ch10.html

来自「java2高级编程」· HTML 代码 · 共 745 行 · 第 1/4 页

keystore</EM>
 database and generates the keys. Everything goes on one line.</P>
<PRE CLASS="CODE"><A NAME="pgfId-1087492"></A>keytool -genkey -alias signFiles -keystore compstore 
        -keypass kpi135 -dname &quot;cn=jones&quot; -storepass ab987c</PRE>
<P CLASS="Body">
<A NAME="pgfId-1087495"></A><A NAME="marker-1087493"></A><A NAME="marker-1087494"></A>The above <EM CLASS="CODE">
keytool -genkey </EM>
command invocation generates a key pair that is identified by the alias <EM CLASS="CODE">
signFiles</EM>
. Subsequent <EM CLASS="CODE">
keytool</EM>
 command invocations use this alias and the key password (<EM CLASS="CODE">
-keypass kpi135</EM>
) to access the private key in the generated pair. </P>
<P CLASS="Body">
<A NAME="pgfId-1087496"></A>The generated key pair is stored in a keystore database called <EM CLASS="CODE">
compstore</EM>
 (<EM CLASS="CODE">
-keystore compstore</EM>
) in the current directory and accessed with the <EM CLASS="CODE">
compstore</EM>
 password (<EM CLASS="CODE">
-storepass ab987c</EM>
). </P>
<P CLASS="Body">
<A NAME="pgfId-1087497"></A>The <EM CLASS="CODE">
-dname &quot;cn=jones&quot;</EM>
 option specifies an X.500 Distinguished Name with a <EM CLASS="CODE">
commonName (cn)</EM>
 value. X.500 Distinguished Names identify entities for X.509 certificates. In this example, Susan uses her last name, Jones, for the common name. She could use any common name that suits her purposes. You can view all <EM CLASS="CODE">
keytool</EM>
 options and parameters by typing: </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087498"></A><EM CLASS="CODE">keytool -help</EM>
 </PRE>
<P CLASS="Body">
<A NAME="pgfId-1087499"></A><EM CLASS="Bold">
4: Sign the JAR File. </EM>
JAR <EM CLASS="CODE">
Signer</EM>
 is a command-line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses <EM CLASS="CODE">
jarsigner</EM>
 to make a signed copy of the <EM CLASS="CODE">
SignedApplet.jar</EM>
 file. </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087503"></A><A NAME="marker-1087500"></A><A NAME="marker-1087501"></A><A NAME="marker-1087502"></A>jarsigner -keystore compstore -storepass ab987c -keypass kpi135
           -signedjar SSignedApplet.jar SignedApplet.jar signFiles</PRE>
<P CLASS="Body">
<A NAME="pgfId-1087504"></A>The <EM CLASS="CODE">
-storepass ab987c</EM>
 and <EM CLASS="CODE">
-keystore compstore</EM>
 options specify the <EM CLASS="CODE">
keystore</EM>
 database and password where the private key for signing the JAR file is stored. The <EM CLASS="CODE">
-keypass kpi135</EM>
 option is the password to the private key, <EM CLASS="CODE">
SSignedApplet.jar</EM>
 is the name of the signed JAR file, and <EM CLASS="CODE">
signFiles</EM>
 is the alias to the private key. The <EM CLASS="CODE">
jarsigner</EM>
 command extracts the certificate from the keystore whose entry is <EM CLASS="CODE">
signFiles</EM>
 and attaches it to the generated signature of the signed JAR file. </P>
<P CLASS="Body">
<A NAME="pgfId-1087506"></A><EM CLASS="Bold">
5: Export the Public Key Certificate. </EM>
<A NAME="marker-1087505"></A>The public key certificate is sent with the JAR file to the end user who will be using the applet. That person uses the certificate to authenticate the signature on the JAR file. A certificate is sent by exporting it from the <EM CLASS="CODE">
compstore</EM>
 database. </P>
<P CLASS="Body">
<A NAME="pgfId-1087507"></A>In her working directory, Susan uses <EM CLASS="CODE">
keytool</EM>
 to copy the certificate from <EM CLASS="CODE">
compstore</EM>
 to a file named <EM CLASS="CODE">
CompanyCer.cer</EM>
 as follows: </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087508"></A>keytool -export -keystore compstore -storepass ab987c -alias signFiles -file CompanyCer.cer</PRE>
<P CLASS="Body">
<A NAME="pgfId-1087509"></A> As the last step, Susan posts the JAR and certificate files to a distribution directory on a Web page.</P>
</DIV>
<DIV>
<H5 CLASS="B">
<A NAME="pgfId-1087510"></A>End User</H5>
<P CLASS="Body">
<A NAME="pgfId-1087511"></A>Ray, the end user, downloads the JAR file from the distribution directory, imports the certificate, creates a policy file granting the applet access, and runs the applet. </P>
<P CLASS="Body">
<A NAME="pgfId-1087514"></A><EM CLASS="Bold">
6: Import the Certificate as a Trusted Certificate. </EM>
<A NAME="marker-1087512"></A><A NAME="marker-1087513"></A>Ray downloads <EM CLASS="CODE">
SSignedApplet.jar</EM>
 and <EM CLASS="CODE">
CompanyCer.cer</EM>
 to his home directory. Ray must now create a <EM CLASS="CODE">
keystore</EM>
 database (<EM CLASS="CODE">
raystore</EM>
) and import the certificate into it using the alias company. Ray uses <EM CLASS="CODE">
keytool</EM>
 in his home directory to do this: </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087515"></A>keytool -import -alias company -file CompanyCer.cer 
                      -keystore raystore -storepass abcdefgh</PRE>
<P CLASS="Body">
<A NAME="pgfId-1087516"></A><EM CLASS="Bold">
7: Create the Policy File. </EM>
The policy file grants the <EM CLASS="CODE">
SSignedApplet.jar</EM>
 file signed by the <EM CLASS="CODE">
alias</EM>
 company permission to create <EM CLASS="CODE">
demo.ini</EM>
 (and no other file) in the user's home directory. </P>
<P CLASS="Body">
<A NAME="pgfId-1087517"></A>Ray creates the policy file in his home directory using either <EM CLASS="CODE">
policytool</EM>
 or an ASCII editor. </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087518"></A>keystore &quot;/home/ray/raystore&quot;; </PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087519"></A>//A sample policy file that lets a program </PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087520"></A>//create demo.ini in user's home directory </PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087521"></A>//Satya N Dodda </PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087522"></A>grant SignedBy &quot;company&quot; </PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087523"></A>{   
   permission java.util.PropertyPermission &quot;user.home&quot;, &quot;read&quot;;</PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087524"></A>   permission java.io.FilePermission &quot;${user.home}/demo.ini&quot;, &quot;write&quot;; </PRE>
<PRE CLASS="CODE"><A NAME="pgfId-1087525"></A>}; </PRE>
<P CLASS="Body">
<A NAME="pgfId-1087528"></A><EM CLASS="Bold">
8: Run the Applet in Applet Viewer. </EM>
<A NAME="marker-1087526"></A><A NAME="marker-1087527"></A>The <EM CLASS="CODE">
Applet Viewer</EM>
 tool connects to the HTML documents and resources specified in the call to the <EM CLASS="CODE">
appletviewer </EM>
command and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to <EM CLASS="CODE">
/home/aURL/public_html</EM>
 and invokes the <EM CLASS="CODE">
Applet Viewer </EM>
tool from his home directory as follows: </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087529"></A>appletviewer -J-Djava.security.policy=Write.jp 
  http://aURL.com/SignedApplet.html</PRE>
<UL>
<P CLASS="NOTE">
<A NAME="pgfId-1087530"></A>NOTE Type everything on one line and put a space after <EM CLASS="CODE">
Write.jp.</EM>
</P>
</UL>
<P CLASS="Body">
<A NAME="pgfId-1087531"></A>The <EM CLASS="CODE">
-J-Djava.security.policy=Write.jp</EM>
 option tells the <EM CLASS="CODE">
Applet Viewer</EM>
 tool to run the applet referenced in the <EM CLASS="CODE">
SignedApplet.html</EM>
 file with the <EM CLASS="CODE">
Write.jp</EM>
 <EM CLASS="CODE">
policy</EM>
 file. </P>
<UL>
<P CLASS="NOTE">
<A NAME="pgfId-1087532"></A>NOTE The policy file can be stored on a server and specified in the <EM CLASS="CODE">
appletviewer</EM>
 invocation as an URL.</P>
</UL>
</DIV>
<DIV>
<H5 CLASS="B">
<A NAME="pgfId-1087533"></A>Running an Application with a Policy File</H5>
<P CLASS="Body">
<A NAME="pgfId-1087534"></A>This application invocation restricts <EM CLASS="CODE">
MyProgram</EM>
 to a sandbox-like environment the same way applets are restricted, but allows access as specified in the <EM CLASS="CODE">
polfile</EM>
 policy file. </P>
<PRE CLASS="CODE"><A NAME="pgfId-1087535"></A>java -Djava.security.manager -Djava.security.policy=polfile MyProgram</PRE>
</DIV>
<DIV>
<H5 CLASS="B">
<A NAME="pgfId-1087536"></A>Signed Applets in JDK 1.1</H5>
<P CLASS="Body">
<A NAME="pgfId-1087538"></A><A NAME="marker-1087537"></A>JDK 1.1 signed applets can access local system resources if the local system is properly set up to allow it. See the JDK 1.1 <EM CLASS="A">
Signed Applet Example</EM>
 page (<EM CLASS="URL-Footnote">
http://java.sun.com/security/signExample/index.html</EM>
) for details. </P>
</DIV>
</DIV>