Solved

securing applet-servlet communication

Posted on 2001-08-13
426 Views
Last Modified: 2013-11-24
Hi experts! I would like to start to make a web application involving applet - servlet communication, and I would like to know how to secure this? I don't know much about this part in particular, and I would appreciate if you answer with a bit more than links to other sites. What are the standards that are required from companies regarding secure communication on the internet? Every book on Java internet programming advises that security should be built in from the beginning, and therefore I would like to start with it right now.
Question by:d97mivo
22 Comments
 
LVL 4

Expert Comment

by:Oliver_Dornauf
For secure applet - servlet communication you can use the JSSE from Sun.
http://java.sun.com/security/index.html
 
LVL 3

Expert Comment

by:dnoelpp
A simple (but very limited) way would be that the applet uses getAppletContext().showDocument("https://..."); with secure HTTP.

This way, the applet opens up a new browser window. With parameters you can pass some parameters to the server. Then the server uses a JavaScript function to close the new browser window.

This is very limited, but maybe enough for you?
 

Author Comment

by:d97mivo
I need to have the standard security which is requested from companies when they consider whether to buy or not buy a product which is web based. I have no previous knowledge of this, and this is just my private project which I do in my spare time. Hopefully it will result in a commercial product which will make me rich :). That's why I ask which are the standards for security. Is it enough with JSSE? Are there any commercial implementations of JSSE which do a better job?

I don't need to do this with new browser window, it is done easily within the applet. What I need is a way to make secure the messages from applet to servlet and back. There are two types of "messages":

1. text messages, for ex. http://www.myserver.ss/servletDo?message=blabla&reason=thatswhy...
2. object messages, for ex. an object which is sent to the applet with different types of other objects (Strings, Integers, ints,...)

So, how to secure these two types of "messages"? That is the second question to which I would like to get an answer.

 
LVL 3

Expert Comment

by:dnoelpp
Okay, then go with JSSE. A note, however, JDK 1.4 has JSSE installed by default. If you work with the Java-Plugin version 1.4, you can just use code like this:

URL url = new URL("https://yourserver/yourapp/your.jsp");

and then open the stream, and this stream will be secure.

And for the second question, use serialization. Write or read the serialized data via URL.
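The https URLConnection plus serialization that dnoelpp describes here (and returns to in the accepted solution below), worked through as an added example; this is not code from the thread. An applet POSTs one serialized object to a servlet and reads a serialized reply. The Message class, the host name and the servlet path are assumptions. Two checks a practitioner wants are included: the servlet refuses requests that did not arrive over https, and both sides deserialize through an ObjectInputStream that resolves only the one class they expect, because a plain ObjectInputStream fed from the network will instantiate whatever class the sender names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Shared message type (assumed); applet and servlet must ship the same class. */
class Message implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    final int reason;
    Message(String text, int reason) { this.text = text; this.reason = reason; }
}

/** ObjectInputStream that resolves only Message; any other class is rejected before it is instantiated. */
class RestrictedObjectInputStream extends ObjectInputStream {
    RestrictedObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!Message.class.getName().equals(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not allowed in applet-servlet messages");
        }
        return super.resolveClass(desc);
    }
}

/** Applet side: one request/response over https. */
class AppletClient {
    // url is assumed, e.g. https://www.myserver.ss/servletDo
    static Message exchange(URL url, Message request) throws IOException, ClassNotFoundException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-java-serialized-object");
        try (ObjectOutputStream out = new ObjectOutputStream(conn.getOutputStream())) {
            out.writeObject(request);
        }
        if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
            throw new IOException("servlet answered HTTP " + conn.getResponseCode());
        }
        // The reply is read through the same whitelist the servlet uses.
        try (ObjectInputStream in = new RestrictedObjectInputStream(conn.getInputStream())) {
            return (Message) in.readObject();
        }
    }
}

/** Servlet side: reject plain http, read one Message, answer with one Message. */
public class MessageServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (!req.isSecure()) {  // arrived over plain http, e.g. because port 80 is still open
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "https required");
            return;
        }
        Message request;
        try (ObjectInputStream in = new RestrictedObjectInputStream(req.getInputStream())) {
            request = (Message) in.readObject();
        } catch (ClassNotFoundException | InvalidClassException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unexpected object");
            return;
        }
        Message reply = new Message("got: " + request.text, request.reason);
        resp.setContentType("application/x-java-serialized-object");
        try (ObjectOutputStream out = new ObjectOutputStream(resp.getOutputStream())) {
            out.writeObject(reply);
        }
    }
}
```

The text-message variant (query parameters on the URL) needs no serialization at all; the same https connection carries it, and the servlet reads the parameters with getParameter. The isSecure() check matters when the servlet engine also answers on port 80, which is the usual setup behind IIS: enabling SSL on the server does not by itself stop a client from calling the servlet over http.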
 
LVL 3

Expert Comment

by:dnoelpp
Is JSSE "enough"? Yes, you can tell... The https implemented by JSSE is as secure as any https protocol, that means secure enough for Internet use. I am not sure whether the CIA will be able to listen to your data, but I don't think so.
 

Author Comment

by:d97mivo
Ok, I understand that I get what I need with SSL and JSSE. Now we came to the implementation of SSL. I am using IIS 4.0 with JRun 3.0 as a servlet engine. I wonder how to implement SSL and JSSE into this configuration? Do I have to install (enable) SSL in IIS only, or in JRun?
 
LVL 3

Expert Comment

by:dnoelpp
This is a different question. I don't know how to configure SSL on JRun or IIS. One thing, however: you need a server certificate. If you create it yourself and sign it yourself, the browser will pop up a warning message to the user. This is ok for testing and developing, but for serious users you need a certificate from a CA.

If you run JRun by an IIS ISAPI redirector, I think you need to set up the certificate with IIS, and JRun will run "behind" this certificate.

Good luck!
 

Author Comment

by:d97mivo
I have to ask this too: do I need the certificate installed on the server or both the server and the clients?
 
LVL 3

Expert Comment

by:dnoelpp
The server certificate needs only to be installed on the server.

This certificate is signed by a CA. Most browsers have the signatures of the most important CAs already pre-installed.

SSL works about this way (much simplified): The client gets the certificate of the server and compares its signature with the pre-installed ones. With the help of the certificate the client knows the server (no spoofing possible) and then both client and server can do secure encrypting.

The only point is: You need your server certificate be signed by a CA. You can sign your certificate yourself, but in this case the client doesn't know your signature. The client browser displays a security warning.

This is ok, as I already said, for developing purposes. Just click on "Accept" or "Continue" or the like. Or install your own signature to the browser (Internet Explorer: Options --> Content --> Certificates)
 
LVL 4

Expert Comment

by:Oliver_Dornauf
You do not need a server certificate on the IIS for JSSE in every case.
If you use secure rmi and not https to communicate (which is reliable, easy and secure) you only need to install a certificate in the java keystore. You can make the certificate yourself with the keytool program.

Only if you want to use https do you need an expensive server certificate. For rmi over SSL it is not needed.
 

Author Comment

by:d97mivo
Ok, but I would like to do it without RMI, because it is not supported in IE.

Here is a new question: can I use the IP address of my server when creating a self-signed certificate, or does it have to be a DNS name? (Sorry for these additional questions, but I think the amount of points I award here is quite enough and I will give an A.)
 
LVL 3

Expert Comment

by:dnoelpp
A note about https vs rmi:

These are very different technologies.

- https is web oriented. Data is transported via opening an url and reading the response.

- rmi is nearer to the programming language. A remote object behaves very much like a local object. Except of course that some operations take a lot longer to execute.

You see, the philosophies are as different as possible.

One important point, however: If you don't do rmi over http(s), then rmi will not transport through firewalls (unless you ask your admin to configure the ports).

And, now, d97mivo, as for your question, I don't know. Try both. Just create a certificate and sign it yourself. After accepting the security warning Internet Explorer for example should display the yellow closed lock symbol at the bottom to show that security is ON.

So, not only your applet communication, but other pages are secured (important for example for the page which loads the applet).
 
LVL 4

Expert Comment

by:Oliver_Dornauf
d97mivo, if you use a "home brew certificate" for rmi over ssl you do not need an ip address or something from your server.

look at: http://java.sun.com/products/jdk/1.2/docs/guide/rmi/index.html for rmi and rmi over ssl

look at: http://java.sun.com/docs/books/tutorial/security1.2/sigcert/index.html
for your "home brew certificate".
Important: For rmi over ssl the certificate has nothing to do with code signing of jar files etc. :-)
 
LVL 3

Accepted Solution

by: dnoelpp (earned 200 total points)
Yes, Oliver is right. Why?

The rmi client is not pre-installed at the user's computer (like IE or other browsers). So it is easy to give it any signatures you want.

The https client (IE or other browser) however is not installed by you, it is pre-installed by the user. So it's not easy to influence the key-store of the browser.

That's why you need a CA signature for the server certificate for https.

***

But I think, for real security on your website, you need to download your applet code with https. Without https someone could spoof your applet and then all the security in your applet is useless.

Another way to avoid spoofing is to sign the applet. Don't mix up the two possibilities. Signed applets are much like signed ActiveX controls. They are allowed to access your user's computer (depending on the configuration of the policy files of the applet): read and write files and open network connections to other servers than yours and other possibly dangerous operations.

You could combine two possibilities: load a signed applet via an https connection. That's exactly what we do in our project at office.

***

And as for rmi: Most probably using rmi over https in your applet is the best way to do secure communication applet-servlet, because the remote objects are very near to the programming language Java.

You said rmi is not supported by IE. I assume you are using Microsoft's virtual machine and programming with AWT, not Swing. I suggest that you think about the Java Plugin (http://java.sun.com/products/plugin/) because the new virtual machine by Sun has more features. Microsoft's virtual machine stays at version 1.1 and Sun's version just coming out is 1.4 (the one which has JSSE already included).

For data consisting mostly of text https is a simple protocol to exchange data. If you use serialization, you can transfer objects, too, but this gets complicated very soon and then it's better to work with rmi.
 
LVL 4

Expert Comment

by:Oliver_Dornauf
Well, I speak about a "home brew certificate" which is sufficient for testing and evaluation.
A server certificate from a root CA is about $500 per year.
An applet using a port (1099 for rmi) has to be signed IMHO.

Loading a signed applet via https is a very secure way to load an applet, but not more. It does not secure the applet communication.
But I think that is not the question. The point I wanted to state was:
rmi over ssl needs a certificate in the java keystore. But the Sun document speaks about signing applets. This is a different thing in the same context.
OK?
 

Author Comment

by:d97mivo
Forget RMI for now, it still requires another port to be opened for communication, which I would like to avoid. And you made me confused, so please answer with yes or no to these questions (again):

1. Is it so that I use https instead of http when I make URLConnections in my applet, and get the required protection?
2. I need only a certificate on my server, but not on the client side?
 
LVL 3

Expert Comment

by:dnoelpp
1. Yes. For that you need JSSE.

2. Yes. To have the certificate signed by a CA is expensive, as Oliver said.

Just now I have another idea. Maybe with some configuration on JSSE done by the applet before opening the first https URL connection it's possible to avoid a CA-signed certificate. The idea behind is that the applet knows your own signature and has it "installed" in JSSE. This way a "home-brew" certificate will be enough. Exactly how to do this I don't know, however.

Tomorrow I will look into this further, but don't expect any more help from my side. I just will look because I am interested myself.
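The configuration dnoelpp has in mind (teach JSSE the home-brew certificate instead of buying a CA-signed one), as an added example that is not from the thread: the applet ships the server's self-signed certificate inside its jar, builds an SSLContext whose only trust anchor is that certificate, and uses it for its own HttpsURLConnections. The resource name server.cer and the URL are assumptions; the API is the javax.net.ssl one that JDK 1.4 and later include. This also settles d97mivo's IP-versus-DNS question for the applet's own connections: the default host-name check compares the host in the URL with the name in the certificate, so a certificate made out to a DNS name does not verify when the URL uses the bare IP address, and vice versa.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Trusts exactly one server certificate (the home-brew one) for https connections made by the applet. */
public class PinnedHttps {

    /**
     * Builds a socket factory whose trust store holds only the given certificate.
     * The stream carries the certificate as exported by keytool -export (DER, or PEM with -rfc);
     * CertificateFactory accepts both encodings.
     */
    static SSLSocketFactory trustOnly(InputStream certStream) throws IOException, GeneralSecurityException {
        Certificate serverCert = CertificateFactory.getInstance("X.509").generateCertificate(certStream);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                  // empty in-memory store: nothing is written on the client
        trustStore.setCertificateEntry("myserver", serverCert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                         // trust managers built from our single anchor

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, default SecureRandom
        return ctx.getSocketFactory();
    }

    /** Opens an https connection that only succeeds against the pinned certificate. */
    static HttpsURLConnection open(URL url, SSLSocketFactory pinned) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(pinned);
        // Deliberately no setHostnameVerifier(): the default verifier rejects a certificate whose
        // name does not match the host in the URL. Installing one that returns true would let
        // anyone holding any certificate impersonate the server, pinning or not.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // server.cer is assumed to be packaged in the applet jar next to the classes.
        try (InputStream cer = PinnedHttps.class.getResourceAsStream("/server.cer")) {
            if (cer == null) throw new IOException("server.cer missing from the applet jar");
            SSLSocketFactory pinned = trustOnly(cer);
            HttpsURLConnection conn = open(new URL("https://www.myserver.ss/servletDo?message=hello"), pinned);
            System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
        }
    }
}
```

Two caveats. First, this only covers connections the applet itself opens; the page and jar that load the applet are fetched by the browser with its own trust store, so, as dnoelpp notes further up, a self-signed certificate still produces the browser warning there unless the user imports it. Second, the applet now carries a copy of the server certificate, so every renewal of that certificate means redistributing the applet; if the certificate is generated with keytool -genkeypair, use -ext SAN=ip:... or SAN=dns:... so the name in the certificate matches whatever the applet's URLs use.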
 
LVL 3

Expert Comment

by:dnoelpp
2. Yes, you need only a certificate on the server. :-)
 

Author Comment

by:d97mivo
Ok, I will try to do like you propose dnoelpp, but just one LAST question: is this server certificate the same as the one which is used when signing .jar files?

I will award the points within next day, dnoelpp!
 
LVL 3

Expert Comment

by:dnoelpp
No, that's something different as Oliver already pointed out.
 

Author Comment

by:d97mivo
I choose this as an appropriate answer!
 
LVL 3

Expert Comment

by:dnoelpp
Thanks for the points!
