Java 7 security mechanisms and the use of self-signed certificates
Created on 2013-11-13
Updated on 2014-5-8
To enhance security, Java has added several security features as of 1.7.45. The META-INF/MANIFEST.MF file in a JAR package describes the configuration and security information of the JAR file, and seven security attributes can be explicitly defined in the added security information.
1 Permissions attribute. It verifies that the permissions the RIA requests at run time match the permissions set when the JAR file was generated, which prevents others from redeploying a signed program and running it under different permissions. The value can be set to sandbox or all-permissions; a signed JAR defaults to all-permissions and an unsigned one defaults to sandbox.
Sandbox: Enables applets or Webstart to run in a sandbox, isolated from the local environment.
Manifest-Version: 1.0
...
Permissions: sandbox
...
The Permissions value defined in MANIFEST.MF must be consistent with the permissions parameter of the applet tag (sandbox):
<applet ...>
<param name="permissions" value="sandbox"/>
</applet>
all-permissions: Enables unsigned applets or Web Start applications to access the local environment without restriction.
Manifest-Version: 1.0
...
Permissions: all-permissions
...
The Permissions value defined in MANIFEST.MF must be consistent with the permissions requested for the applet (all-permissions), for example in the JNLP file:
<?xml version="1.0" encoding="UTF-8"?>
<!-- JNLP file for the application -->
<jnlp ...>
<security>
<all-permissions/>
</security>
</jnlp>
The value set must be consistent with the applet tag or the JNLP security attributes; the application is blocked when they are inconsistent. If there is no Permissions attribute, a warning with a yellow exclamation mark, stating that the Permissions attribute is missing, pops up when the security level in the Java Control Panel is high or medium, and it cannot be hidden. The application is blocked when the security level is very high.
You can remove the yellow-background reminder by adding the Permissions attribute.
Suppose the MANIFEST.txt file is in the classes directory:
Permissions: all-permissions
Application-Name: SSC File Transfer
Caller-Allowable-Codebase: https://127.0.0.1
Application-Library-Allowable-Codebase: https://127.0.0.1
Codebase: https://127.0.0.1
Trusted-Only: true
Trusted-Library: true
Run:
cd d:\workspaces\eclipse_main\filebrowserapplet\bin
jar cvfm Filebrowser.jar MANIFEST.txt cn
2 Codebase attribute
Restricts the JAR's code base to the specified domain names, which prevents malicious redeployment of the application at unauthorized addresses.
Value | Matches | Does not match
* | All domains |
https://*.example.com | https://a.example.com, https://a.b.example.com | http://a.example.com, http://a.b.example.com
www.example.com | https://www.example.com, http://www.example.com | http://example.com, http://example.net
www.example.com:8085 | https://www.example.com:8085, http://www.example.com:8085 | http://www.example.com
*.example.com | https://a.example.com, http://a.example.com, https://a.b.example.com, http://a.b.example.com, https://example.com, http://example.com | http://example.net
127.0.0.1 | http://127.0.0.1, http://127.0.0.1:8080, http://127.0.0.1:80 | http://localhost
127.0.0.1:8080 | http://127.0.0.1:8080 | http://127.0.0.1, http://127.0.0.1:80
The Codebase attribute must match the actual address the applet runs from. If there is no Codebase attribute, a warning is displayed in the console and the code base given in the applet tag or JNLP file is used. If you do not define a rule that matches on HTTPS, the application may be intercepted and attacked by a man-in-the-middle.
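The matching rules in the table above, written out as an added example (this is not the JRE's matching code and not code from the original article). It assumes that multiple entries are space separated and that an entry with a scheme but no port accepts any port; the function names are illustrative.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_entry(entry):
    """Split one Codebase entry into (scheme, host, port); None means 'any'."""
    scheme = None
    if "://" in entry:
        scheme, entry = entry.split("://", 1)
        scheme = scheme.lower()
    host, _, port = entry.split("/", 1)[0].partition(":")
    return scheme, host.lower(), int(port) if port else None

def host_matches(pattern, host):
    """'*.example.com' covers example.com and any subdomain depth, as in the table."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def codebase_allows(value, url):
    """True if the deployment URL is covered by the Codebase attribute value."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    port = target.port or DEFAULT_PORTS.get(target.scheme)
    for entry in value.split():            # assumption: entries are space separated
        if entry == "*":
            return True                    # wildcard: every domain, http included
        scheme, pattern, want_port = parse_entry(entry)
        if scheme is not None and scheme != target.scheme:
            continue
        if want_port is not None and want_port != port:
            continue
        if host_matches(pattern, host):
            return True
    return False

if __name__ == "__main__":
    # A scheme-less entry accepts plain http, which is the exposure noted above.
    print(codebase_allows("www.example.com", "http://www.example.com"))       # True
    print(codebase_allows("https://*.example.com", "http://a.example.com"))   # False
```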
3 Application-Name attribute: Used to display the name of the signed application in the security dialog box.
Application-Name: Hello World
If the Application-Name attribute is not set, a warning is displayed in the console and the value of the entry class (Main-Class) attribute is used instead.
4 Application-Library-Allowable-Codebase attribute
Defines the addresses at which the signed applet may be used. When the JAR is at a different address from the JNLP file or the HTML page, these addresses are displayed in the address field of the security dialog box. Set the attribute to the addresses of the JAR, JNLP and HTML files, separated by spaces.
If the applet's JAR file is at the same address as the JNLP file and the HTML page, the attribute does not need to be set.
Application-Library-Allowable-Codebase: https://host.example.com *.samplehost.com/apps
5 Caller-Allowable-Codebase attribute
Determines the addresses from which JavaScript may invoke the applet. Set the value to the addresses of the pages whose JavaScript calls the applet; a call is blocked if the address of the calling JavaScript is not listed.
If the Caller-Allowable-Codebase attribute is not set, a security prompt pops up when JavaScript attempts to invoke the applet, and the user decides whether or not to block the call.
In addition, there is a compatibility problem between the Trusted-Library attribute and the Caller-Allowable-Codebase attribute. In Java 7u45 the Trusted-Library class loader becomes the parent class loader for all libraries, whereas in previous versions all trusted libraries were loaded into a separate, single class loader. As a result, under Java 7u45 a JAR that sets Trusted-Library must also set Caller-Allowable-Codebase, or a warning pops up.
Application-Name: ...
Codebase: *
Caller-Allowable-Codebase: *
Permissions: all-permissions
Tested JVMs:
Java 6u20 (OK)
Java 7u21: must contain Trusted-Library, otherwise warning
Java 7u25: must contain Trusted-Library, otherwise warning
Java 7u40: must contain Trusted-Library, otherwise warning
Java 7u45 (OK)
Java 7u55 (OK)
When JavaScript invokes an applet, the JavaScript must be located at the same address as the main JAR file.
In 1.7.55, when * alone is used as the Caller-Allowable-Codebase value, calling the applet from JavaScript displays a security warning box that lets the user choose Allow or Block and offers an option to remember the choice. If the user chooses to remember it, the warning box is no longer displayed when the RIA starts.
6 Trusted-Only attribute
Used to block untrusted class files or resources from being loaded by the applet. Setting this attribute to true blocks the use of untrusted components, so you need to sign all class files and components and use all-permissions.
Trusted-Only: true
7 Trusted-Library attribute
Used for applets that are designed to allow untrusted components: no warning dialog box pops up when the applet loads untrusted class files or resources. Setting this attribute to true blocks the use of untrusted components, so you need to sign all class files and components and use all-permissions. In a mixed-code applet, all privileged classes and resources must carry the Trusted-Library attribute, which is used for calls between privileged code and sandboxed code.
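The warnings described for the attributes above can be checked before deployment. The following is an added example, not code from the original article: it reads the main section of a JAR's manifest and reports the missing or loose attributes. Treating every entry that does not start with https:// as loose is this example's own policy, and the function names and sample manifests are constructed for illustration.

```python
import io
import zipfile

def read_main_attributes(jar_bytes):
    """Main-section attributes of META-INF/MANIFEST.MF, names lower-cased."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                        # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]      # continuation of a wrapped value
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.strip()
    return attrs

def audit(attrs):
    """Warnings the article describes for missing or loose attributes."""
    findings = []
    if attrs.get("permissions") not in ("sandbox", "all-permissions"):
        findings.append("Permissions missing or invalid")
    if "application-name" not in attrs:
        findings.append("Application-Name missing")
    for name in ("codebase", "caller-allowable-codebase"):
        loose = [e for e in attrs.get(name, "").split() if not e.startswith("https://")]
        if name not in attrs:
            findings.append(f"{name} missing")
        elif loose:
            findings.append(f"{name} not pinned to https: {' '.join(loose)}")
    if "caller-allowable-codebase" in attrs and attrs.get("trusted-library", "").lower() != "true":
        findings.append("Caller-Allowable-Codebase without Trusted-Library (warns on 7u21-7u40)")
    return findings

def make_jar(manifest_text):             # constructed, unsigned, in-memory JAR
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed samples modelled on the wildcard and the pinned manifests in this article.
LOOSE = "Manifest-Version: 1.0\nCodebase: *\nCaller-Allowable-Codebase: *\nPermissions: all-permissions\n"
PINNED = ("Manifest-Version: 1.0\nPermissions: all-permissions\nApplication-Name: SSC File Transfer\n"
          "Codebase: https://127.0.0.1\nCaller-Allowable-Codebase: https://127.0.0.1\nTrusted-Library: true\n")

if __name__ == "__main__":
    for text in (LOOSE, PINNED):
        print(audit(read_main_attributes(make_jar(text))))
```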
If the website's certificate is not valid, the JRE pops up a warning dialog box when it verifies that the website is not trusted; the dialog cannot be hidden and reports that the site's certificate is invalid. For temporary use, click the "Continue" button.
If the certificate of the signed file is not valid, a warning box pops up and cannot be hidden. For temporary use, select "I accept the risk and want to run this application".
When the certificate is invalid, or when Caller-Allowable-Codebase is * and JavaScript invokes the applet, a warning box is displayed; for temporary use, click "Yes".
1.7.55 added an option to remember the chosen action as the default.
After testing and verification, there are five ways to solve the problem of the pop-up warning boxes:
First: downgrade the JRE to a version earlier than 1.7.25.
Second: sign with a digital certificate from a CA that Java recognizes.
The effect is as shown at http://docs.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html
Third: add the self-signed certificate store and certificate on the client.
Add the applet certificate to the Signer CA store to avoid the unknown-publisher warning.
Fourth: on Windows, import the certificate into the Trusted Root Certification Authorities store; this is only valid for the IE browser.
Fifth: modify the trust.cacert file in the Java security directory under the user's %appdata%.
Add the website certificate to the Secure Site certificates. It is recommended that the website certificate be the same as the applet certificate, to prevent a warning that the connection to the website is not trusted.
You can avoid the prompt box at run time by adding the applet certificate to the trusted certificates.
Reference:
1. Java and digital signatures
http://www.blogjava.net/sylilzy/articles/javaadndigtalsign.html
2. Oracle: the official Java digitally signed plugin
http://docs.oracle.com/javase/tutorial/deployment/applet/deployingApplet.html
3. Oracle: enhanced security attributes
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#codebase
4. Oracle: official manifest documentation
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#codebase
5. Oracle: official 7u45 release notes
http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html