
Sample Question - Applet Security

 
Ajit Kumar
Ranch Hand
Posts: 81
Which statement is true?
A. Classes loaded into a browser from the local network are trusted
B. Classes loaded into a browser from remote sources are trusted if they are signed
C. Classes loaded into a browser from remote sources are trusted if they are in a signed jar file
D. Classes loaded from a jar file on a remote source can sometimes be trusted even if the jarfile is unsigned.
E. Classes loaded from a signed jarfile are trusted if the public key associated with the jarfile's signature is marked as trusted in the keystore.
The answer is given as D.
Is it correct?
I think the correct answer is E.
What do you guys think?

thanks
 
ruilin yang
Ranch Hand
Posts: 334
D and E both seem correct.
Please comment.
 
Christophe Testi
Ranch Hand
Posts: 40
Hey guys,
Well, the answer is D ONLY.
Refer to:

  • http://java.sun.com/docs/books/tutorial/security1.2/tour1/step2.html
  • http://java.sun.com/sfaq/

Also, this has already been discussed recently. In my notes I have the following summary from another post:
"• The keystore contains certificates, each of which contains the public key of a trusted source, and which is named by an alias. These are certificates imported into the keystore to run someone else's code.
• Keytool can also be used to create your own public/private key pairs. Presumably, the private key would be used to sign your own jar files, the public key what you would export to others who use your code.
• When a Java class executes, the security manager checks in the policy file to see if that codebase has permission to do what it wants to do. Also, if the grant entry has a "signed by" entry, then the security manager uses the "signed by" entry to look up the public certificate in the keystore (matching on alias). If it's there, then it's from a trusted source. The keystore to check is named in the keystore entry of the relevant policy file."
In other words, even if the keystore contains the applet certificate, that is not enough to trust the applet.
The policy file needs to grant permissions for this applet codebase. That's the new JDK 1.2 security model.

Cheers,
-Chris

    [This message has been edited by Christophe Testi (edited November 06, 2001).]
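A simplified model of the policy check described in the last post, added here as an example (not code from the thread or from the JDK): it parses a constructed java.policy snippet and shows that an unsigned jar can receive permissions through a codeBase grant, while a trusted key in the keystore yields nothing without a matching grant entry. The alias, URLs, paths and function names are assumptions.

```python
import re

# Constructed sample in java.policy syntax; alias, URLs and paths are made up.
# Simplified model of the JDK 1.2 check, not the JDK's own implementation.
POLICY = '''
keystore "file:/home/user/.keystore";
grant signedBy "acme", codeBase "http://apps.example.com/signed/*" {
    permission java.io.FilePermission "/tmp/-", "read";
};
grant codeBase "http://intranet.example.com/tools/*" {
    permission java.util.PropertyPermission "user.home", "read";
};
'''

GRANT = re.compile(r'grant\s*([^{]*)\{(.*?)\}\s*;', re.S)

def parse_policy(text):
    """Return a list of (signed_by, code_base, [permissions]) grant entries."""
    entries = []
    for header, body in GRANT.findall(text):
        signer = re.search(r'signedBy\s+"([^"]+)"', header)
        base = re.search(r'codeBase\s+"([^"]+)"', header)
        perms = [p.strip() for p in re.findall(r'permission\s+([^;]+);', body)]
        entries.append((signer and signer.group(1), base and base.group(1), perms))
    return entries

def base_matches(pattern, url):
    """Simplified codeBase matching: trailing /* = same directory, /- = recursive."""
    if pattern is None:
        return True  # no codeBase in the grant: applies to code from anywhere
    if pattern.endswith('/-'):
        return url.startswith(pattern[:-1])
    if pattern.endswith('/*'):
        return url.startswith(pattern[:-1]) and '/' not in url[len(pattern) - 1:]
    return url == pattern

def permissions_for(entries, keystore_aliases, url, verified_signers=()):
    """Permissions granted to code from `url` whose jar signature verified
    against the keystore certificates named in `verified_signers`."""
    granted = []
    for signer, base, perms in entries:
        if signer is not None and (signer not in keystore_aliases
                                   or signer not in verified_signers):
            continue  # signedBy grant: alias must be in keystore and match the jar
        if base_matches(base, url):
            granted.extend(perms)
    return granted

ENTRIES = parse_policy(POLICY)
```
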