Why security

   Java's security model is one of the key architectural features that makes it an appropriate technology for networked environments. Security is important because networks represent a potential avenue of attack to any computer hooked to them. This concern becomes especially strong in an environment in which software is downloaded across the network and executed locally, as is done, for example, with Java applets and Jini service objects. Because the class files for an applet are automatically downloaded when a user goes to the containing web page in a browser, it is likely that a user will encounter applets from untrusted sources. Similarly, the class files for a Jini service object are downloaded from a code base specified by the service provider when it registers its service with the Jini lookup service. Because Jini enables spontaneous networking in which users entering a new environment look up and access locally available services, users of Jini services will likely encounter service objects from untrusted sources. Without any security, these automatic code download schemes would be a convenient way to distribute malicious code. Thus, Java's security mechanisms help make Java suitable for networks because they establish a needed trust in the safety of executing network-mobile code.

Java's security model is focused on protecting end-users from hostile programs (and bugs in otherwise benevolent programs) downloaded across a network from untrusted sources. To accomplish this goal, Java provides a customizable "sandbox" in which untrusted Java programs can be placed. The sandbox restricts the activities of the untrusted program. The program can do anything within the boundaries of its sandbox, but can't take any action outside those boundaries. For example, the original sandbox for untrusted Java applets in version 1.0 prohibited many activities, including:

• reading or writing to the local disk,
• making a network connection to any but the host from which the applet came,
• creating a new process, and
• loading a new dynamic library

By making it impossible for downloaded code to perform certain actions, Java's security model protects the end-user from the threats of hostile and buggy code.

Because the sandbox security model imposes strict controls on what untrusted code can and cannot do, users are able to run untrusted code with relative safety. Unfortunately for the programmers and users of 1.0 systems, however, the original sandbox was so restrictive, that well-meaning (but untrusted) code was often unable to do useful work. In version 1.1, the original sandbox model was augmented with a trust model based on code signing and authentication. The signing and authentication capability enables the receiving system to verify that a set of class files (in a JAR file) has been digitally signed (in effect, blessed as trustworthy) by some entity, and that the class files have not been altered since they were signed. This enables end users and system administrators to ease the restrictions of the sandbox for code that has been digitally signed by trusted parties.

Although the security APIs released with version 1.1 include support for authentication, they don't offer much help in establishing anything more than an all-or-nothing trust policy (in other words, either code is completely trusted or completely untrusted). Java's next major release, version 1.2, provided APIs to assist in establishing fine-grained security policies based on authentication of digitally signed code. The remainder of this chapter will trace the evolution of Java's security model from the basic sandbox of 1.0, through the code signing and authentication of 1.1, to the fine-grained access control of 1.2.

 

    Java安全模型是整个平台架构的关键特征之一，这个特征使得平台在面向网络的环境中更为合适。计算机身处网络就意味有受攻击的危险，这时安全问题就显得尤为重要。当程序通过网络下载，并且在本地执行时，人们关心的安全问题更为突出，如：从远程下载Applet和使用JINI服务。由于当用户打开浏览器时，Applet的Class文件是自动从网路上下载的，所以Applet很有可能是来自不信任源.同样，当JINI服务对象的Class文件向查找服务注册它的服务，这个字节码文件就会从服务提供商的代码库中下载。当用户联网时，JINI服务能够自发的通过网络查找和访问本地的服务，这时JINI服务的用户可能会遇到不信任来源的服务对象。这样的自动加载策略对发布恶意代码是一个便捷的途径。Java为在网络中可执行的代码移动性建立可信赖的安全机制，可以使得Java技术在网路环境中更加合适。
    Java安全模型的目标是为了让终端用户在从网路上下载时远离恶意程序或者善意程序的bug，为了达到这个目标，Java提供了一个客户可以定制的安全沙箱，不信任的程序可以存放在安全沙箱中。安全沙箱严格的限制了不信任程序的活动。程序可以在安全沙箱的边界范围内做任何事情，但是在安全沙箱边界外，她不可以做任何事情。例如，原来在1.0版本中的被禁止的不信任的Applet的活动包括：
    对硬盘数据的读写
    除Applet来源外的任何网络连接
    创建进程和加载新的动态连接库
   通过阻止代码的特定活动，Java安全模型使用户远离恶意代码或有bug程序的干扰。
   因为沙箱安全模型对不信任程序可进行和不可进行的活动做了严格的限制，用户能够相对安全的运行不信任程序。尽管如此，不幸的1.0版本程序和用户，由于原来的沙箱限制过于严格，不信任但善意的程序经常不能够做有效的工作。在1.1版本中，原来的沙箱模型通过代码签名和授权得到完善。签名和授权能够使接收方能够校验一系列class文件是否获得实体签名，或者class文件被签名后是否已经更改。这样子，终端用户或者系统管理员就能够减弱对通过被信任方签名的程序的限制。
    虽然1.0版本的安全API版本已经包含授权的支持，但是他们的全信任和全不信任策略还是没有提供足够多的帮助。Java的下一个主要版本，为更加细粒度的基于授权和签名的安全策略提供了API支持。剩余的部分将要继续追踪安全模型从原始的到细粒度的访问控制的发展。