Bytes | Software Development & Data Engineering Community
Java Server Client application Signing the client jar

micmast
Hello,

I'm doing some research into Java security, and I have a question. In my line of work I find from time to time client applications written in Java (so a .jar) that connect to a server, but the server will not work with a manipulated .jar. Now my question is, how does that work? After reading on the net I found that it is possible to sign a jar file with either a key or a certificate (maybe others), but nothing about how this would be checked from the server side of the architecture.

Could somebody give me some pointers as to how it works or where I could find information?

Thx
Nov 27 '09 #1
Frinavale
Not sure what type of application you are implementing, but it seems as simple as checking a hash code... if the hash code doesn't match, then the jar has been modified.

Signing works along these lines.

-Frinny
Dec 2 '09 #2
micmast
Does that mean that there is no general function in place in the Java console (the sandbox) that would allow checking the .jar independently? I'm talking from a security point of view, so if the jar is responsible for its own signing, it would just be an open lock on a door?
Dec 2 '09 #3
Frinavale
I'm so sorry but I'm actually not a Java expert.
I am familiar with signing code because I use signing quite a bit...
I hope that a Java expert can jump in and help you further.

I wouldn't think that the jar is responsible for its own signing.

I would think that your server application would store the signature/hash that it creates for the jar files based on what is in the jar... when the jar is submitted to the server later, it would check to see that the signature/hash is valid to ensure that it isn't working with a modified jar file.

You might be right. There could be a Java Specific tool available to you that does this without having to rely on your code/application to do it. In fact I would be surprised if there isn't such a feature.

I still don't understand how your server is using the jar files or what your application does.

Again, I'm sorry but I'm not a Java expert...I can only help you from a conceptual point of view.

-Frinny
Dec 2 '09 #4
micmast
The server-client application that I'm talking about is a bit as follows:

A client has to download a Java jar file that will act as a client for the application. The client will use it to enter data, modify things, log in, ... but the result is checked & verified by the server. But there should be some security measure in place that would prevent a malicious user from modifying the client jar file.

Already big thanks Frinavale for your input, you have helped me a lot already.
Dec 2 '09 #5
Frinavale
What exactly is sent to the server?
The jar file itself? Or is it some output that is the result of some calculations/operations that the client application does?

-Frinny
Dec 3 '09 #6
micmast
The result of some calculation, credentials, ...
Dec 3 '09 #7
Frinavale
Wouldn't this mean that you need to validate the result, not the jar file?


-Frinny
Dec 3 '09 #8
micmast
That is one part of the security model, but how could you prevent a malicious attacker from modifying the content of the jar? This is under the assumption that the JAR file contains some data that will not be checked by the server and is accepted as is.
Dec 3 '09 #9
Frinavale
I don't think there is any way to prevent someone from unjarring your jar file and modifying the code.

Signing the jar file certainly won't help with this.

The first thing that came to my mind would be to sign the jar file and then have the client application re-hash the currently used jar and send that signature to the server to verify the signature of the jar used to produce the output.

BUT my immediate next thought was: the malicious user would simply modify your code to have it create a hash based on your original jar....

I can't see how signing is going to help at all.

You could try taking a look at what Sun has to say on Java Security technologies.


I would recommend looking at the security design for the system as a whole.

You said that this is a server/client application....

Why not move all "sensitive" methods to the server side and leave the client side stripped of anything that could potentially leave a security hole in it?

For example, if your application requires that the user authenticates against something move this functionality to the server. Don't leave this up to the client since the client could potentially be modified to get around this authentication.

And always do validation on the server... that's just one of those rules that has to be implemented in order to develop a secure application.

-Frinny
Dec 3 '09 #10
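The scheme discussed in posts #4 and #10 (the server keeps the hash of the released jar, the client re-hashes the jar it is running and reports the hash) and the objection to it (a patched client simply reports the original hash) can be played through in a few lines. The following is an added illustration written for this thread, not code from either poster. It assumes a tiny in-memory zip with placeholder bytes standing in for the real jar (a jar is a zip archive), a hypothetical `Server` class with a made-up `unit_price` business rule standing in for the real server, and a challenge nonce mixed into the hash so that a simple replay of a stored hash string is not enough. Even with the nonce, the tampered client wins, because it can carry a pristine copy of the original archive and hash that instead of itself; only the server's own recomputation of the submitted result (`validate_order`) holds up.

```python
"""Added example: why a self-reported jar hash is not a server-side integrity check."""
import hashlib
import io
import secrets
import zipfile


def build_jar(entries: dict) -> bytes:
    """Build a minimal jar (zip) in memory from {name: content}. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()


MANIFEST = "Manifest-Version: 1.0\n"
# Placeholder bytes, not real bytecode: only the fact that they differ matters here.
ORIGINAL_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                          "app/Client.class": b"\xca\xfe\xba\xbe original (placeholder)"})
TAMPERED_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                          "app/Client.class": b"\xca\xfe\xba\xbe patched (placeholder)"})


def attest(nonce: bytes, jar_bytes: bytes) -> str:
    """The client's 'proof': SHA-256 over the server's challenge and the archive bytes."""
    return hashlib.sha256(nonce + jar_bytes).hexdigest()


class Server:
    """Hypothetical server: knows the released jar and owns the business rules."""

    def __init__(self, released_jar: bytes):
        self.released_jar = released_jar   # stored when the jar was published (post #4)
        self.unit_price = 10               # assumed business rule, lives only server-side

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)     # fresh nonce so a fixed hash string cannot be replayed

    def accepts_attestation(self, nonce: bytes, reported: str) -> bool:
        """Post #10's check: does the reported hash match the released jar?"""
        return secrets.compare_digest(reported, attest(nonce, self.released_jar))

    def validate_order(self, order: dict) -> bool:
        """The control that actually holds: recompute the result on the server."""
        qty = order.get("qty")
        if not isinstance(qty, int) or qty <= 0:
            return False
        return order.get("total") == qty * self.unit_price


def honest_client(nonce: bytes, jar_on_disk: bytes) -> str:
    """Unmodified client: hashes the archive it is actually running from."""
    return attest(nonce, jar_on_disk)


def tampered_client(nonce: bytes, jar_on_disk: bytes) -> str:
    """Patched client: ignores its own bytes and hashes a saved copy of the original."""
    return attest(nonce, ORIGINAL_JAR)


def demo() -> dict:
    server = Server(ORIGINAL_JAR)
    nonce = server.challenge()
    return {
        "honest_original": server.accepts_attestation(nonce, honest_client(nonce, ORIGINAL_JAR)),
        "honest_tampered": server.accepts_attestation(nonce, honest_client(nonce, TAMPERED_JAR)),
        "lying_tampered": server.accepts_attestation(nonce, tampered_client(nonce, TAMPERED_JAR)),
        "valid_order": server.validate_order({"qty": 3, "total": 30}),
        "forged_order": server.validate_order({"qty": 3, "total": 1}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The attestation check catches an honest client running a modified jar and nothing else; the patched client passes it, because the server cannot tell which bytes the hash was computed over. The only check the attacker cannot route around is the one that never trusts the client's arithmetic at all.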