Sample Question - Applet Security

 
Ranch Hand
Posts: 81
Which statement is true?
A. Classes loaded into a browser from the local network are trusted.
B. Classes loaded into a browser from remote sources are trusted if they are signed.
C. Classes loaded into a browser from remote sources are trusted if they are in a signed jar file.
D. Classes loaded from a jar file on a remote source can sometimes be trusted even if the jar file is unsigned.
E. Classes loaded from a signed jar file are trusted if the public key associated with the jar file's signature is marked as trusted in the keystore.
The answer is given as D.
Is it correct?
I think the correct answer is E.
What do you guys think?

thanks
 
Ranch Hand
Posts: 334
D and E both seem correct.
Please comment.
 
Ranch Hand
Posts: 40
Hey guys,
Well, the answer is D ONLY.
Refer to:

  • http://java.sun.com/docs/books/tutorial/security1.2/tour1/step2.html
    and
  • http://java.sun.com/sfaq/

Also, this has already been discussed recently. In my notes I have the following summary from another post:

"• The keystore contains certificates, each of which contains the public key of a trusted source, and which is named by an alias. These are certificates imported into the keystore to run someone else's code.
• Keytool can also be used to create your own public/private key pairs. Presumably, the private key would be used to sign your own jar files, the public key what you would export to others who use your code.
• When a Java class executes, the security manager checks in the policy file to see if that codebase has permission to do what it wants to do. Also, if the grant entry has a "signed by" entry, then the security manager uses the "signed by" entry to look up the public certificate in the keystore (matching on alias). If it's there, then it's from a trusted source. The keystore to check is named in the keystore entry of the relevant policy file."

In other words, even if the keystore contains the applet certificate, that is not enough to trust the applet.
The policy file needs to grant permissions for this applet codebase. That's the new JDK 1.2 security model.

Cheers,
-Chris

    [This message has been edited by Christophe Testi (edited November 06, 2001).]
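
The mechanism described in the reply above, shown as a JDK 1.2-style policy file. This is an added example, not part of the original thread; the aliases `duke` and `partner`, the keystore path and the example.com URLs are constructed placeholders.

```text
// Constructed example policy file; alias, path and URLs are placeholders.

// Keystore consulted when a grant entry carries a signedBy clause.
keystore "file:/home/user/.keystore", "JKS";

// Signed code: applies only to code under this codeBase whose signature
// verifies against the certificate stored under alias "duke".
grant signedBy "duke", codeBase "http://www.example.com/signed/-" {
    permission java.io.FilePermission "/tmp/applet-data/*", "read,write";
};

// Unsigned code: there is no signedBy clause, so the JAR's location alone
// selects this grant. The keystore is never consulted for it.
grant codeBase "http://www.example.com/unsigned/tools.jar" {
    permission java.util.PropertyPermission "user.home", "read";
};

// No grant entry names alias "partner". A JAR signed by "partner" gains no
// permissions from this file, even if that certificate is in the keystore.
```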