securing applet-servlet communication

Hi experts! I would like to start to make a web application involving applet - servlet communication, and I would like to know how to secure this. I don't know much about this part in particular, and I would appreciate it if you answer with a bit more than links to other sites. What are the standards that are required from companies regarding secure communication on the internet? Every book on Java internet programming advises that security should be built in from the beginning, and therefore I would like to start with it right now.
1 Solution
 
Oliver_DornaufCommented:
For secure applet - servlet communication you can use the JSSE from Sun.
http://java.sun.com/security/index.html
0
 
dnoelppCommented:
A simple (but very limited) way would be that the applet uses getAppletContext().showDocument("https://..."); with secure HTTP.

This way, the applet opens up a new browser window. With parameters you can pass some parameters to the server. Then the server uses a JavaScript function to close the new browser window.

This is very limited, but maybe enough for you?
0
 
d97mivoAuthor Commented:
I need to have the standard security which is requested from companies when they consider whether to buy or not buy a product which is web based. I have no previous knowledge of this, and this is just my private project which I do in my spare time. Hopefully it will result in a commercial product which will make me rich :). That's why I ask which are the standards for security. Is it enough with JSSE? Are there any commercial implementations of JSSE which do a better job?

I don't need to do this with new browser window, it is done easily within the applet. What I need is a way to make secure the messages from applet to servlet and back. There are two types of "messages":

1. text messages, for ex. http://www.myserver.ss/servletDo?message=blabla&reason=thatswhy...
2. object messages, for ex. an object which is sent to the applet with different types of other objects (Strings, Integers, ints,...)

So, how to secure these two types of "messages"? That is the second question to which I would like to get an answer.

0
 
dnoelppCommented:
Okay, then go with JSSE. A note, however, JDK 1.4 has JSSE installed by default. If you work with the Java-Plugin version 1.4, you can just use code like this:

URL url = new URL("https://yourserver/yourapp/your.jsp");

and then open the stream, and this stream will be secure.

And for the second question, use serialization. Write or read the serialized data via URL.
0
 
dnoelppCommented:
Is JSSE "enough"? Yes, you can tell... The https implemented by JSSE is as secure as any https protocol, that means secure enough for Internet use. I am not sure whether the CIA will be able to listen to your data, but I don't think so.
0
 
d97mivoAuthor Commented:
Ok, I understand that I get what I need with SSL and JSSE. Now we came to the implementation of SSL. I am using IIS 4.0 with JRun 3.0 as a servlet engine. I wonder how to implement SSL and JSSE into this configuration? Do I have to install (enable) SSL in IIS only, or in JRun?
0
 
dnoelppCommented:
This is a different question. I don't know how to configure SSL on JRun or IIS. One thing, however: you need a server certificate. If you create it yourself and sign it yourself, the browser will pop up a warning message to the user. This is ok for testing and developing, but for serious users you need a certificate by a CA.

If you run JRun by an IIS ISAPI redirector, I think you need to set up the certificate with IIS, and JRun will run "behind" this certificate.

Good luck!
0
 
d97mivoAuthor Commented:
I have to ask this too: do I need the certificate installed on the server or both the server and the clients?
0
 
dnoelppCommented:
The server certificate needs only to be installed on the server.

This certificate is signed by a CA. Most browsers have signatures of the most important CA already pre-installed.

SSL works about this way (much simplified): The client gets the certificate of the server and compares its signature with the pre-installed ones. With the help of the certificate the client knows the server (no spoofing possible) and then both client and server can do secure encrypting.

The only point is: You need your server certificate be signed by a CA. You can sign your certificate yourself, but in this case the client doesn't know your signature. The client browser displays a security warning.

This is ok, as I already said, for developing purposes. Just click on "Accept" or "Continue" or the like. Or install your own signature to the browser (Internet Explorer: Options --> Content --> Certificates)
0
 
Oliver_DornaufCommented:
You do not need a server certificate on the IIS for JSSE in every case.
If you use secure RMI and not https to communicate (which is reliable, easy and secure) you only need to install a certificate in the Java keystore. You can make the certificate yourself with the keytool program.

Only if you want to use https you need an expensive server certificate. For rmi over SSL it is not needed.

0
 
d97mivoAuthor Commented:
Ok, but I would like to do it without RMI, because it is not supported in IE.

Here is a new question: can I use the IP address of my server when creating a self-signed certificate, or does it have to be a DNS name? (Sorry for these additional questions, but I think the amount of points I award here is quite enough and I will give an A.)
0
 
dnoelppCommented:
A note about https vs rmi:

These are very different technologies.

- https is web oriented. Data is transported via opening an url and reading the response.

- rmi is nearer to the programming language. A remote object behaves very much like a local object. Except of course that some operations take a lot longer to execute.

You see, the philosophies are as different as possible.

One important point, however: if you don't do rmi over http(s), then rmi will not transport through firewalls (unless you ask your admin to configure the ports).

And, now, d97mivo, as for your question, I don't know. Try both. Just create a certificate and sign it yourself. After accepting the security warning Internet Explorer for example should display the yellow closed lock symbol at the bottom to show that security is ON.

So, not only your applet communication, but other pages are secured (important for example for the page which loads the applet).
0
 
Oliver_DornaufCommented:
d97mivo, if you use a "home brew certificate" for rmi over ssl you do not need an IP address or something from your server.

Look at: http://java.sun.com/products/jdk/1.2/docs/guide/rmi/index.html for rmi and rmi over ssl

Look at: http://java.sun.com/docs/books/tutorial/security1.2/sigcert/index.html
for your "home brew certificate".
Important: for rmi over ssl the certificate has nothing to do with code signing of jar files etc. :-)
0
 
dnoelppCommented:
Yes, Oliver is right. Why?

The rmi client is not pre-installed at the user's computer (like IE or other browsers). So it is easy to give it any signatures you want.

The https client (IE or other browser) however is not installed by you, it is pre-installed by the user. So it's not easy to influence the key-store of the browser.

That's why you need a CA signature for the server certificate for https.

***

But I think, for real security on your website, you need to download your applet code with https. Without https someone could spoof your applet and then all the security in your applet is useless.

Another way to avoid spoofing is to sign the applet. Don't mix up the two possibilities. Signed applets are much like signed ActiveX controls. They are allowed to access your user's computer (depending on the configuration of the policy files of the applet): read and write files and open network connections to other servers than yours and other possibly dangerous operations.

You could combine two possibilities: load a signed applet via an https connection. That's exactly what we do in our project at office.

***

And as for rmi: Most probably using rmi over https in your applet is the best way to do secure communication applet-servlet, because the remote objects are very near to the programming language Java.

You said rmi is not supported by IE. I assume you are using Microsoft's virtual machine and programming with AWT, not Swing. I suggest that you think about the Java Plugin (http://java.sun.com/products/plugin/) because the new virtual machine by Sun has more features. Microsoft's virtual machine stays at version 1.1 and Sun's version just coming out is 1.4 (the one which has JSSE already included).

For data consisting mostly of text https is a simple protocol to exchange data. If you use serialization, you can transfer objects, too, but this gets complicated very soon and then it's better to work with rmi.
0
 
Oliver_DornaufCommented:
Well, I speak about a "home brew certificate" which is sufficient for testing and evaluation.
A server certificate from a root CA is about 500$ per year.
An applet using a port (1099 for rmi) has to be signed imho.

Loading a signed applet via https is a very secure way to load an applet, but not more. It does not secure the applet communication.
But I think that is not the question. The point I wanted to state was:
rmi over ssl needs a certificate in the Java keystore. But the Sun document speaks about signing applets. This is a different thing in the same context.
OK?
0
 
d97mivoAuthor Commented:
Forget RMI for now, it still requires another port to be opened for communication, which I would like to avoid. And you made me confused, so please answer with yes or no on these questions (again):

1. Is it so that I use https instead of http when I make URLConnections in my applet, and get the required protection?
2. I need only a certificate on my server, but not on the client side?
0
 
dnoelppCommented:
1. Yes. For that you need JSSE.

2. Yes. To let certificate be signed by a CA is expensive, as Oliver said.

Just now I have another idea. Maybe with some configuration of JSSE done by the applet before opening the first https URL connection it's possible to avoid a CA-signed certificate. The idea behind it is that the applet knows your own signature and has it "installed" in JSSE. This way a "home-brew" certificate will be enough. Exactly how to do this I don't know, however.

Tomorrow I will look into this further, but don't expect any more help from my side. I just will look because I am interested myself.
0
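As an added example (not code from anyone in this thread), here is how the idea in this post and the URL/serialization approach from dnoelpp's earlier comment fit together: the applet bundles a truststore holding only the self-signed server certificate, installs it into JSSE before the first https URLConnection, and then exchanges serialized objects with the servlet. The servlet URL, the truststore name server-trust.jks and its password are placeholders; hostname verification is still done by JSSE, so the certificate must be issued for the DNS name or IP address used in the URL.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.*;

public class TrustedHttpsClient {
    // Install the applet's own truststore into JSSE. Do this once, before the
    // first https URL is opened. The truststore (hypothetical server-trust.jks)
    // holds only the self-signed server certificate, imported with e.g.
    //   keytool -import -alias myserver -file server.cer -keystore server-trust.jks
    public static void installHomeBrewTrust(InputStream truststore, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(truststore, password);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);   // trust exactly the certificates in the bundled store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification still applies: the DNS name or IP address used
        // in the URL must match the name the self-signed certificate was issued for.
    }

    // Send one serialized object to the servlet over https and read its serialized reply.
    public static Object exchange(URL servlet, Serializable request) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) servlet.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-java-serialized-object");
        ObjectOutputStream out = new ObjectOutputStream(conn.getOutputStream());
        out.writeObject(request);
        out.close();
        ObjectInputStream in = new ObjectInputStream(conn.getInputStream());
        try {
            // Only deserialize from the server authenticated by the truststore above.
            return in.readObject();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        InputStream ts = TrustedHttpsClient.class.getResourceAsStream("/server-trust.jks");
        installHomeBrewTrust(ts, "changeit".toCharArray());
        URL url = new URL("https://yourserver/yourapp/servletDo");
        Object reply = exchange(url, "message=blabla&reason=thatswhy");
        System.out.println("server replied: " + reply);
    }
}
```

On the servlet side the same two classes are used in reverse: an ObjectInputStream over the request body and an ObjectOutputStream over the response.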
 
dnoelppCommented:
2. Yes, you need only a certificate on the server. :-)
0
 
d97mivoAuthor Commented:
Ok, I will try to do like you propose dnoelpp, but just one LAST question: is this server certificate the same as the one which is used when signing .jar files?

I will award the points within next day, dnoelpp!
0
 
dnoelppCommented:
No, that's something different as Oliver already pointed out.
0
 
d97mivoAuthor Commented:
I choose this as an appropriate answer!
0
 
dnoelppCommented:
Thanks for the points!
0