Java Server Client应用程序签署客户端jar [英] Java Server Client application Signing the client jar
问题描述
你好,
我正在研究Java安全性,我有一个问题。在我的工作中,我不时发现用java编写的客户端应用程序(所以.jar)连接到服务器,但服务器不能使用被操纵的.jar。现在我的问题是,它是如何工作的?在网上阅读后,我发现可以使用密钥或证书(可能是其他人)签署一个jar文件,但是没有关于如何从架构的服务器端检查这个文件。
有人可以给我一些关于它如何工作或我在哪里可以找到信息的指示吗?
Thx
Hello,
I''m doing some research in to Java security, and I have a question. In my line of work I find from time to time client applications written in java (so a .jar) that connects to a server, but the server will not work with a manipulated .jar. Now my question is, how does that work? After reading on the net I found that it is possible to sign a jar file with either a key or a certificate (maybe others), but nothing about how this would be checked from the serverside of the architecture.
Could somebody give me some pointers as to how it works or where I could find information?
Thx
推荐答案
不确定您正在实现什么类型的应用程序,但它看起来像检查哈希代码一样简单...如果哈希代码不匹配则jar已被修改。
签名按照以下方式进行。
-Frinny
Not sure what type of application you are implementing but it seems as simple as checking a hash code...if the hash code doesn''t match then the jar has been modified.
Signing works along these lines.
-Frinny
这是否意味着他们不是一般的在Java控制台(沙箱)中就地运行,可以独立检查.jar。我是从安全角度谈论的,所以如果罐子负责它自己的签名,它只是一个门上的开锁?
Does that mean that their is not a general function in place in the Java console (the sandbox) that would allow to check the .jar independently. I''m talking from a security point of view, so if the jar is responsible for it''s own signing, it would just be an open lock on a door?
我'很抱歉,我实际上不是Java专家。
我熟悉签名代码,因为我使用了很多签名......
我希望Java专家可以进一步帮助你。
我不认为jar会对它自己的签名负责。
我认为你的服务器应用程序会根据jar中的内容存储它为jar文件创建的签名/哈希...当jar被提交给服务器后,它会检查看到签名/哈希是有效的,以确保它不使用修改后的jar文件。
你可能是对的。可以使用Java特定工具来执行此操作,而无需依赖您的代码/应用程序来执行此操作。事实上,如果没有这样的功能,我会感到惊讶。
我仍然不明白你的服务器是如何使用jar文件或你的应用程序做的。
再次,我很抱歉,但我不是Java专家......我只能从概念的角度来帮助你。
-Frinny
I''m so sorry but I''m actually not a Java expert.
I am familiar with signing code because I use signing quite a bit...
I hope that a Java expert can jump in and help you further.
I wouldn''t think that the jar is responsible for it''s own signing.
I would think that your server application would store the signature/hash that it creates for the jar files based on what is in the jar...when the jar is submitted to the server later it would check to see that the signature/hash is valid to ensure that it isn''t working with a modified jar file.
You might be right. There could be a Java Specific tool available to you that does this without having to rely on your code/application to do it. In fact I would be surprised if there isn''t such a feature.
I still don''t understand how your server is using the jar files or what your application does.
Again, I''m sorry but I''m not a Java expert...I can only help you from a conceptual point of view.
-Frinny
这篇关于Java Server Client应用程序签署客户端jar的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
