Java developers need to be more conscious on security aspect while doing Java application development. The article gives some insight for such security aspect.
As a standardized development platform, Java has tools that support securing its "distributable." For Java ARchive (JAR) files, the concept is called JAR signing. Signing a JAR is no different from signing a document; the signature merely verifies that the JAR is valid content and you are aware of what is in it. When publishing an application over the Internet or simply developing applications that can be run in an Internet environment, employing JAR signing can ensure security.
How Does Signing Work?
Signing is a digital method of telling the user of a file that you are the creator or that you are aware of its contents and that they are safe to use. The most important requirement is for a mechanism to indicate that the contents of the file have not changed or been modified. When the user knows that the file is from a trusted source, he or she can rely on it for the features that it offers.
As an example, say you are monitoring the stock market using an online application, maybe an applet. While the applet is just displaying data, you are absolutely fine with it. However, at some point, the applet requests permission to save content and write to your disk. Granting permission for this operation seems risky, because you don't know what the applet will do to your local file system. You are safe though, because by default applets are controlled by the Java runtime, and not allowed to perform any operation (such as writing a file, modifying contents of files, etc.) on a local system.
However, suppose you want the applet to write to your disk in this case. That brings up the question of credibility; you would provide or grant permissions to the applet to perform activities on the local system if you knew its source. Enter the public and private key infrastructure, which resolves this trust issue. The public key (which, as its name indicates, is available publicly) can verify a signature made by a private key, and a private key can be verified only by a corresponding public key.
But how can you be sure the public key is from a trusted source, as it claims? The verification process closes the loop here. Companies specialize in the verification business and support this requirement. These trustworthy companies award certificates that declare who owns a given public key.
Getting back to JARs, when a JAR is signed, the public key becomes part of it. Anyone who wants to use the JAR can rely on the public key to verify the JAR's trustworthiness and to be doubly sure that the public key is using a certificate.
To summarize, if your application needs the capability to access resources outside the JVM, sign it. The user can then decide to grant your application the required permission to perform its intended actions.
- Related Videos
- Related Articles
- Ask / Related Q&A
- Importance of Web Application Development-J2EE
- What to Look for in a Hyper-effective Team of J2ee Developers
- Outsourcing Java development to India
- Offshore Website Development
- Establishing Java Code: the Future of Software Development
- Web Development Using Java Technologies
- Software Development in Vietnam
- Outsourced Product Development
More than calling and Texting!
By: Rapidsoft | 08/12/2009The concept of a mobile phone itself has become different! These days, mobile phones serve not only the purpose of communication. A small, tiny handset device can give you much that can be beyond your imagination.
Spotting a Genuine Search Engine Optimization Company
By: kayla tyler | 08/12/2009Those in the know will advice people who are just about to launch their new website that it is more important to acquire the service of a search engine optimization company than to spend time analyzing which design template will work best for their website.
Stay Away from Ineffective SEO Companies
By: kayla tyler | 08/12/2009This is the age of online marketing and advertisement thus the constant demand for a search engine marketing company that is capable of providing an array of services that range from search engine optimization (SEO) to pay per click ads management.
How to Convert FLV video to MP3 for iTunes or Garageband on Mac OS X
By: terryly | 08/12/2009If you have some FLV files but you only get the audio but no video, you can compromise by extract audio from it and then listen to it. You might want to extract MP3 audio from FLV format episodes or a movie to iTunes for playback on your iPod, as ringtones for iPhone, or to create your own masterpiece in Garageband. The question is: how to convert FLV to MP3 for iTunes or Garageband
Blackberry Application Development – A Latest Trend in Market
By: Daviodjones035 | 07/12/2009The above article, by and large brings forth the facts that led to the immediate success and popularity of Blackberry pagers and now, mobile phones. The establishment of which has led to an immense increase in the Blackberry Mobile Application Development and software market.
IEEE 1588 Time Protocol Promises More Accurate Time Synchronisation
By: Richard n Williams | 07/12/2009Despite being around for over twenty years, the current favoured time protocol by most networks, NTP (Network Time Protocol) has some competition.
Change Your Lifestyle with New iPhone App Development
By: Vimal Mistry-seo | 07/12/2009The computing world is shrinking from big computers to desktop to laptop to palmtop and now to mini mobile devices, may be with no limits. Arrival of iPhone in the market has created the buzz like never before.
AJAX CascadingDropdown in Asp.Net
By: pons_saravanan | 07/12/2009A pure webservice based cascading dropdown list developed using ASP.Net.