How to prevent jar manipulation
We want to deploy an application with java webstart/jnlp and we must assure that at least the core jar is free from modifications.
I spent days reading FAQs and forums but two security issues are still on my mind.
Scenario 1:
The attacker downloads the jar with the informations fro the jnlp file. He decomplies the classes and removes the signitures out of the meta.inf put it all together in a jar and starts the jar locally.
Scenario 2:
The attacker sets up his own web server and places the manipulated jnlp file, jar file(s) and all the other files on this server. He could even direct the dns of our server to his own, which is very simple in windows. Java Webstart could never know that the manipulated jar is the wrong one.
So if anyone knows a solution for these scenarios than please let me know
With best reguards.
Scenario 2 is a simple trust problem that happens with every secured application (an HTTPS site, for instance):
1) you can have your certificate released by a CA
2) you can distribute certificate MD5 and SHA1 hash on a safe channel (ordinary mail): when downloading signed app user is requested to accept certificate (and can view hashes), all he has to do is compare it with the one you distributed
Scenario 1: you can scramble jars; if you use active code to expose jars you can check requesting user agent to prevent everything other then JWS to download them (it's hard to bring them out of cache); you can add a conditional check to be sure code is running on jws; you can have a small jar required to run that you remove from cache everytime application starts .. but it's code! there's no way you can prevent people breaking it on their own computer, you can just make it hard!
Have fun.
Similar Messages
-
How to prevent JFileChooser automatically changing to parent directory?
When you show only directories, and click on the dir icons to navigate, and then dont select anything and click OK, it automatically 'cd's to the parent folder.
My application is using the JFileChooser to let the user navigate through folders and certain details of 'foo' files in that folder are displayed in another panel.
So we dont want the chooser automatically changing dir to parent when OK is clicked. How to prevent this behavior?
I considered extending the chooser and looked at the Swing source code but it is hard to tell where the change dir is happening.
thanks,
Anil
To demonstrate this, I took the standard JFileChooserDemo from the Sun tutorial and modified it adding these lines
// NEW line 45 in constructor
fc.addPropertyChangeListener((PropertyChangeListener) this);
fc.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
* NEW -
* @see java.awt.event.ActionListener#actionPerformed(java.awt.event.ActionEvent)
public void propertyChange(PropertyChangeEvent e) {
String prop = e.getPropertyName();
if (JFileChooser.DIRECTORY_CHANGED_PROPERTY.equals(prop)) {
System.out.println("DIRECTORY_CHANGED_PROPERTY");
File file = (File) e.getNewValue();
System.out.println("DIRECTORY:" + file.getPath());
}Here is the demo:
package filechooser;
import java.awt.BorderLayout;
import java.awt.Insets;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.io.File;
import javax.swing.ImageIcon;
import javax.swing.JButton;
import javax.swing.JFileChooser;
import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.JScrollPane;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;
import javax.swing.UIManager;
* FileChooserDemo.java uses these files:
* images/Open16.gif
* images/Save16.gif
public class FileChooserDemo extends JPanel implements ActionListener,
PropertyChangeListener {
static private final String newline = "\n";
JButton openButton, saveButton;
JTextArea log;
JFileChooser fc;
public FileChooserDemo() {
super(new BorderLayout());
// Create the log first, because the action listeners
// need to refer to it.
log = new JTextArea(5, 20);
log.setMargin(new Insets(5, 5, 5, 5));
log.setEditable(false);
JScrollPane logScrollPane = new JScrollPane(log);
// Create a file chooser
fc = new JFileChooser();
// NEW
fc.addPropertyChangeListener((PropertyChangeListener) this);
fc.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
// Create the open button. We use the image from the JLF
// Graphics Repository (but we extracted it from the jar).
openButton = new JButton("Open a File...",
createImageIcon("images/Open16.gif"));
openButton.addActionListener(this);
// Create the save button. We use the image from the JLF
// Graphics Repository (but we extracted it from the jar).
saveButton = new JButton("Save a File...",
createImageIcon("images/Save16.gif"));
saveButton.addActionListener(this);
// For layout purposes, put the buttons in a separate panel
JPanel buttonPanel = new JPanel(); // use FlowLayout
buttonPanel.add(openButton);
buttonPanel.add(saveButton);
// Add the buttons and the log to this panel.
add(buttonPanel, BorderLayout.PAGE_START);
add(logScrollPane, BorderLayout.CENTER);
* NEW -
* @see java.awt.event.ActionListener#actionPerformed(java.awt.event.ActionEvent)
public void propertyChange(PropertyChangeEvent e) {
String prop = e.getPropertyName();
// If the directory changed, don't show an image.
if (JFileChooser.DIRECTORY_CHANGED_PROPERTY.equals(prop)) {
System.out.println("DIRECTORY_CHANGED_PROPERTY");
File file = (File) e.getNewValue();
System.out.println("DIRECTORY:" + file.getPath());
public void actionPerformed(ActionEvent e) {
// Handle open button action.
if (e.getSource() == openButton) {
int returnVal = fc.showOpenDialog(FileChooserDemo.this);
if (returnVal == JFileChooser.APPROVE_OPTION) {
File file = fc.getSelectedFile();
// This is where a real application would open the file.
log.append("Opening: " + file.getName() + "." + newline);
} else {
log.append("Open command cancelled by user." + newline);
log.setCaretPosition(log.getDocument().getLength());
// Handle save button action.
} else if (e.getSource() == saveButton) {
int returnVal = fc.showSaveDialog(FileChooserDemo.this);
if (returnVal == JFileChooser.APPROVE_OPTION) {
File file = fc.getSelectedFile();
// This is where a real application would save the file.
log.append("Saving: " + file.getName() + "." + newline);
} else {
log.append("Save command cancelled by user." + newline);
log.setCaretPosition(log.getDocument().getLength());
/** Returns an ImageIcon, or null if the path was invalid. */
protected static ImageIcon createImageIcon(String path) {
java.net.URL imgURL = FileChooserDemo.class.getResource(path);
if (imgURL != null) {
return new ImageIcon(imgURL);
} else {
System.err.println("Couldn't find file: " + path);
return null;
* Create the GUI and show it. For thread safety, this method should be
* invoked from the event dispatch thread.
private static void createAndShowGUI() {
// Create and set up the window.
JFrame frame = new JFrame("FileChooserDemo");
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
// Add content to the window.
frame.add(new FileChooserDemo());
// Display the window.
frame.pack();
frame.setVisible(true);
public static void main(String[] args) {
// Schedule a job for the event dispatch thread:
// creating and showing this application's GUI.
SwingUtilities.invokeLater(new Runnable() {
public void run() {
// Turn off metal's use of bold fonts
UIManager.put("swing.boldMetal", Boolean.FALSE);
createAndShowGUI();
} -
How to prevent an error of [WIP work order ... is locked-]
Hello experts
Can someone tell me how to prevent an error which [The WIP work order associated with this transaction is currently locked and being updated by another user. Please wait for a few seconds and try again.Transaction processor error].
How can you prevent that error?
P.S.
Oracle support told me [When you make data of mtl_transaction_interface, give same transaction_header_id to all data. Then, you kick worker with appointed transaction_header_id. Or, you set up being uncompatible with workers].
I cannot allow that making with same transaction_header_id and being uncompatible with worker on my system.Hi santosh,
You can implement badi BBP_DOC_CHECK to check vendor email and issue error message.
Kind regards,
Yann -
How to prevent PO changes in ME22N after Order acknowledgement?
Hi everyone,
Can anyone tell me how to prevent PO changes (ANY) in ME22N after Order acknowledgement?
I would like to make it possible without release strategy process or authorizations.
Do you know some User Exit or Customazing way?
Regards.
Jaime S.Dear Jaime S,
You can do this by restricting in authorization SHDO and also by marking "changes not possible after release" in Release strategy procedure.
And also you can navigate the menu to, SPRO------>IMG------>Material Management--->Purchasing(OLME)------->Purchase Order---->Define screen Layouts at Document Level---->And go to ME22n And Select the right parameter and in this you can make it display, optional or required entry for the fields.
Regards,
Manjunath B L -
Dear Experts,
I have a requirement for making material description as non mandetory in change request view of mdg material screen.
I have done that using field usage in get data method of feeder classes, but still message is displaying.
This message 'Material description is mandatory is displaying with check action only, but not with save or submit after i anhance field property as not mandetory.
How to prevent error message for material description in MDG material detail screen, when user click on check action.
Thanks
SukumarHello Sukumar
In IMG activity "Configure Properties of Change Request Step", you can completely deactivate the reuse area checks (but will then loose all other checks of the backend business logic as well).
You can also set the error severity of the checks from Error to Warning (per CR type, not per check).
Or you provide a default value for the material description, e.g. by implementing the BAdI USMD_RULE_SERVICE.
Regards, Ingo Bruß -
How to prevent a solaris user to telnet from multiple computers
Hello,
How to prevent Solaris users to telnet from multiple computers? They should be able to telnet from only one PC.
Please help..ora_tech have a good point, i was about to suggest ipfilter, which is a built-in-firewall in Solaris, but using tcp wrappers would probably be easier. It all depends on which level of security you want (blocking the telnet requests in a firewall would generally be safer than blocking them at the tcp wrapper level, since its prevents some processing).
Since Solaris 10 you can also easily enable tcp wrappers on the inetd services with inetadm, see:
http://blogs.sun.com/gbrunett/entry/tcp_wrappers_on_solaris_10
.. for more details..
.7/M. -
Help! How to create Jar file for a packaged class?
Hi!
I am new in jar complexities. I made a swing frame that just prompts a JOptionPane when executed. I accomplished the same using jar without packaging my class SwingTest.
But when i package it, it doesn't run. Can any one tell me how to make jar file of packaged classes and include images in the jar files too!
Really Thanx!Call the Jar from the commandline to see the exceptions thrown.
java -jar <jarFileName> <className> -
How to prevent iTunes for Windows from "Updating iTunes Library"?
My library is on a NAS and managed by iTunes on a Mac. I can connect from wife's Windows laptop using iTunes for Windows but every time I do, it Updates iTunes Library. Next time I log in from my Mac it Updates iTunes Library in return. It appears I'm experiencing "Update Wars" between the Mac and Windows versions of iTunes. I would like to allow my wife to stream iTunes songs to her new laptop but I don't want any updates from this source... prefer to manage the library from my Mac and not allow Windows to do any thing other than listen to existing playlists.
Thanks for any help/suggestions.Connect the PC to the library on the NAS. Wait while "updated".
Under Edit > Preferences > Advanced make sure the media folder is correctly pointed at the media folder on the NAS. If not correct, close iTunes, wait a few moments, then open iTunes again.
Close iTunes on the PC. Do not open iTunes on the Mac.
Copy the library files, iTunes Library.itl, iTunes Library Extras.itdb, iTunes Library Genius.itdb, sentinel and the folder Album Artwork into an empty iTunes folder on the PC, for example C:\iTunes.
Click the icon to start iTunes and immediately press and hold down SHIFT. Keep holding until prompted to choose or create a library. Click choose and browse to the copied .itl file, e.g. C:\iTunes\iTunes Library.itl
The library should now work properly on the PC, however check the setting for the media folder. If needs be correct, close iTunes and reopen.
Open iTunes on the Mac. It will update again, but that should be last time.
tt2 -
How to prevent others use their iDevices to remote control apple tv?
Hi All,
I'm wondering that does anyone know how to prevent others use their iDevices to remote control my apple tv?
settings
1. the apple tv is in the school.
2. all students could access the Internet
3. The apple tv is sharing the same Internet with students.Welcome to the Apple Community.
The remote app uses homesharing, therefore anyone wanting to control an Apple TV with the remote app would need to know the home sharing ID and password. -
How to prevent apps from syncing in the new version of itunes?
Hey there.
I brang my macbook to Applestore cause it had a problem and they downloaded the latest version of itunes. Everything's fine and my music, videos and apps are in the new itunes like before. But now, when I want to sync my iphone, a pop window asks me to give the password of the itunes account I used to download some of my apps or it will delete them and their data. The problem is that one of these accounts is an old friend's one and I actually lost all contact with him. So basically now I can't sync my iphone at all or it will delete all my apps.
Has anyone any idea how to sort that out? Or at least knows how to prevent apps from syncing in this new version of itunes?
Thanks for your helpOnthe top menu
View > Show Status Bar.
The grey bar will now appear at the bottom with the info you want -
How to prevent a text in script from displaying if its value is zero
Dear all,
How to prevent a text in script from displaying if its value is zero
for eg Price = 0.00
if price is 0 it should'nt appear in output.
I tried with if price ne 0.
price = &price&
endif.
but it's not working.
Regards
Raj
<MOVED BY MODERATOR TO THE CORRECT FORUM>
Edited by: Alvaro Tejada Galindo on Jan 20, 2009 8:59 AMHello Nagaraju,
What you were doing is partially right.
The correct format to write in the script is as follows :
/: if &PRICE& ne 0.
&PRICE&
/: endif.
This should work. Let me know how it goes.
Nayan -
How to prevent JaxB creation of 2 Interfaces for each Element?
hi,
does any body know how to prevent JaxB creation of 2 Interfaces for each Element (The Content Interface and the element interface)?
I want to configure JaxB to use only one Interface and only one implementation Class.
Thank's,I am sorry I can not answer your question, I have got the same problem. Could you please email me to
[email protected] when you know the answer, please.
I have a question for you. When and complex type is validated, I get the object which contains the error. ( or objects ).
However. How do know the position in the actual parent object. basically. Is there a way to know exactly the position of that attribute in that object. I need to store errors strings.
The first problem derives from this one:
It is not possible to execute validate function for a primitive attribute inside an structure.
I would appreciate your help.
Thanks.
Gustavo. -
How to include .jar files in coldfusion code
To Integrate our cfm code with paypal jar files we do the
following steps with our local coldfusion server ,and to run and
integrate the paypal Java SDK jar files, I think we need to do the
same process on the server, can you suggest any thing to do the
following setting for my domain on the server, without setting the
class path in coldfusion administrator.
The ColdFusion application server must be configured to know
the location of the PayPal JAR
files, and your ColdFusion Markup (CFM) pages must be
configured with the absolute path to
the PayPal API certificate for the PayPal API user on whose
behalf the calls are made.
1. Install the PayPal Java SDK “Installing the
SDK”.
2. Copy a subset of the Java SDK JAR files to a location
accessible by the ColdFusion
application server. The JAR files are in SDK_root\lib and
their exact names are as
follows:
– bcmail-jdk14-128.jar
– bcprov-jdk14-128.jar
– paypal_base.jar
– paypal_stubs.jar
sax2.jar
– xerces.jar
– xpp3-1.1.3.4d_b4_min.jar
– xstream.jar-1.1.3.jar
3. With the ColdFusion Application Server Administrator, add
the absolute path of the
location you determined in Step 2 to the Java and JVM
CLASSPATH environment variable.
4. Restart the ColdFusion Application Server.
Suggest me how to include .jar files without setting
classpath.> Suggest me how to include .jar files without setting
classpath.
Copy them to {CF_HOME}\lib, where {CF_HOME} is, for example,
C:\CFusionMX7. Restart Coldfusion. -
EAP MD5 with ISE 1.2 - How to Prevent Active Directory Account locks?
Hi,
Is there any how to prevent accounts to be locked in AD if someone do a password brute force attack in a account? ISE has some feature/Configuration to prevent this type of attack ?
Thanks.So what you're saying is the retry values only come in to play if the RADIUS server is inaccessible, right?
Windows laptops actually work just fine, because many of them are using machine authentication. The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes password.
One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of time in a row and open to dictionary attacks. We do enforce complex password policies so the liklihood of an account being compromised is slim, but, I'd rather eliminate the chance entirely. -
How TO DEPLOY JAR FILES INTO XI Server using SDM
Hi XI Gurus,
im working on adapter development. we have created jar file in NWDS.
now going ahead to deploy into XI server through SDM.
can we deploy jar files directly into xiserver through SDM. or it needs to convert to any other formate like EAR, SDA. then how would i convert to SDA.
i any have clear idea on this... pls throw the ways how to convert........
JAR File to EAR format
JAR file to SDA format
EAR file to SDA format
can any one explain the procedure step by step how to convert jar file into deployment archive file in order to succesfully into XI server.
thanks i advance. points will be rewarded.
Regards
RajeshHi Rajesh,
JAR file in itself in not deployable.
So v need to envelop this jar file into an EAR file and then v deploy this EAR file on SDM.
Creating Jar
Inside NWDS --> Windows --> Open perspective --> J2EE Development --> right click on ur proj --> Build EJB Archive
Converting .EAR file to .SDA
Converting .EAR file to .SDA
Regards,
Prateek
Maybe you are looking for
-
Is the Iphone 5 model A1429 (CDMA) and model A1429 (GSM) the same phone?
Apple is inconsistent on their information for the iphone 5. One the LTE info site (http://www.apple.com/iphone/LTE/) it lists three different models, specifically showing that there is both a GSM and CDMA version of Model A1429. However, on the ipho
-
Abnormal(?) rownum
Dear all, Could you please help me understand how's the last column of first and last row calculated? SQL> select rownum,rownum-1,rownum-2,rownum||rownum-1||rownum-2 from dual connect by level < 11; ROWNUM ROWNUM-1 ROWNUM-2 ROWNUM||ROWNUM-1|
-
They say you can now work on large files with out the past problems fingers crossed. You can reame layers in the layers panel without the dialog poping up, that took a long time to implement!
-
PSE 8. Can Not add email contacts.
Can't add e mail contacts. Locks up after info is entered. Have PSE 8 running with windows 7. Help!
-
N91 - Deleted Access Points still visible to appli...
I created and later deleted a number of Access Points in Menu > Tools > Settings > Connection > Access Points. Although they appeared to be deleted (not listed anymore in the N91 menu system), applications such as Fring and Nimbuzz include/show all t