Hello,
Dan Holmdahl wrote:
>
> Solution to using multiple jar files:
> <PARAM NAME = ARCHIVE VALUE =
> "MyOCFApplet.jar,base-core.jar,base-opt.jar,gemplus-rad-terminals.jar,gemplus-terminals-4.1.jar,gemplus-util.jar,pcsc_wrapper.jar,..."
>
Thanks for sharing the info. I will add this question to the FAQ
I'm currently writing (about OCF in browser applets).
Another solution of course is to "pre-install" the middleware
components and drivers (Card{Terminals,Services}) on the client
machine and just deploy the final application in an applet form.
(Then the security issues are the same as for any application
or library deployment, and might also involve signing etc., but
at least it's done once and for all.)
> With all this data to transfer to a client PC an interesting article to look
> at is:
> http://www-106.ibm.com/developerworks/library/j-javapush/?dwzone=java
Also there is a new technology pushed by Sun called "Java Web Start",
which I haven't had time to use yet.
> An advantage of an intranet is you don't really need to sign these
> jars. Just somehow (I have not decided the best way yet) modify the
> user's .java.policy file with something like:
> grant codeBase
> permission java.security.AllPermission;
> whatever your codeBase may be, and however fine you wish to assign
> permissions.
I tend to disagree with this method, except for development/testing
by a programmer. I would not open all doors like this even on an
intranet, because today intranets often extend into VPNs (i.e.,
Virtual Private Networks) in which people connect from an external
machine, and I think that we should always add the two means: 1) a
firewall for protecting the entire intranet, and 2) specific
protection for each machine, e.g., turning unnecessary servers off,
setting a minimum security policy, etc.
I have included as an attachment the ".java.policy" file I was using
to run OCF with the plugin. The rights are granted for accesses that
depend on the type of platform (Linux for me), JDK, etc., and so they
have to be adapted. If somebody wants to send me a typical policy
file for Windows/Plugin (or maybe two: one for the CommAPI-based
CardTerminals and one for the PC/SC wrapper), I would include it/them
in the FAQ.
Cheers,
Christophe.
= On the side of the software box, in the system requirements =
= section it said "Requires Windows 95 or better." ... =
= So I installed FreeBSD. -- [EMAIL PROTECTED] =
--
-------------------------------------------------------------
[EMAIL PROTECTED] - Gemplus Research Lab
Phone: +33 4-42-36-57-83 | Disclaimer: I don't speak for Gemplus
Gemplus doesn't speak for me... it is better that way!
-------------------------------------------------------------
// this keystore is to store our certificates
keystore ".keystore";

// a grant entry suitable for the OCF applets
// allows ALL applets that were signed by "cm" to carry out the following actions
grant signedBy "cm" {
    /* TEST with AllPermission */
    /*permission java.security.AllPermission;*/

    // read and write arbitrary (including sensitive) system properties
    permission java.util.PropertyPermission "*", "read,write";

    // read the 'opencard.properties' file in the standard locations
    permission java.io.FilePermission "${java.home}/lib/opencard.properties", "read";
    permission java.io.FilePermission "${user.home}/.opencard.properties", "read";
    permission java.io.FilePermission "${user.dir}/opencard.properties", "read";
    permission java.io.FilePermission "${user.dir}/.opencard.properties", "read";

    // read (and let the driver rewrite) the 'javax.comm.properties' file
    // and the Gemplus terminal properties in the standard location
    permission java.io.FilePermission "${java.home}/lib/javax.comm.properties", "read,write,delete";
    permission java.io.FilePermission "${java.home}/lib/Gempluscardterminal.properties", "read,write,delete";

    // read the Comm API driver implementation in the standard locations
    // (e.g., Blackdown & IBM)
    permission java.io.FilePermission "${java.home}/lib/ext/libSerial.so", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/i386/libSerial.so", "read";
    permission java.io.FilePermission "${java.home}/bin/libibmcomm.so", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/libibmcomm.so", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/x86/libibmcomm.so", "read";

    // access the serial (and parallel) port devices
    permission java.io.FilePermission "/dev", "read,write";
    permission java.io.FilePermission "/dev/lp0", "read,write";
    permission java.io.FilePermission "/dev/lp1", "read,write";
    permission java.io.FilePermission "/dev/lp2", "read,write";
    permission java.io.FilePermission "/dev/ttyS0", "read,write";
    permission java.io.FilePermission "/dev/ttyS1", "read,write";
    permission java.io.FilePermission "/dev/ttyS2", "read,write";
    permission java.io.FilePermission "/dev/ttyS3", "read,write";

    // dynamically load native libraries
    permission java.lang.RuntimePermission "loadLibrary.*";

    // get access to declared constructors/methods/fields via reflection API
    permission java.lang.RuntimePermission "reflect.declared.*";
};