This directory contains the sample code for my JavaOne 2002 presentation.

README             This file.
build.bat          A Windows bat file to build the examples.
build.sh           A shell script to build the examples.
build.xml          The ant project file.
certs.ks           The keystore containing certificates.
private_keys.ks    The keystore containing private keys.
project.dtd        The ant dtd file.
testPolicy         A policy file giving AllPermission to code in the src
                   directory.
javadoc/           The directory where the javadoc is generated.
src/               The directory containing the example source code.

The keystore private_keys.ks contains the private keys used for
signing. It holds the following keys:

Owner                  Issuer           Comment
root_ca1               root_ca1         Root certificate 1
root_ca2               root_ca2         Root certificate 2
delegated_ca           root_ca1         Delegated CA, signed by CA 1
by_ca1                 root_ca1         Certificate signed by CA 1
by_ca2                 root_ca2         Certificate signed by CA 2
by_delegated_ca        delegated_ca     Certificate signed by Delegated CA
expired                root_ca1         Expired certificate

The certs.ks keystore contains four certificates:
root_ca1
root_ca2
delegated_ca
by_ca2

The test runs unsigned code and code signed by by_ca1, by_ca2,
by_delegated_ca and expired. It uses the certs.ks keystore.

As can be seen from the example output, the permissions assigned are
based on a CA in the by_ca1 and by_delegated_ca runs. Note that the
certificates of the parties that signed code are not in the keystore
used. The standard security policy does not allow this.

The run by_ca2 gets its permissions directly and the unsigned and
expired runs do not get permissions to enter the VM at all. Please
check TestMain.java for the role assignments used. The output of a
sample run is attached below.

Run                    Alias found in key store     Role
unsigned               null                         NOTHING
by_ca1                 root_ca1                     All
by_ca2                 by_ca2                       ENTER
by_delegated_ca        delegated_ca                 READER
expired                root_ca1                     -
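
The lookup summarised in the table above, as an added example (not code
from the src/ directory): walk the signer's chain upwards and let the
first certificate found in the keystore decide the role. The names
ChainRoleLookup and resolveRole, the command-line arguments, the JKS
keystore type and the single-signer jar are assumptions; the role map
is copied from the table, not from TestMain.java.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added illustration; class and method names are hypothetical.
public class ChainRoleLookup {
    // Alias-to-role mapping copied from the README table.
    static final Map<String, String> ROLES =
        Map.of("root_ca1", "All", "by_ca2", "ENTER", "delegated_ca", "READER");

    // Walk the chain from the signer upwards; the first certificate that is
    // present in the keystore decides the role. Returns null to deny.
    static String resolveRole(KeyStore trusted, Certificate[] chain) {
        if (chain == null) return null;                    // unsigned code
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            try {
                cert.checkValidity();                      // expired or not yet valid
                String alias = trusted.getCertificateAlias(cert);
                if (alias != null) return ROLES.get(alias);
                if (i + 1 == chain.length) return null;    // nothing trusted in chain
                cert.verify(chain[i + 1].getPublicKey());  // must be issued by the next one
            } catch (GeneralSecurityException e) {
                return null;                               // broken or expired chain
            }
        }
        return null;
    }

    // Assumed usage: java ChainRoleLookup <jar> <entry> <keystore> <password>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");         // assumed keystore type
        try (InputStream in = new FileInputStream(args[2])) {
            ks.load(in, args[3].toCharArray());
        }
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            JarEntry entry = jar.getJarEntry(args[1]);
            try (InputStream in = jar.getInputStream(entry)) {
                in.readAllBytes();                         // certs are set after a full read
            }
            System.out.println(args[0] + " -> " + resolveRole(ks, entry.getCertificates()));
        }
    }
}
```

On current JDKs the default jdk.jar.disabledAlgorithms setting may treat
jars signed with SHA1withDSA, as in the sample run, as unsigned; the
chain is then null and the lookup denies.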

To build the sample code, ant needs to be available. The following build
targets are available:

    ./build.sh              Build everything and run test code
    ./build.sh program      Build program code
    ./build.sh test.jar     Build various test jars
    ./build.sh runtest      Run the test code
    ./build.sh doc          Build the javadoc

This code is provided as is, for demonstration purposes only.

Copyright Tryllian and Otto Moerbeek, 2002.

Hope you find the samples instructive.

Otto Moerbeek <otto@tryllian.com>

Example run

% ./build.sh

Buildfile: build.xml

init:

program:
Compiling 1 source file

javadoc:
Generating Javadoc
Javadoc execution
Loading source files for package net.drijf.javaone...
Constructing Javadoc information...
Building tree for all the packages and classes...
Building index for all the packages and classes...
Building index for all classes...

test.jar:
Compiling 1 source file
Building jar: /Users/otto/cvs/javaone/test.jar
Deleting: /Users/otto/cvs/javaone/test/Test.class
Copying 1 file to /Users/otto/cvs/javaone
Signing Jar : /Users/otto/cvs/javaone/test_by_ca1.jar
Copying 1 file to /Users/otto/cvs/javaone
Signing Jar : /Users/otto/cvs/javaone/test_by_ca2.jar
Copying 1 file to /Users/otto/cvs/javaone
Signing Jar : /Users/otto/cvs/javaone/test_by_delegated_ca.jar
Copying 1 file to /Users/otto/cvs/javaone
Signing Jar : /Users/otto/cvs/javaone/test_expired.jar

runtest:

=== Running with jarfile = test.jar ===
=== Trying to load class ===
Exception in thread "main" java.lang.ClassNotFoundException: Class test.Test denied ClassLoadPermission; URL = file:test.jar; Certificate list is []
	at net.drijf.javaone.DelegatingCL.findClass(DelegatingCL.java:70)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:297)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:253)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:195)
	at net.drijf.javaone.TestMain.main(TestMain.java:57)
Java Result: 1

=== Running with jarfile = test_by_ca1.jar ===
=== Trying to load class ===
=== Code has permissions === java.security.Permissions@7bc00c (
 (java.security.AllPermission <all permissions> <all actions>)
)
===
=== Trying to read file ===
=== File contains: This directory contains the sample code for my JavaOne 2002 presentation. ===
=== Trying to create thread ===
=== Thread created ===
=== Trying to exit VM ===
=== Trying to exit VM did not work! ===
=== Trying to set security manager ===
Exception in thread "main" java.lang.SecurityException: You may not set a security manager
	at net.drijf.javaone.StrictSecurityManager.checkPermission(StrictSecurityManager.java:103)
	at java.lang.System.setSecurityManager0(System.java:221)
	at java.lang.System.setSecurityManager(System.java:213)
	at net.drijf.javaone.TestMain.main(TestMain.java:85)
Java Result: 1

=== Running with jarfile = test_by_ca2.jar ===
=== Trying to load class ===
=== Code has permissions === java.security.Permissions@3e407c (
 (net.drijf.javaone.ClassLoadPermission test.Test)
)
===
=== Trying to read file ===
Exception in thread "main" java.security.AccessControlException: access denied (java.io.FilePermission README read)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
	at java.security.AccessController.checkPermission(AccessController.java:399)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
	at net.drijf.javaone.StrictSecurityManager.checkPermission(StrictSecurityManager.java:96)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
	at java.io.FileInputStream.<init>(FileInputStream.java:61)
	at test.Test.tryToReadFile(Test.java:20)
	at net.drijf.javaone.TestMain.main(TestMain.java:68)
Java Result: 1

=== Running with jarfile = test_by_delegated_ca.jar ===
=== Trying to load class ===
=== Code has permissions === java.security.Permissions@3e407c (
 (java.io.FilePermission - read)
 (net.drijf.javaone.ClassLoadPermission *)
)
===
=== Trying to read file ===
=== File contains: This directory contains the sample code for my JavaOne 2002 presentation. ===
=== Trying to create thread ===
Exception in thread "main" java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
	at java.security.AccessController.checkPermission(AccessController.java:399)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
	at net.drijf.javaone.StrictSecurityManager.checkPermission(StrictSecurityManager.java:96)
	at net.drijf.javaone.StrictSecurityManager.checkAccess(StrictSecurityManager.java:53)
	at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:279)
	at java.lang.Thread.init(Thread.java:265)
	at java.lang.Thread.<init>(Thread.java:332)
	at test.Test.tryToCreateThread(Test.java:27)
	at net.drijf.javaone.TestMain.main(TestMain.java:71)
Java Result: 1

=== Running with jarfile = test_expired.jar ===
=== Trying to load class ===
NotAfter: Sat Dec 29 08:59:42 CET 2001
Exception in thread "main" java.lang.ClassNotFoundException: Class test.Test denied ClassLoadPermission; URL = file:test_expired.jar; Certificate list is [[
[
  Version: V1
  Subject: CN=expired, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam
  Signature Algorithm: SHA1withDSA, OID = 1.3.14.3.2.27

  Key:  Sun DSA Public Key
    Parameters:DSA
	p:     827dd49c a2056984 e98371b1 340d5d71 839285b2 5acaa382 d7ac386e 9440843f
    0a467aa8 75a8c1ca 3b70ba6a 970712f6 b199ed3e ec5313f3 940a67bb d69f3872
    2961ab02 3d17a133 3c52235d 9fb7d10e 95e3a55e f9b04fc7 c920c572 da7ac3d5
    0f240dbb 8e54da9e bb702111 c53582e5 35852e9f 593979b3 3250c886 83961917
	q:     fa5079da fa3f3ab1 e80a6df5 bd16f224 d8f8d71b 
	g:     4fbdf52e 3304f051 c17ca55c 9381b5c1 7d4c2050 76853450 cfd9fc72 b2e1b2b1
    6fa01048 b8ff17e7 a90ae1e0 18053e34 d9d561df 714cc8dc 92b151b5 df665970
    6b5e57c3 19a2d658 3b7d32d2 e9e1f166 3eaaac46 0dcd4e67 7036f7f9 be0b2e16
    a05d695d 5b8113a9 03cb3863 561abd36 4a5d6c15 6617fa10 a32099e1 d2347713

  y:
    7898a56e 8b5a7844 a9406fa7 9ee91e01 e38d7bce 00759d35 ecfdce0f 497b8dc5
    31727dd3 f75946d0 aa53570c 5d47488f c11b5443 8b8d3e6a 15d443fc 0312a579
    f5722d84 7a2840be 7e44c1b1 ea97acb5 4085abda 94733aa8 fe07cba6 be5c1489
    97568b8b bce35725 6b46c78e be174b8c f04057d1 8ee8ca99 c11aef0e b7259794

  Validity: [From: Thu Nov 29 08:59:42 CET 2001,
               To: Sat Dec 29 08:59:42 CET 2001]
  Issuer: CN=root_ca1, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam
  SerialNumber: [    eb119abf 72]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2D 02 15 00 83 3E 4E   FA 61 18 EF D8 F5 F5 A1  0-....>N.a......
0010: 43 FA F6 C1 A1 17 D1 06   7D 02 14 3A 4E 68 9B A1  C..........:Nh..
0020: 76 5F 5B 74 73 B6 1D B8   66 12 78 F5 08 38 38     v_[ts...f.x..88

],[
[
  Version: V1
  Subject: CN=root_ca1, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam
  Signature Algorithm: SHA1withDSA, OID = 1.3.14.3.2.27

  Key:  Sun DSA Public Key
    Parameters:DSA
	p:     827dd49c a2056984 e98371b1 340d5d71 839285b2 5acaa382 d7ac386e 9440843f
    0a467aa8 75a8c1ca 3b70ba6a 970712f6 b199ed3e ec5313f3 940a67bb d69f3872
    2961ab02 3d17a133 3c52235d 9fb7d10e 95e3a55e f9b04fc7 c920c572 da7ac3d5
    0f240dbb 8e54da9e bb702111 c53582e5 35852e9f 593979b3 3250c886 83961917
	q:     fa5079da fa3f3ab1 e80a6df5 bd16f224 d8f8d71b 
	g:     4fbdf52e 3304f051 c17ca55c 9381b5c1 7d4c2050 76853450 cfd9fc72 b2e1b2b1
    6fa01048 b8ff17e7 a90ae1e0 18053e34 d9d561df 714cc8dc 92b151b5 df665970
    6b5e57c3 19a2d658 3b7d32d2 e9e1f166 3eaaac46 0dcd4e67 7036f7f9 be0b2e16
    a05d695d 5b8113a9 03cb3863 561abd36 4a5d6c15 6617fa10 a32099e1 d2347713

  y:
    7a4fa276 d626e60f cb0af7e0 e46e9950 42e146db 1b3a0979 7928c842 c6047df8
    77e142d7 333bbe43 8c1eb717 6bfeb811 d4e23dab 14b52c6b f5acd5c4 f66ed854
    236fc687 fcaa6a6c ee61ff36 28b68fd8 fbe98947 83a61224 1ecc92fc 0d5f5d64
    2647683b 38594461 61bb5483 6672a817 d7c6a4a1 bee1d99e a718d8f8 2692d262

  Validity: [From: Wed Dec 26 11:35:56 CET 2001,
               To: Sun Dec 26 11:35:56 CET 2004]
  Issuer: CN=root_ca1, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam
  SerialNumber: [    eb02b75a e6]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 2A 04 0A 01   7A 2F C3 27 E8 04 41 CD  0,..*...z/.'..A.
0010: 61 EC 8B D2 5A 62 1C D1   02 14 65 6A 79 34 FA 3B  a...Zb....ejy4.;
0020: AE BF 21 FA C7 BF 20 0B   EA 05 D7 26 57 47        ..!... ....&WG

]]
	at net.drijf.javaone.DelegatingCL.findClass(DelegatingCL.java:70)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:297)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:253)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:195)
	at net.drijf.javaone.TestMain.main(TestMain.java:57)
Java Result: 1

all:

BUILD SUCCESSFUL

Total time: 23 seconds


