...
According to the Java Tutorials [Tutorials 2008]:
If you are creating applet code that you will sign, it needs to be placed in a JAR file. The same is true if you are creating application code that may be similarly restricted by running it with a security manager. The reason you need the JAR file is that when a policy file specifies that code signed by a particular entity is permitted one or more operations, such as specific file reads or writes, the code is expected to come from a signed JAR file. (The term "signed code" is an abbreviated way of saying "code in a class file that appears in a JAR file that was signed.")
...
* [API 2006]
* [Gong 2003] 12.8.3 jarsigner
* [Eclipse 2008] [JAR Signing|http://wiki.eclipse.org/JAR_Signing] and [Signed bundles and protecting against malicious code|http://help.eclipse.org/stable/index.jsp?topic=/org.eclipse.platform.doc.isv/guide]
* [Halloway 2001]
* [Flanagan 2005] Chapter 24. The java.util.jar Package
* [Oaks 2001] Chapter 12: Digital Signatures, Signed Classes
* [Tutorials 2008] [The JarRunner Class|http://java.sun.com/docs/books/tutorial/deployment/jar/jarrunner.html], [Lesson: API and Tools Use for Secure Code and File Exchanges|http://java.sun.com/docs/books/tutorial/security/sigcert/index.html] and [Verifying Signed JAR Files|http://java.sun.com/docs/books/tutorial/deployment/jar/verify.html]
* [JarSpec 2008] Signature Validation
* [Bea 2008]
* [Muchow 2001]
* [MITRE 2009] [CWE ID 300|http://cwe.mitre.org/data/definitions/300.html] "Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')", [CWE ID 319|http://cwe.mitre.org/data/definitions/319.html] "Cleartext Transmission of Sensitive Information", [CWE ID 494|http://cwe.mitre.org/data/definitions/494.html] "Download of Code Without Integrity Check", [CWE ID 347|http://cwe.mitre.org/data/definitions/347.html] "Improperly Verified Signature"
...