have signed applets on MRJ? Yeah, that was fun, huh? So on Mac OS X it's much easier: you look at the books for Unix and it's the same thing. Just clean this up a little bit. So I'm going to start out actually with the keystore, create the keystore. Let me remove one. OK, great, there's none in there, and let me just type this in right now. We're going to generate the keystore; the keystore is where your certificates are stored. So I use keytool, and what we're going to do is generate a key, and we're going to use the alias, let's see, "smooth", a friend of mine, and we're going to use the RSA algorithm. So this goes through and it'll ask you for your default keystore password, and for this I'm just going to use "keystorepswd". I wouldn't recommend that for most actual secure environments. It'll ask for your name. This whole thing it's going through: when you're generating a certificate, the certificate carries with it the information about who you are and all that, so I'll go ahead and use my name, Apple, I work in DTS, developer tech support, in Cupertino, California, and that's US. Yes, that's all correct. It takes a few seconds to do this; it's generating large numbers, and it just goes through and generates the keystore. So since this is done, what I'll show you then is a project I've generated. I can put it up on the sample code if people like. What it'll do is, we're going to go ahead and leave my password to be the same as the general keystore. I'll put this up on the sample code. So basically what I just did is created the keystore with an RSA certificate, and what this project will do is go ahead and take that certificate and generate a simple hello world applet that I changed to actually get the user directory, which is normally not allowed. Let's bring that up, actually; it's probably hidden down here, and for some reason Project Builder isn't liking me, so let's go ahead and just quit Project Builder and bring this up again. So what this project does is it generates an applet and it will sign it for you, so you don't have to go through all the headache. What I've generated is, in the target, I have a shell script that goes ahead and signs the jar with the alias "smooth" and the keystore password. I have it set up also so that smooth has a separate password; you could add that to the end and it'll pass that all in to the jar signing tool. So that makes it much easier than the old MRJ signing process. So right now it's going through, and if I can bring this down a little bit, see, it's building the thing, and then right here it just went through and signed the jar for you. So that's much easier than it was on Mac OS 9. So we'll go back here into the build and I'll just show you really quick, bring this up in IE. Now for this you're going to need the new IE that came out on Software Update; you also need to install the Java Secure Socket Extension, but once you do that, then all of a sudden you can just send applets over the web, go ahead and grant them, and there you go, it has access to user apple. Thank you.

[Applause]

So you see it's a lot easier than it used to be, and hopefully we'll get fewer questions about how to do this. Now let's talk a little bit about how you go about debugging problems with security on OS X. You can find out why you're getting security exceptions. I still run into this all the time; when I was doing all my demos for this talk I would get things like "oh, you don't have this property permission," and I'd say, well, what do you mean? I just put it in the policy file, what do you mean I don't have permission? So I'd pull my hair out for a little bit, and then I set the property java.security.debug. In specific, "help" will tell you all the available options, but the one I used to debug the problems with my demos, as I said, is setting it equal to "policy". The cool thing about that is that it will go through every policy that's currently defined for your current application, on the user level and at the system level, and dump all the policies currently in effect, so you can see what permissions are set and what Java thinks the permissions currently are. OK, another good thing to check is debug equal to "access", and that will show you all the permission checks that are going on through your code. If you open up the Console window, if you're running an MRJAppBuilder or Project Builder built application, go to the Console and you'll be able to see all these things dumped out. If you're running a command-line app it'll just spew out on the Terminal window. I don't know that this is thoroughly documented anywhere, but if you start with debug equal to "help" you'll get the whole list of options that are available to you. Along with "access" you can add "stack" or "failure", and it'll give you more detail in the stack to show you where the problem actually happened in your code and to show you what permission it was trying to grant when it wasn't available to your code.

It's also possible to use the Java 2 security features to tell it to test your signed applet even before you go to the effort of signing it. Now, if you're basing it on commercially based security, it takes a little bit of time to get that certificate; that doesn't stop you from doing your work. Create a file called .java.policy in your home directory (this will set it on the user basis again) and add this entry: grant codeBase and the path to your jar file, permission java.security.AllPermission. You'll effectively have the same thing as when you do sign your applet; that's the exact same permission that you're going to get when the user accepts your certificate. OK, you'll be able to see these in the slides later on in the video, and I've also posted this to java-dev, so if you search around the archives you'll find this as well.

Let's switch gears now and we'll talk about how to do secure connections in MRJ, or talk about secure connections in general. First let's talk about what you had available to you in MRJ. In MRJ you could only make a secure connection that was based around the URLConnection, and even then you could only do it inside of IE 5, and even then it was buggy. You can make secure connections on OS X using the Java Secure Socket Extension. That's a pure Java implementation of SSL v3; it also supports TLS, which is the more open standard of SSL. Go to java.sun.com/products/jsse and you'll get all the information you need on how to download it and how to install it. You're basically copying three jars over to your /lib/ext directory and modifying a security file. You can also bundle it into your application; they're just jar files, you can attach it to your application without any intervention on the user's part. The JSSE is what's called a non-commercial reference implementation, which means it works well enough as far as Sun's concerned, but it doesn't have a full-blown set of documentation, support and all the goodies that come along with a real product. The main purpose of JSSE is to establish the API that will be used going forward for secure sockets, so if you write to the API that comes along with this package you'll be good for future versions that may be better, or third-party solutions that will be available, hopefully, based on this API. Pay attention to what you download: the U.S. and Canada version will allow third parties to write their own RSA implementations and plug those into the JSSE architecture. The international version has the same strength of encryption, I believe they both have 128-bit encryption, but the international version will not allow you to plug in somebody else's RSA implementation; for example, you can only use what Sun will ever provide.

OK, I want to briefly show you an example of an application that's bundled in SSL and how it would work, and that's something called Secure FTP. You can get this from www.glub.com. Unfortunately, due to some networking problems I'm not going to be able to show you how to do an actual secure FTP. They're also going to be, in the future, making little wrappers so you can make a secure FTP server out of the default FTP server that's built in to OS X. So as you can see this is actually a pretty good-looking Aqua application; it's got some internal frames, it actually looks like an application on OS X. To show you what you can do with it: you can specify where you want to go to, username and password over here, you can set whether you're going to use SSL or not, use a secure connection, passive FTP, and encrypt what you're getting, and a proxy if you need one to do the actual communication. This actually ends up being a less than interesting demonstration, but it is a good example of how you can use SSL in your application; it's demonstrating that you can use SSL in an application, not just in an applet. Another example of an application is Moneydance, which will also use secure connections, I would assume to talk to your bank to download the financial information into your local data. So we'll go back to the slides and we'll actually talk about how you can do this in your code now.

So what can you do with JSSE? You can create an HTTPS-based URL connection the same way you do now; it's almost identical, there's like one or two extra steps that you need to do. You can create a secure connection at the socket API level, so you can get back a socket that's got a secure connection backing it and talk to it just the same way as you would a plain socket. And again, once you have that socket or URL connection, you talk to it exactly the same way as you do now. So how do you use it? Well, there's a couple of ways you can do it. There's three jars that you bundle into your application; I'm going to talk about the case where you bundle the jars in with your app, because I think that's going to be the most common use of this package. OK, what you need to do next is, in the first line of your code, or near the beginning of your code, you want to register the SSL provider with the security system, and the way you do that is you create an instance of that big long ugly package name, create the SSL provider, and register it with addProvider. Now what you do next depends on what you're going to try to accomplish with JSSE. For an HTTPS connection the first thing you have to do is define this property, java.protocol.handler.pkgs, and what this will do is add that handler package to the search path when we look up a URL connection. You can either do this on the command line, if you're just writing a command-line app, you can set it in your app's property file with MRJAppBuilder, or you can set it explicitly with setProperty in your code. Before I continue on secure sockets, I'm going to show you some code that does that.

If we go to the demo machine here, we had to quit Project Builder, so I'll open up again. OK, so we'll take a look here, and I've written a very, very simple application that's going to fetch the home page from amazon.com, which supports secure connections, and there you see the URL I'm using to do it. If you look down here, this doFetch method is the actual interesting piece of code that's doing all the work. If you didn't know that this was an SSL demonstration, that could be any very standard URLConnection code: we open the stream, get the input stream, and we're going to just count how many lines we get back from it. However, if you look up here, here's that line where I do the addProvider that I mentioned before, and here's where I set the property that says to look in the SSL package for the protocol handler. Instead of spewing out all the lines that we get back, I'm going to run this and I'm going to show you one of the characteristics of JSSE. It is running; it looks like we're hung, but that's because when JSSE starts up for the first time in your app it's spending some time generating keys and working with SecureRandom. What I've done in this code is I actually do a fetch twice, and there you see we've got some results. So the first time it took, what is that, about 18.4 seconds to fetch 3500 lines, and the second time it took 1.6. So the first time you use a connection it's going to be kind of slow, but after that you get pretty good performance out of it. OK, so the secret to HTTPS connections is these two lines right here, once you install JSSE. OK, let's go back to the slides.

All right, now we'll talk about the other case, which is the secure socket case. It's very similar to a plain socket, but again with just a few extra steps to get your code to use a secure connection. You need to get an instance of the SSLSocketFactory; JSSE introduces a new factory method of obtaining sockets, and the default one that comes with it will generate secure sockets. You ask the factory to create an SSL socket to a specific host, and at that point you've basically got a socket, a Java socket, and you can talk to it just as you would any other socket. You can get an input or output stream on the socket and just start pumping data in or out of it. So let's again go back to the demo machine example. All right, and again here's the magic line of code to register the SSL provider with the security architecture. I'm going to get the default SSLSocketFactory; when you import javax.net.ssl.*, that's where you'll get the SSL factory. I'm going to ask it to create a socket to amazon.com on the secure port of 443. You might want to read these comments, which talk about some of the problems; if you run into an SSL error along the way, you want to look at PrintWriter.checkError, and that's how you'll get back the error that was generated. Next I call socket.startHandshake. I think the SSL socket will do it by default, but you can do it manually, because that way you'll be able to see the I/O exceptions that happen. Once I've got that socket, from this point on I've basically got ordinary socket code, and once again it's almost identical to using an ordinary socket. So let's run that and I'll show you what happens here. Again, we're going to have a little bit of startup time, but what this is going to do is make a connection to amazon.com and report back all the headers that we get back in response to it. There you go, so we actually found it, we got a cookie back I think, and we actually see that it was an HTTPS connection. So there you go, it's very easy to do this stuff. I have to admit, the first time I looked at that I thought it can't be that easy, but it actually is. I don't claim to be an SSL expert; I don't know the guts of its internal implementation or anything like that, but I know I don't have to, which I think is a good thing. OK, let's go back to the slides.

Here's some resources for JSSE; I'll give you a chance to write all these down. The best place to start is the JSSE home page, java.sun.com/products/jsse, and there was an excellent article earlier this year in Dr. Dobb's about using JSSE. In particular there was a good discussion about generating certificates that you can use with JSSE to create a server, meaning you can be a recipient of an SSL connection, not just a client of an SSL session, and it's actually a very good article about how to do the housekeeping and get that to happen. We can go back later on if you haven't written this down, or you can look at it in the slides in a little bit.

OK, so what's next? I would recommend that if security in Java is something that's important to you, go out and get a book on the topic. Sun has published a really good book on the security architecture; if you look on amazon.com you'll find at least ten books now on Java 2 security. I would get one and read it and learn how to write your own permissions, how to work with the security architecture. Install JSSE if you haven't done so already; it'll get you the RSA provider that you need, it's available right now, and you can start figuring out how to use it. But before you do any of that, we've got the Java feedback forum right after this in J1, so please come to that if you've got any questions and give us feedback on all the great sessions we've had this year. Now we'll take questions.
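As an added example (not code from the session or from Apple), here is a small JSSE 1.0.x-style client that does the two things the talk walks through: registering the provider and handler package, then an HTTPS URLConnection and a raw SSLSocket with an explicit handshake. It assumes the JSSE jars are on the classpath or in /Library/Java/Home/lib/ext, and the hostname (a placeholder here) serves HTTPS on port 443.

```java
// Added example, not from the session. Assumes JSSE 1.0.x is installed and that
// the host passed on the command line (placeholder default below) speaks HTTPS on 443.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.URL;
import java.net.URLConnection;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SecureFetch {

    /** The two setup lines the talk describes: register the SSL provider, then the HTTPS handler package. */
    public static void installJsse() {
        // Register the JSSE provider with the security system (the "big long ugly package name").
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        // Put the SSL handler package on the search path used when a URL connection is looked up.
        try {
            System.setProperty("java.protocol.handler.pkgs",
                               "com.sun.net.ssl.internal.www.protocol");
        } catch (SecurityException e) {
            // Running under a policy without PropertyPermission for this key: the same
            // property can be supplied on the command line or in the app's properties instead.
            System.err.println("cannot set java.protocol.handler.pkgs: " + e.getMessage());
        }
    }

    /** HTTPS over a URLConnection: ordinary URL code once the handler is installed. Returns the line count. */
    public static int fetchLineCount(String httpsUrl) throws IOException {
        URLConnection conn = new URL(httpsUrl).openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        int lines = 0;
        while (in.readLine() != null) {
            lines++;
        }
        in.close();
        return lines;
    }

    /** Raw SSL socket: default factory, explicit handshake so failures surface as IOException here,
     *  then plain HTTP over the socket. Returns the response header lines. */
    public static List headersOverSslSocket(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake(); // certificate or protocol problems throw here, not on first read

        PrintWriter out = new PrintWriter(socket.getOutputStream());
        out.print("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n");
        out.flush();
        if (out.checkError()) { // PrintWriter swallows IOExceptions; checkError reports them
            socket.close();
            throw new IOException("write to " + host + " failed");
        }

        BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
        List headers = new ArrayList();
        String line;
        while ((line = in.readLine()) != null && line.length() > 0) {
            headers.add(line);
        }
        in.close();
        socket.close();
        return headers;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "www.example.com"; // placeholder host
        installJsse();

        // Fetch twice: the first call pays JSSE's one-time key and SecureRandom setup cost.
        long t0 = System.currentTimeMillis();
        int first = fetchLineCount("https://" + host + "/");
        long t1 = System.currentTimeMillis();
        int second = fetchLineCount("https://" + host + "/");
        long t2 = System.currentTimeMillis();
        System.out.println("first fetch: " + first + " lines in " + (t1 - t0) + " ms");
        System.out.println("second fetch: " + second + " lines in " + (t2 - t1) + " ms");

        List headers = headersOverSslSocket(host, 443);
        for (int i = 0; i < headers.size(); i++) {
            System.out.println(headers.get(i));
        }
    }
}
```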