This directory contains the sample code for my JavaOne 2002 presentation. README This file. build.bat A Windows bat file to build the examples. build.sh A shell script to build the examples. build.xml The ant project file. certs.ks The keystore containing certificates. private_keys.ks The keystore containing private keys. project.dtd The ant dtd file. testPolicy A policy file given AllPermission to code in the src diretcory. javadoc/ The directory where the javadoc is generated. src/ The directory containing the example source code. The keystore private_keys.ks contains the private keys used for signing. The following keys: Owner Issuer Comment root_ca1 root_ca1 Root certificate 1 root_ca2 root_ca2 Root certificate 2 delegated_ca root_ca1 Delegated CA, signed by CA 1 by_ca1 root_ca1 Certificate signed by CA 1 by_ca2 root_ca2 Certificate signed by CA 2 by_delegated_ca delegated_ca Certificate signed by Delegated CA expired root_ca1 Expired certificate The certs.ks keystore contains four certificates: root_ca1 root_ca2 delegated_ca by_ca2 The test runs unsigned code and code signed by by_ca1, by_ca2, by_delegated_ca and expired. It uses the certs.ks keystore. As can been seen from the example output, the permissions assigned are based on a CA in the by_ca1 and by_delegated_ca runs. Note that the certificates of the parties that signed code are not in the keystore used. The standard security policy does not allow this. The run by_ca2 gets its permissions directly and the unsigned and expired runs do not get permissios to enter the VM at all. Please check TestMain.java for the used role assignments. The output of a sample run is attached below. Run Alias found in key store Role unsigned null NOTHING by_ca1 root_ca1 All by_ca2 by_ca2 ENTER by_delegated_ca delegated_ca READER expired root_ca1 - To build de sample code, ant need to be available. The following build targets available: ./build.sh Build everything and run test code ./build.sh program Build program code ./build.sh test.jar Build various test jars ./build.sh runtest Run the test code ./build.sh doc Build the javadoc This code is provided as is, for demonstration purposes only. Copyright Tryllian and Otto Moerbeek, 2002. Hope you find the samples instructive. Otto Moerbeek Example run % ./build.sh Buildfile: build.xml init: program: Compiling 1 source file javadoc: Generating Javadoc Javadoc execution Loading source files for package net.drijf.javaone... Constructing Javadoc information... Building tree for all the packages and classes... Building index for all the packages and classes... Building index for all classes... test.jar: Compiling 1 source file Building jar: /Users/otto/cvs/javaone/test.jar Deleting: /Users/otto/cvs/javaone/test/Test.class Copying 1 file to /Users/otto/cvs/javaone Signing Jar : /Users/otto/cvs/javaone/test_by_ca1.jar Copying 1 file to /Users/otto/cvs/javaone Signing Jar : /Users/otto/cvs/javaone/test_by_ca2.jar Copying 1 file to /Users/otto/cvs/javaone Signing Jar : /Users/otto/cvs/javaone/test_by_delegated_ca.jar Copying 1 file to /Users/otto/cvs/javaone Signing Jar : /Users/otto/cvs/javaone/test_expired.jar runtest: === Running with jarfile = test.jar === === Trying to load class === Exception in thread "main" java.lang.ClassNotFoundException: Class test.Test denied ClassLoadPermission; URL = file:test.jar; Certificate list is [] at net.drijf.javaone.DelegatingCL.findClass(DelegatingCL.java:70) at java.lang.ClassLoader.loadClass(ClassLoader.java:297) at java.lang.ClassLoader.loadClass(ClassLoader.java:253) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:195) at net.drijf.javaone.TestMain.main(TestMain.java:57) Java Result: 1 === Running with jarfile = test_by_ca1.jar === === Trying to load class === === Code has permissions === java.security.Permissions@7bc00c ( (java.security.AllPermission ) ) === === Trying to read file === === File contains: This directory contains the sample code for my JavaOne 2002 presentation. === === Trying to create thread === === Thread created === === Trying to exit VM === === Trying to exit VM did not work! === === Trying to set security manager === Exception in thread "main" java.lang.SecurityException: You may not set a security manager at net.drijf.javaone.StrictSecurityManager.checkPermission(StrictSecurityManager.java:103) at java.lang.System.setSecurityManager0(System.java:221) at java.lang.System.setSecurityManager(System.java:213) at net.drijf.javaone.TestMain.main(TestMain.java:85) Java Result: 1 === Running with jarfile = test_by_ca2.jar === === Trying to load class === === Code has permissions === java.security.Permissions@3e407c ( (net.drijf.javaone.ClassLoadPermission test.Test) ) === === Trying to read file === Exception in thread "main" java.security.AccessControlException: access denied (java.io.FilePermission README read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272) at java.security.AccessController.checkPermission(AccessController.java:399) at java.lang.SecurityManager.checkPermission(SecurityManager.java:545) at net.drijf.javaone.StrictSecurityManager.checkPermission(StrictSecurityManager.java:96) at java.lang.SecurityManager.checkRead(SecurityManager.java:890) at java.io.FileInputStream.(FileInputStream.java:61) at test.Test.tryToReadFile(Test.java:20) at net.drijf.javaone.TestMain.main(TestMain.java:68) Java Result: 1 === Running with jarfile = test_by_delegated_ca.jar === === Trying to load class === === Code has permissions === java.security.Permissions@3e407c ( (java.io.FilePermission - read) (net.drijf.javaone.ClassLoadPermission *) ) === === Trying to read file === === File contains: This directory contains the sample code for my JavaOne 2002 presentation. === === Trying to create thread === Exception in thread "main" java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272) at java.security.AccessController.checkPermission(AccessController.java:399) at java.lang.SecurityManager.checkPermission(SecurityManager.java:545) at net.drijf.javaone.StrictSecurityManager.checkPermission(StrictSecurityManager.java:96) at net.drijf.javaone.StrictSecurityManager.checkAccess(StrictSecurityManager.java:53) at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:279) at java.lang.Thread.init(Thread.java:265) at java.lang.Thread.(Thread.java:332) at test.Test.tryToCreateThread(Test.java:27) at net.drijf.javaone.TestMain.main(TestMain.java:71) Java Result: 1 === Running with jarfile = test_expired.jar === === Trying to load class === NotAfter: Sat Dec 29 08:59:42 CET 2001 Exception in thread "main" java.lang.ClassNotFoundException: Class test.Test denied ClassLoadPermission; URL = file:test_expired.jar; Certificate list is [[ [ Version: V1 Subject: CN=expired, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam Signature Algorithm: SHA1withDSA, OID = 1.3.14.3.2.27 Key: Sun DSA Public Key Parameters:DSA p: 827dd49c a2056984 e98371b1 340d5d71 839285b2 5acaa382 d7ac386e 9440843f 0a467aa8 75a8c1ca 3b70ba6a 970712f6 b199ed3e ec5313f3 940a67bb d69f3872 2961ab02 3d17a133 3c52235d 9fb7d10e 95e3a55e f9b04fc7 c920c572 da7ac3d5 0f240dbb 8e54da9e bb702111 c53582e5 35852e9f 593979b3 3250c886 83961917 q: fa5079da fa3f3ab1 e80a6df5 bd16f224 d8f8d71b g: 4fbdf52e 3304f051 c17ca55c 9381b5c1 7d4c2050 76853450 cfd9fc72 b2e1b2b1 6fa01048 b8ff17e7 a90ae1e0 18053e34 d9d561df 714cc8dc 92b151b5 df665970 6b5e57c3 19a2d658 3b7d32d2 e9e1f166 3eaaac46 0dcd4e67 7036f7f9 be0b2e16 a05d695d 5b8113a9 03cb3863 561abd36 4a5d6c15 6617fa10 a32099e1 d2347713 y: 7898a56e 8b5a7844 a9406fa7 9ee91e01 e38d7bce 00759d35 ecfdce0f 497b8dc5 31727dd3 f75946d0 aa53570c 5d47488f c11b5443 8b8d3e6a 15d443fc 0312a579 f5722d84 7a2840be 7e44c1b1 ea97acb5 4085abda 94733aa8 fe07cba6 be5c1489 97568b8b bce35725 6b46c78e be174b8c f04057d1 8ee8ca99 c11aef0e b7259794 Validity: [From: Thu Nov 29 08:59:42 CET 2001, To: Sat Dec 29 08:59:42 CET 2001] Issuer: CN=root_ca1, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam SerialNumber: [ eb119abf 72] ] Algorithm: [SHA1withDSA] Signature: 0000: 30 2D 02 15 00 83 3E 4E FA 61 18 EF D8 F5 F5 A1 0-....>N.a...... 0010: 43 FA F6 C1 A1 17 D1 06 7D 02 14 3A 4E 68 9B A1 C..........:Nh.. 0020: 76 5F 5B 74 73 B6 1D B8 66 12 78 F5 08 38 38 v_[ts...f.x..88 ],[ [ Version: V1 Subject: CN=root_ca1, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam Signature Algorithm: SHA1withDSA, OID = 1.3.14.3.2.27 Key: Sun DSA Public Key Parameters:DSA p: 827dd49c a2056984 e98371b1 340d5d71 839285b2 5acaa382 d7ac386e 9440843f 0a467aa8 75a8c1ca 3b70ba6a 970712f6 b199ed3e ec5313f3 940a67bb d69f3872 2961ab02 3d17a133 3c52235d 9fb7d10e 95e3a55e f9b04fc7 c920c572 da7ac3d5 0f240dbb 8e54da9e bb702111 c53582e5 35852e9f 593979b3 3250c886 83961917 q: fa5079da fa3f3ab1 e80a6df5 bd16f224 d8f8d71b g: 4fbdf52e 3304f051 c17ca55c 9381b5c1 7d4c2050 76853450 cfd9fc72 b2e1b2b1 6fa01048 b8ff17e7 a90ae1e0 18053e34 d9d561df 714cc8dc 92b151b5 df665970 6b5e57c3 19a2d658 3b7d32d2 e9e1f166 3eaaac46 0dcd4e67 7036f7f9 be0b2e16 a05d695d 5b8113a9 03cb3863 561abd36 4a5d6c15 6617fa10 a32099e1 d2347713 y: 7a4fa276 d626e60f cb0af7e0 e46e9950 42e146db 1b3a0979 7928c842 c6047df8 77e142d7 333bbe43 8c1eb717 6bfeb811 d4e23dab 14b52c6b f5acd5c4 f66ed854 236fc687 fcaa6a6c ee61ff36 28b68fd8 fbe98947 83a61224 1ecc92fc 0d5f5d64 2647683b 38594461 61bb5483 6672a817 d7c6a4a1 bee1d99e a718d8f8 2692d262 Validity: [From: Wed Dec 26 11:35:56 CET 2001, To: Sun Dec 26 11:35:56 CET 2004] Issuer: CN=root_ca1, O=Org, OU=Unit, C=NL, ST=NH, L=Amsterdam SerialNumber: [ eb02b75a e6] ] Algorithm: [SHA1withDSA] Signature: 0000: 30 2C 02 14 2A 04 0A 01 7A 2F C3 27 E8 04 41 CD 0,..*...z/.'..A. 0010: 61 EC 8B D2 5A 62 1C D1 02 14 65 6A 79 34 FA 3B a...Zb....ejy4.; 0020: AE BF 21 FA C7 BF 20 0B EA 05 D7 26 57 47 ..!... ....&WG ]] at net.drijf.javaone.DelegatingCL.findClass(DelegatingCL.java:70) at java.lang.ClassLoader.loadClass(ClassLoader.java:297) at java.lang.ClassLoader.loadClass(ClassLoader.java:253) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:195) at net.drijf.javaone.TestMain.main(TestMain.java:57) Java Result: 1 all: BUILD SUCCESSFUL Total time: 23 seconds