We've seen in previous lessons how to sign Openwings component
Jar files for secure installation. Java also supports the concept
of checking signatures on Jar files containing code and assigning
permissions based on these signatures. This lesson shows how to
sign the Jar files within a component and configure a component's
security policy so that Java will check the signatures.
For this example, we’ll continue using the Launcher demo component
as we have in the previous lessons in this trail. Assuming the
Launcher is already installed on the system, open a shell and
go to the Launcher's lib directory. For this example, command
syntax reflects a Windows machine with Openwings installed in
the default directory (C:\openwings). Now sign the file:
C:\openwings\Launcher_im-1.0\lib>jarsigner -keystore \openwings\openwings-1.0\system\certstore Launcher.jar openwings
Enter Passphrase for keystore: openwings
Enter key password for openwings: openwings
Now we’ll need to configure the Launcher component policy (${OW_HOME}/Launcher_im-1.0/policies/Launcher_im.policy)
to enforce the signature check:
// LAUNCHER SECURITY POLICY
// USE FOR DEPLOYED SYSTEMS
grant codebase
"${Launcher_im.property.net.openwings.install.libDir}/*"
signedBy "openwings"
{
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
};
Note that the keystore location is not yet set. Remember from
the Code Security tutorial trail that the policy file we edited
above is the raw security policy, which is transformed by the
Openwings Installer into the actual component security policy
used at runtime.
There are two ways to re-resolve the Launcher component so that
the actual security policy is regenerated. One is to shut down
the Openwings core and run the Openwings installer in static mode:
Windows: %OW_HOME%\openwings-1.0\bin\owinstall -static
Unix: ${OW_HOME}/openwings-1.0/bin/owinstall.csh -static
The second method for re-resolution is to use the Openwings Explorer.
Expand the node for the local platform and right-click on the
Launcher component. Select "Edit Descriptor...". In
the ICD editor, make some small change to the descriptor (such
as editing the description field) and hit the save button. This
forces the Launcher component to be re-resolved. It will also
be started immediately unless you’ve turned off the Run Immediately
flag in the descriptor.
After the Launcher component has been re-resolved, its actual
security policy stored in the Openwings data directory (${OW_HOME}/openwings-1.0/data/Launcher_im-1.0.policy)
ends up looking like the following:
/* AUTOMATICALLY GENERATED ON Tue May 20 07:28:16 MST 2003*/
/* DO NOT EDIT */
keystore "file:/C:/openwings/openwings-1.0/system/certstore";
grant signedBy "openwings", codeBase "file:/C:/openwings/Launcher_im-1.0/lib/*"
{
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
};
// ...other content follows...
If you haven’t already, re-run the Launcher component. It should
run the same as usual.
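The signedBy clause only grants the permission to code whose signers include the certificate stored under the openwings alias, so it is worth confirming that every entry in Launcher.jar carries that signature. The following is an added example, not part of the original tutorial or of Openwings; the class name CheckSignedBy and its argument order are assumptions made here.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): lists jar entries that are NOT signed
// by the certificate stored under a keystore alias, e.g. "openwings".
public class CheckSignedBy {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CheckSignedBy <jar> <keystore> <alias>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) throw new IllegalStateException("needs an interactive shell");
        char[] pass = console.readPassword("Enter Passphrase for keystore: ");
        // Assumption: the certstore is in a format the default KeyStore type can read.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, pass); }
        Certificate expected = ks.getCertificate(args[2]);
        if (expected == null) throw new IllegalArgumentException("no such alias: " + args[2]);
        int bad = 0;
        try (JarFile jar = new JarFile(args[0], true)) {        // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                // Manifest and signature files under META-INF are not themselves signed.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are known only after the entry is read to the end; a modified
                // entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                boolean ok = false;
                CodeSigner[] signers = e.getCodeSigners();
                for (CodeSigner s : signers == null ? new CodeSigner[0] : signers) {
                    ok |= s.getSignerCertPath().getCertificates().contains(expected);
                }
                if (!ok) { bad++; System.out.println("not signed by " + args[2] + ": " + e.getName()); }
            }
        }
        System.out.println(bad == 0 ? "all entries signed by " + args[2] : bad + " entries fail");
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

Run it as `java CheckSignedBy Launcher.jar C:\openwings\openwings-1.0\system\certstore openwings`; an exit status of 0 means every entry is signed by that certificate.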